Application Centric Infrastructure. The network architecture of the future: from speculation to action

For the past few years, Cisco has been actively promoting a new architecture for building the data center network: Application Centric Infrastructure (ACI). Some people are already familiar with it, and some have even deployed it in their companies, including in Russia. For most IT specialists and IT managers, however, ACI is still either an obscure abbreviation or just a vision of the future.
In this article we will try to bring that future closer. To do so, we will describe the main components of ACI and show how it can be used in practice. In addition, in the near future we will hold a hands-on demonstration of ACI that any interested IT specialist can sign up for.

You can learn more about the new network architecture in St. Petersburg in May 2019. All the details are at the link. Sign up!

Background
The traditional and most widespread model for building a network is the hierarchical model: core -> distribution (aggregation) -> access. For many years this model was the standard, and vendors produced a range of network devices with the functionality appropriate to each tier.
Earlier, when information technology was a kind of necessary (and, frankly, not always welcome) appendage to the business, this model was convenient, very static and reliable. Now that IT is one of the drivers of business development, and in many cases is the business itself, the static nature of this model has started to cause serious problems.

A modern business generates a large number of varied and complex requirements for the network infrastructure. The success of the business depends directly on how quickly those requirements are implemented. Delays in such conditions are unacceptable, and the classical model of building a network often does not allow all business requirements to be met in time.

For example, the arrival of a new, complex business application requires network administrators to perform a large number of routine operations on a large number of different network devices at different tiers. Besides taking time, this increases the risk of making a mistake, which can lead to serious degradation of IT services and, as a result, to financial loss.

The root of the problem is not even the deadlines themselves or the complexity of the requirements. The point is that these requirements need to be "translated" from the language of business applications into the language of network infrastructure. As you know, any translation always loses some meaning. When the application owner talks about the logic of their application, the network administrator understands a set of VLANs and access lists on a multitude of devices that need to be maintained, updated and documented.

Accumulated experience and continuous communication with customers allowed Cisco to design and implement new principles for building a data center network that meets modern trends and is based, first of all, on the logic of business applications. Hence the name: Application Centric Infrastructure.

ACI architecture
It is best to look at the ACI architecture not from the physical side but from the logical side. It is based on a model of automated policies, whose top-level objects can be divided into the following components:

  1. A network based on Nexus switches;
  2. An APIC controller cluster;
  3. Application profiles.

Let's look at each level in detail, moving from the simple to the complex.

Network based on Nexus switches
The network in an ACI fabric resembles the traditional hierarchical model, but is much simpler to build. The network is organized using the Leaf-Spine model, which has become the generally accepted approach to deploying next-generation networks. This model has two tiers: Spine and Leaf, respectively.
The Spine tier is responsible only for performance. The total performance of the Spine switches equals the performance of the entire fabric, so switches with 40G or faster ports should be used at this tier.
Spine switches connect to all switches of the next tier: the Leaf switches, to which the end hosts are connected. The main role of the Leaf switches is port capacity.

Scaling problems are therefore solved easily: if we need to increase fabric throughput, we add Spine switches, and if we need to increase port capacity, we add Leaf switches.
Both tiers use Cisco Nexus 9000 series switches, which are Cisco's main tool for building data center networks regardless of architecture. Nexus 9300 or Nexus 9500 switches are used for the Spine tier, and only Nexus 9300 for the Leaf tier.
The range of Nexus switch models used in the ACI fabric is shown in the figure below.

APIC (Application Policy Infrastructure Controller) controller cluster
APIC controllers are dedicated physical servers, although for small deployments a cluster of one physical APIC controller and two virtual ones can be used.
APIC controllers provide management and monitoring functions. Importantly, the controllers never take part in data forwarding, that is, even if all the controllers in the cluster fail, this will not affect the stability of the network at all. It should also be noted that through the APICs the administrator manages absolutely all physical and logical resources of the fabric, and to make any change there is no longer any need to connect to a particular device, because ACI uses a single point of management.

Now let's move on to one of the main components of ACI: application profiles.
The Application Network Profile (ANP) is the logical foundation of ACI. Application profiles define the policies for interaction between all network segments and describe the network segments themselves. ANP lets you abstract away from the physical layer and, in effect, think about how to organize the interaction between different network segments from the application's point of view.

An application profile consists of End-point Groups (EPGs). An EPG is a logical group of hosts (virtual machines, physical servers, containers, etc.) that are in the same security segment (not network, but security). The end hosts that belong to a particular EPG can be determined by a large number of criteria. The following are commonly used:

  • Physical port
  • Logical port (a port group on a virtual switch)
  • VLAN ID or VXLAN
  • IP address or IP subnet
  • Server attributes (name, location, OS version, etc.)

For interaction between different EPGs, an entity called a contract is provided. A contract defines the relationship between different EPGs. In other words, a contract defines which service one EPG provides to another EPG. For example, we create a contract that allows traffic over the HTTPS protocol. Next, we attach to this contract, for example, EPG Web (a group of web servers) and EPG App (a group of application servers), after which these two end-point groups can exchange traffic over HTTPS.

The figure below shows an example of setting up interaction between different EPGs through contracts within the same ANP.
There can be any number of application profiles within an ACI fabric. Moreover, contracts are not tied to a particular application profile; they can (and should) be used to connect EPGs in different ANPs.

In effect, every application that needs the network in one way or another is described by its own profile. For example, the diagram above shows the standard architecture of a three-tier application, consisting of N external access servers (Web), application servers (App) and DBMS servers (DB), and describes the rules of interaction between them. In a traditional network infrastructure this would be a set of rules written on many different devices across the infrastructure. In the ACI architecture, we describe these rules within a single application profile. Using the application profile, ACI makes it much easier to create a large number of settings on different devices by grouping them all into one profile.
The figure below shows a more realistic example: a Microsoft Exchange application profile made up of many EPGs and contracts.

Centralized management, automation and monitoring are among the key advantages of ACI. The ACI fabric relieves administrators of the tedious work of creating a large number of rules on various switches, routers and firewalls (while the classic manual configuration method is still allowed and can be used). The settings of application profiles and other ACI objects are applied automatically across the entire ACI fabric. Even when servers are physically moved to other ports of the fabric switches, there is no need to duplicate settings from the old switches to the new ones and clean up the rules that are no longer needed. Based on the host's EPG membership criteria, the fabric applies these settings automatically and automatically cleans up unused rules.
ACI's integrated security policies are implemented as whitelists, meaning that anything not explicitly permitted is denied by default. Together with the automatic updating of network device configuration (removal of "forgotten" unused rules and permissions), this approach significantly raises the level of network security and reduces the potential attack surface.
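
The EPG, contract and whitelist behaviour described above, as an added Python sketch that is not part of the original article and does not use the APIC API. The subnets, contract names, port 1433 for the DB tier, the consumer-to-provider direction and the unrestricted traffic inside one EPG are all assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Contract:
    name: str
    provider: str   # EPG that offers the service
    consumer: str   # EPG allowed to reach it
    protocol: str
    port: int

# Constructed sample policy for the three-tier application (Web, App, DB).
# EPG membership is decided by IP subnet, one of the criteria listed earlier.
EPG_SUBNETS = {
    "Web": ipaddress.ip_network("10.0.1.0/24"),
    "App": ipaddress.ip_network("10.0.2.0/24"),
    "DB": ipaddress.ip_network("10.0.3.0/24"),
}
CONTRACTS = [
    Contract("web-to-app", provider="App", consumer="Web", protocol="tcp", port=443),
    Contract("app-to-db", provider="DB", consumer="App", protocol="tcp", port=1433),
]

def classify(ip):
    """Return the EPG an endpoint falls into, or None if it matches no EPG."""
    addr = ipaddress.ip_address(ip)
    for epg, net in EPG_SUBNETS.items():
        if addr in net:
            return epg
    return None

def is_allowed(src_ip, dst_ip, protocol, port):
    """Whitelist check: a flow passes only if a contract explicitly permits it."""
    src, dst = classify(src_ip), classify(dst_ip)
    if src is None or dst is None:
        return False      # endpoints outside every EPG get no access
    if src == dst:
        return True       # assumption: traffic inside one EPG is unrestricted
    # Assumption: the consumer EPG initiates towards the provider's service port.
    return any(c.consumer == src and c.provider == dst and
               c.protocol == protocol and c.port == port for c in CONTRACTS)

if __name__ == "__main__":
    flows = [("10.0.1.15", "10.0.2.20", "tcp", 443),   # Web -> App, contract
             ("10.0.1.15", "10.0.3.30", "tcp", 1433),  # Web -> DB, no contract
             ("10.0.2.20", "10.0.3.30", "tcp", 1433)]  # App -> DB, contract
    for flow in flows:
        print(flow, "permit" if is_allowed(*flow) else "deny")
```

Because the decision depends only on which EPG an endpoint is classified into, moving a server to a different switch port changes nothing in the policy, and a Web host has no path to the DB tier unless someone adds a contract for it.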

ACI lets you organize network interaction not only for virtual machines and containers, but also for physical servers, hardware firewalls and third-party network equipment, which makes ACI a unique solution at present.
Cisco's new approach to building a data network based on application logic is not only about automation, security and centralized management. It is also a modern, horizontally scalable network that meets all the requirements of modern business.
Deploying a network infrastructure based on ACI allows all departments of the business to speak the same language. The administrator is guided only by the application logic, which describes the required rules and connections. Application owners and developers, the information security service, economists and business owners are guided by the same application logic.

Thus, Cisco puts the concept of the next-generation data center network into practice. Want to see this for yourself? Come to the Application Centric Infrastructure demonstration in St. Petersburg and work with the data center network of the future today.
You can register for the event at the link.

Source: www.habr.com
