Nginesiqiniseko sokuthi bonke abafundi be-Habr okungenani ba-ode izimpahla ezitolo eziku-inthanethi phesheya bese beya kokwamukela amaphasela e-Russian Post office. Ungasibona ngeso lengqondo ubukhulu balo msebenzi, ngokombono wokuhlela izinto? Phindaphinda inani labathengi ngenani lokuthenga kwabo, cabanga imephu yezwe lethu elikhulu, futhi kulo kunamahhovisi eposi angaphezu kwezinkulungwane ze-40 ... Ngendlela, ngo-2018, i-Russian Post icubungule amaphasela amazwe ayizigidi ezingu-345.
Kulesi sihloko sizokutshela ukuthi yiziphi izinkinga u-Pochta abhekane nazo nokuthi ithimba le-LANIT Integration lizixazulule kanjani, lakha ingqalasizinda entsha ye-IT yezikhungo zedatha.
Esinye sezikhungo zesimanje Logistics of Russian Post
Ngaphambi kwephrojekthi
Ngenxa yokwanda okukhulu kwenani lamaphasela avela ezitolo zakwamanye amazwe e-China, eNtshonalanga Yurophu naseNyakatho Melika, umthwalo ezikhungweni ze-logistics ze-Russian Post unyukile. Ngakho-ke, kwakhiwa izikhungo zesizukulwane esisha, ezisebenzisa imishini yokuhlunga esebenza kahle kakhulu. Badinga ukwesekwa nengqalasizinda yekhompyutha.
Ingqalasizinda yesikhungo sedatha ibiphelelwe yisikhathi futhi ayizange inikeze ukusebenza okudingekayo nokuthembeka ekusebenzeni kwezinhlelo zolwazi lwebhizinisi. Futhi, i-Russian Post ihlangabezane nokuntuleka kwamandla ekhompiyutha ukwethula izinsizakalo ezintsha.
Izikhungo zedatha yekhasimende nezinkinga zazo
Izikhungo zedatha ye-Russian Post zisebenzela izikhungo ezingaphezu kuka-40 kanye neminyango yezindawo ezingama-000. Izikhungo zedatha zisebenzisa inqwaba yezinsizakalo zebhizinisi ezingama-85/XNUMX, okuhlanganisa nezinsizakalo ze-e-commerce.
Namuhla, amabhizinisi asebenzisa amasistimu okugcina, ukuhlaziya nokucubungula idatha enkulu. Kumasistimu anjalo, ukusetshenziswa kobuhlakani bokwenziwa kanye nama-algorithms okufunda komshini kudlala indima ebalulekile. Namuhla, elinye lamacala abaluleke kakhulu ebhizinisini ukuthuthukisa ukuphathwa kokugeleza kwempahla kanye nokusheshisa isevisi yamakhasimende emahhovisi eposi.
Ngaphambi kokuqala kwephrojekthi yesimanje, bekunemishini ebonakalayo engaba ngu-3000 ezikhungweni zedatha eziyinhloko nezokusekela, ivolumu yolwazi olugciniwe idlule ama-petabytes angu-2. Izikhungo zedatha zibe nesakhiwo somzila wethrafikhi esiyinkimbinkimbi esihlotshaniswa nokuhlukaniswa ngamasegimenti ahlukahlukene ngokuya ngamaleveli okuphepha.
Ngokuthuthukiswa kwezinhlelo zokusebenza kanye nokwethulwa kwezinsizakalo ezintsha, umkhawulokudonsa okhona wemishini yenethiwekhi ezikhungweni zedatha akwanele. Ukushintshela kokuxhumana ngesivinini esisha kwakudingeka: 10 Gbit/s, esikhundleni sika-1 Gbit/s ekufinyeleleni kanye no-40 Gbit/s ezingeni eliyinhloko, nokungadingeki ngokugcwele kwemishini namashaneli okuxhumana.
Umnyango wezokuphepha wolwazi uthole imfuneko yokuhlukanisa ingqalasizinda ibe izingxenye ezinezinga eliphezulu lokuphepha kolwazi lwethrafikhi nezicelo (PN - Private Network and DMZ - Demilitarized Zone). Ithrafikhi idlule kuma-firewall (ama-FWU) ayengadingi ukuhlungwa. I-VRF kumaswishi ayizange isetshenziselwe le thrafikhi. Imithetho ku-firewall ibingekho kahle kakhulu (amashumi ezinkulungwane zemithetho kusikhungo ngasinye sedatha).
Ukuhamba okungenazihibe kwemishini ebonakalayo (ama-VM) phakathi kwezikhungo zedatha kuyilapho kugcinwa ikheli lasesizindeni se-inthanethi kanye nendlela elungile yethrafikhi phakathi kwamasegimenti, okuhlanganisa nenethiwekhi yedatha yebhizinisi (CDN), kwakungenakwenzeka.
I-MSTP isetshenziselwe ukwenza ikhophi yasenqolobaneni; ezinye izimbobo ziye zavinjwa (okubekwe eceleni okushisayo). Ukushintsha okuyisisekelo nokufinyelela akuzange kuhlanganiswe kube yiqoqo le-faillover, futhi ukuhlanganiswa kwe-interface (LAG) akuzange kusetshenziswe.
Ngokufika kwesikhungo sedatha sesithathu, ukwakhiwa okusha nemishini kwadingeka ukuze kusetshenziswe indandatho phakathi kwezikhungo zedatha (kwahlongozwa i-EVPN).
Kwakungekho mqondo obumbene wokuthuthukiswa kwezikhungo zedatha, obhalwe ngendlela yephrojekthi futhi okuvunyelwene ngayo nayo yonke iminyango yekhasimende. Imibhalo yamanje yokusebenza kwenethiwekhi ibingaphelele futhi isiphelelwe yisikhathi.
Okulindelwe ngamakhasimende
Ithimba lephrojekthi libhekane nale misebenzi elandelayo:
- lungisa umqondo wezakhiwo nokuthuthukiswa wokwakha ingqalasizinda yenethiwekhi neseva yesikhungo sedatha sesithathu;
- ukwenza ucwaningo lokusebenza kwenethiwekhi ekhona yekhasimende;
- wandise umthamo wenethiwekhi yenethiwekhi ngezimbobo ze-Ethernet ezingaphezu kuka-1500 10/40 Gbit/s kusikhungo ngasinye sedatha (izimbobo ezingu-4500 sezizonke);
- ukuqinisekisa ukusebenza kweringi phakathi kwezikhungo zedatha ezintathu ezinekhono lokukhulisa isivinini sifike ku-80 Gbit/s esigabeni ngasinye ukuze kuhlanganiswe izinsiza zekhompuyutha zekhasimende ezivela ezikhungweni zedatha ezihlukene zibe uhlelo olulodwa lwe-IT;
- ukuhlinzeka ngokugodla okuphindwe kabili okungu-100% kwazo zonke izici zenethiwekhi ukuze kuzuzwe Isikhathi Esibekiwe esihlosiwe ezingeni lama-99,995%;
- ukunciphisa ukubambezeleka kwethrafikhi phakathi kwemishini ebonakalayo ukuze kusheshiswe izinhlelo zebhizinisi;
- qoqa izibalo, wenze ukuhlaziya futhi wenze ukulungiselelwa okulandelayo kwemithetho yokuhlunga kwethrafikhi ezikhungweni zedatha (ekuqaleni bekunemithetho engaba ngu-80);
- thuthukisa ukwakheka okuhlosiwe ukuze kuqinisekiswe ukufuduka okungenazihibe kwezinhlelo zokusebenza zebhizinisi ezibucayi zekhasimende kunoma yiziphi izikhungo zedatha ezintathu.
Ngakho kwakukhona okwakudingeka silungise kukho.
Izinsiza
Ake sibhekisise ukuthi yiziphi izinto esizisebenzise kuphrojekthi.
I-Firewall (NGWF) USG9560:
- ukuhlukaniswa nge-VSYS;
- kufika ku-720 Gbps;
- kufika ku-720 million amaseshini ngesikhathi esisodwa;
- 8 izikhala.
Umzila NE40E-X8:
- kufika ku-7,08 Tbit/s Amandla Wokushintsha;
- kuze kufike ku-2,880 Mpps Ukudlulisa Ukusebenza;
- Izikhala eziyi-8 zamakhadi omugqa (LPU);
- kufika ku-10M wemizila ye-BGP IPv4 MPU ngayinye;
- kufika ku-1500K OSPF IPv4 imizila nge-MPU ngayinye;
- kufika ku-3000K β IPv4 FIB (kuye nge-LPU).
Ukushintsha kwe-CE12800 Series:
- I-Virtualization Yedivayisi: VS (1:16 virtualization), Cluster Switch System (CSS), Super Virtual Fabric (SVF);
- I-Network Virtualization: I-M-LAG, i-TRILL, i-VXLAN ne-VXLAN bridging, i-QinQ ku-VXLAN, i-EVN (i-Ethernet Virtual Network);
- kusukela ku-VRP V2, ukusekelwa kwe-EVPN kufakiwe;
- I-M-LAG β i-analogue ye-vPC (i-virtual Port Channel) ye-Cisco Nexus;
- I-Virtual Spanning Tree Protocol (VSTP) - Ihambisana ne-Cisco PVST.
CE12804
CE12808
Isofthiwe
Kuphrojekthi sisebenzise:
- Isiguquli samafayela wokumisa i-firewall asuka kwabanye abathengisi abe yifomethi yomyalo wemishini emisha;
- imibhalo yokuphathelene yokuthuthukisa nokuguqula ukucushwa kwe-firewall.
Ukubukeka kwesiguquli sokuguqula amafayela okumisa
Uhlelo lokuhlela ukuxhumana phakathi kwezikhungo zedatha (EVPN VXLAN)
Ama-nuances wokusetha imishini
CE12808
- I-EVPN (ejwayelekile) esikhundleni se-EVN (i-Huawei proprietary) yokuxhumana phakathi kwezikhungo zedatha:
β L2 phezu kwe-L3 usebenzisa i-iBGP endizeni Yokulawula;
β Ukuqeqeshwa kwe-MAC kanye nokukhangisa kwabo ngomndeni we-iBGP EVPN (imizila ye-MAC, uhlobo 2);
β ukwakhiwa okuzenzakalelayo kwemigudu ye-VXLAN yokusakaza / ithrafikhi ye-unicast engaziwa (Imizila Ehlanganisiwe ye-Multicast, thayipha 3). - Izindlela ezimbili zokuhlukanisa ku-VS:
β ngokusekelwe kuzimbobo (imbobo yemodi yembobo) noma ngokusekelwe ku-ASIC (iqembu lemodi yembobo, bonisa imephu yembobo yedivayisi);
β isixhumi esibonakalayo esihlukanisa imbobo esingu-40GE sisebenza KUPHELA ku-Admin VS (kungakhathaleki ukuthi iyiphi imodi yembobo).
USG9560
- kungenzeka ukuhlukaniswa yi-VSYS,
- Umzila onamandla nokuvuza komzila akunakwenzeka phakathi kwe-VSYS!
CE12804
Yonke i-Active GW (VRRP Master/Master/Master) enokuhlunga kwe-MAC VRRP phakathi kwezikhungo zedatha
acl number 4000
rule 5 deny source-mac 0000-5e00-0100 ffff-ffff-ff00
rule 10 deny destination-mac 0000-5e00-0100 ffff-ffff-ff00
rule 15 permit
interface Eth-Trunk1
traffic-filter acl 4000 outbound
Uhlelo lokusebenzelana kwensiza phakathi kwezikhungo zedatha (VXLAN EVPN kanye ne-All Active GW)
Izinkinga zephrojekthi
Ubunzima obukhulu bekuwukusekela izinhlelo zokusebenza ezikhona kusetshenziswa ingqalasizinda yekhompyutha. Ikhasimende lalinezicelo ezehlukene ezingaphezu kwekhulu, ezinye zazo ezabhalwa cishe eminyakeni eyi-100 edlule. Isibonelo, uma ku-Yandex ungakwazi ukucisha kalula amakhulu ambalwa imishini ebonakalayo ngaphandle kokulimala kubasebenzisi bokugcina, khona-ke ku-Russian Post indlela enjalo izodinga ukuthuthukiswa kwezinhlelo zokusebenza eziningi kusukela ekuqaleni kanye nezinguquko ekwakhiweni kwezinhlelo zolwazi lwebhizinisi. Sixazulule izinkinga eziqubuke ngesikhathi sokufuduka kanye nenqubo yokuthuthukisa ezingeni lokucwaningwa kwamabhuku okuhlanganyelwe kwengqalasizinda yekhompyutha. Bonke ubuchwepheshe benethiwekhi obusha ebhizinisini (njenge-EVPN) buye bahlolwa okokuqala elabhorethri.
Imiphumela yephrojekthi
Ithimba lephrojekthi lalihlanganisa ochwepheshe , ikhasimende kanye nabalingani balo ekusebenzeni kwengqalasizinda yekhompyutha. Amaqembu okusekela azinikele avela kubathengisi (Check Point kanye neHuawei) nawo asungulwa. Lo msebenzi wathatha iminyaka emibili. Yilokhu okwenziwa ngalesi sikhathi.
- Isu lokuthuthukiswa kwenethiwekhi yezikhungo zedatha, Inethiwekhi Yedatha Yebhizinisi (CDTN) kanye neringi phakathi kwezikhungo zedatha lenziwe futhi kwavunyelwana ngalo nayo yonke iminyango yekhasimende.
- Ukutholakala kwezinsizakalo kwenyukile. Lokhu kuphawulwe yibhizinisi lekhasimende futhi kwaholela ekwenyukeni okukhulu kwezimoto ngenxa yokwethulwa kwezinsizakalo ezintsha.
- Imithetho engaphezu kuka-40 ithuthiwe futhi yathuthukiswa kusukela ku-FWSM/ASA kuya ku-USG 000. Izimo ezihlukile ze-ASA ku-UGG 9560 zihlanganiswe zaba inqubomgomo yokuphepha eyodwa.
- Ukusetshenziswa kwamachweba esikhungo sedatha kunyusiwe kusuka ku-1G kuya ku-10/40G ngokusebenzisa i-CE12800/CE6850. Lokhu kwenze kwaba nokwenzeka ukuqeda ukugcwala kwe-interface nokulahlekelwa kwamaphakethe.
- Amarutha enkampani yenethiwekhi i-NE40E-X8 amboze ngokugcwele izidingo zesikhungo sedatha yekhasimende nesikhungo sokudlulisa idatha, kucatshangelwa ukuthuthukiswa kwebhizinisi kwesikhathi esizayo.
- Kucelwe Izicelo Ezintsha Eziyisishiyagalombili ze-USG 9560. Kulezi, eziyisikhombisa seziqalisiwe futhi zifakiwe enguqulweni yamanje ye-VRP. 1 FR - izosetshenziswa ku-Huawei R&D. Leli iqoqo le-chassis eyisishiyagalombili elinamandla okumisa ukusebenza okudingekayo kokuvumelanisa ukulungiselelwa ngaphandle kokuvumelanisa isikhathi. Kudingeka uma ukubambezeleka kwethrafikhi kwenye yezikhungo zedatha kukukhulu kakhulu (Adler - Moscow 1300 km ngomzila omkhulu kanye no-2800 km ngomzila wokubhuka).
Le phrojekthi ayinazo ama-analogue uma kuqhathaniswa nezinye izinkampani zeposi zaseRussia.
Ukwenziwa kwesimanjemanje kwengqalasizinda yenethiwekhi yezikhungo zedatha kuvule amathuba amasha ebhizinisi lokuthuthukisa izinsiza zedijithali.
- Ukunikeza i-akhawunti yomuntu siqu kanye nesicelo seselula sabantu ngabanye nezinhlangano ezisemthethweni.
- Ukuhlanganiswa nezitolo ze-elekthronikhi ukuhlinzeka ngezinsizakalo zokulethwa kwezimpahla.
- Ukugcwaliseka - ukugcinwa kwezimpahla, ukwakheka kanye nokulethwa kwama-oda ezitolo ze-elekthronikhi.
- Ukwandisa izindawo zokulanda i-oda, okuhlanganisa ukusebenzisa amanethiwekhi asebenzisanayo.
- Ukugeleza kwedokhumenti ebalulekile ngokusemthethweni nabalingani. Lokhu kuzoqeda ukuthunyelwa kancane nokubiza kwemibhalo yamaphepha.
- Ukwamukelwa kwezinhlamvu ezibhalisiwe nge-elekthronikhi zilethwa kokubili nge-elekthronikhi nangefomu lephepha (ngokuphrinta izinto eziseduze ngangokunokwenzeka kumamukeli wokugcina). Isevisi yezincwadi ezibhaliswe ngogesi kuphothali yezinsizakalo zomphakathi.
- Inkundla yokuhlinzeka ngezinsizakalo ze-telemedicine.
- Ukwamukela okwenziwe lula nokulethwa lula kwemeyili ebhalisiwe kusetshenziswa isiginesha ye-elekthronikhi elula.
- Ukwenziwa ngedijithali kwenethiwekhi yeposi.
- Ukuklama kabusha izinsiza zokuzisiza (amatheminali namaphasela).
- Ukwakhiwa kwenkundla yedijithali yokuphatha isevisi ye-courier kanye nesicelo esisha seselula samakhasimende esevisi ye-courier.
Woza usebenze nathi!
Source: www.habr.com