Linganisa ukuxhumana phakathi nendawo yomdwebo. Sizobuyela kubo ngezansi
Kwesinye isikhathi, ungathola ukuthi amanethiwekhi amakhulu, ayinkimbinkimbi asekelwe ku-L2 agulela ukufa. Okokuqala, izinkinga ezihlobene nokucubungula ithrafikhi ye-BUM kanye nokusebenza kwephrothokholi ye-STP. Okwesibili, i-architecture ngokuvamile ayisebenzi. Lokhu kubangela izinkinga ezingajabulisi ngendlela yezikhathi zokuphumula kanye nokuphatha okungahambi kahle.
Sibe namaphrojekthi amabili afanayo, lapho amakhasimende ahlola ngokucophelela zonke izinzuzo nezingozi zezinketho futhi akhetha izixazululo ezimbili ezihlukene zokumbondela, futhi sazisebenzisa.
Kube khona ithuba lokuqhathanisa ukuqaliswa. Hhayi ukuxhaphaza; kufanele sikhulume ngakho eminyakeni emibili noma emithathu.
Ngakho-ke, iyini indwangu yenethiwekhi enamanethiwekhi ambondelanayo kanye ne-SDN?
Yini okufanele uyenze ngezinkinga ezicindezelayo ze-classical network architecture?
Njalo ngonyaka kuvela ubuchwepheshe obusha nemibono. Empeleni, isidingo esiphuthumayo sokwakha kabusha amanethiwekhi asizange sivele isikhathi eside, ngoba ukwenza konke ngesandla usebenzisa izindlela ezinhle zakudala nakho kungenzeka. Manje kuthiwani uma kuyikhulu lamashumi amabili nanye? Phela umlawuli kufanele asebenze, angahlali ehhovisi lakhe.
Kwabe sekuqala intuthuko ekwakhiweni kwezikhungo ezinkulu zedatha. Kwabe sekubonakala ukuthi umkhawulo wokuthuthukiswa kwezakhiwo zakudala wawufinyelelwe, hhayi kuphela mayelana nokusebenza, ukubekezelela amaphutha, kanye nokuqina. Futhi enye yezinketho zokuxazulula lezi zinkinga kwakuwumqondo wokwakha amanethiwekhi ayimbondela phezu komgogodla othuthelwe.
Ukwengeza, ngokunyuka kwesilinganiso samanethiwekhi, inkinga yokuphatha izimboni ezinjalo iye yaba nzima, ngenxa yalokho izixazululo zenethiwekhi ezichazwe yi-software zaqala ukuvela nekhono lokuphatha yonke ingqalasizinda yenethiwekhi njengento eyodwa. Futhi uma inethiwekhi iphethwe ukusuka endaweni eyodwa, kuba lula kwezinye izingxenye zengqalasizinda ye-IT ukuthi zihlanganyele nayo, futhi izinqubo ezinjalo zokusebenzisana kulula ukuzenza ngokuzenzakalelayo.
Cishe wonke umkhiqizi omkhulu wezinto zokusebenza zenethiwekhi kuphela, kodwa futhi ne-virtualization, unezinketho zezixazululo ezinjalo kuphothifoliyo yayo.
Okusele wukuthola ukuthi yini elungele izidingo. Isibonelo, ezinkampanini ezinkulu ikakhulukazi ezineqembu elihle lokuthuthuka nokusebenza, izixazululo ezipakishiwe ezivela kubathengisi azizanelisi zonke izidingo ngaso sonke isikhathi, futhi ziphendukela ekuzakheleni ezazo izixazululo ze-SD (software echaziwe). Isibonelo, laba ngabahlinzeki bamafu abahlale bekhulisa ububanzi bezinsizakalo ezinikezwa amakhasimende abo, futhi izixazululo ezipakishiwe azikwazi ukuhambisana nezidingo zabo.
Ezinkampanini ezisezingeni eliphakathi, ukusebenza okunikezwa umthengisi ngendlela yesisombululo sebhokisi kwanele kumaphesenti angama-99 wamacala.
Ayini amanethiwekhi ambondelanayo?
Uyini umbono ngemuva kwamanethiwekhi ambondelanayo? Empeleni, uthatha inethiwekhi yakudala futhi wakhe enye inethiwekhi phezu kwayo ukuze uthole izici ezengeziwe. Ngokuvamile, sikhuluma ngokusabalalisa ngempumelelo umthwalo kumishini kanye nemigqa yokuxhumana, okwandisa kakhulu umkhawulo wokulinganisa, ukwandisa ukuthembeka kanye nenqwaba yezinto zokuphepha (ngenxa yokuhlukaniswa). Futhi izixazululo ze-SDN, ngaphezu kwalokhu, zinikeza ithuba lokuphatha okuguquguqukayo kakhulu, okulula kakhulu futhi kwenza inethiwekhi ibe sobala kubathengi bayo.
Sekukonke, ukube amanethiwekhi endawo ayeqanjwe ngeminyaka yawo-2010s, ngabe abukeka ehluke kakhulu kulokho esakuzuza njengefa kwezempi ngeminyaka yawo-1970.
Ngokuphathelene nobuchwepheshe bokwakha izindwangu usebenzisa amanethiwekhi ambondelanayo, okwamanje kukhona ukuqaliswa okuningi kwabathengisi kanye namaphrojekthi we-Internet RFC (EVPN+VXLAN, EVPN+MPLS, EVPN+MPLSoGRE, EVPN+Geneve nabanye). Yebo, kukhona izindinganiso, kodwa ukuqaliswa kwalezi zindinganiso ngabakhiqizi abahlukene kungase kuhluke, ngakho-ke lapho udala amafektri anjalo, kusengenzeka ukulahla ngokuphelele ukukhiya komthengisi kuphela ngombono ephepheni.
Ngesixazululo se-SD, izinto ziyadida nakakhulu; umthengisi ngamunye unombono wakhe. Kunezixazululo ezivuleke ngokuphelele ukuthi, ngombono, ungaziqedela, futhi kukhona ezivaliwe ngokuphelele.
I-Cisco inikeza inguqulo yayo ye-SDN yezikhungo zedatha - ACI. Ngokwemvelo, lesi yisixazululo se-100% esikhiyiwe umthengisi ngokukhetha imishini yenethiwekhi, kodwa ngesikhathi esifanayo ihlanganiswe ngokugcwele nezinhlelo ze-virtualization, i-containization, ukuphepha, i-orchestration, izilinganiso zokulayisha, njll. Kodwa empeleni, kuseyi- uhlobo lwebhokisi elimnyama, ngaphandle kokufinyelela okugcwele kuzo zonke izinqubo zangaphakathi. Akuwona wonke amakhasimende avuma le nketho, njengoba uncike ngokuphelele kwikhwalithi yekhodi yesixazululo ebhaliwe kanye nokuqaliswa kwayo, kodwa ngakolunye uhlangothi, umenzi unomunye wokusekelwa okungcono kakhulu kwezobuchwepheshe emhlabeni futhi uneqembu elizinikele elizinikele kuphela. kulesi sixazululo. I-Cisco ACI yakhethwa njengesixazululo sephrojekthi yokuqala.
Kuphrojekthi yesibili, isisombululo seJuniper sakhethwa. Umkhiqizi naye une-SDN yakhe yesikhungo sedatha, kodwa ikhasimende linqume ukungasebenzisi i-SDN. Indwangu ye-EVPN VXLAN ngaphandle kokusetshenziswa kwezilawuli ezimaphakathi ikhethwe njengobuchwepheshe bokwakha inethiwekhi.
Kwenzelweni?
Ukudala imboni ikuvumela ukuthi wakhe inethiwekhi enwebeka kalula, ebekezelela amaphutha, nethembekile. I-architecture (leaf-spine) icabangela izici zezikhungo zedatha (izindlela zethrafikhi, ukunciphisa ukubambezeleka kanye nezingqinamba kunethiwekhi). Izixazululo ze-SD ezikhungweni zedatha zikuvumela ukuthi ulawule kalula ifekthri enjalo futhi uyihlanganise ku-ecosystem yesikhungo sedatha.
Womabili amakhasimende ayedinga ukwakha izikhungo zedatha ezingasasebenzi ukuze kuqinisekiswe ukubekezelelana kwamaphutha, futhi ngaphezu kwalokho, ithrafikhi phakathi kwezikhungo zedatha kwadingeka ibethelwe.
Ikhasimende lokuqala lalivele licubungula izixazululo ezingenandwangu njengezinga elingenzeka lamanethiwekhi abo, kodwa ekuhlolweni libe nezinkinga ngokuhambisana kwe-STP phakathi kwabathengisi abambalwa bezingxenyekazi zekhompyutha. Kube nezikhathi zokungasebenzi ezidale ukuthi izinsizakalo ziphahlazeke. Futhi kukhasimende lokhu kwakubalulekile.
I-Cisco yayivele iyindinganiso yebhizinisi yekhasimende, babheka i-ACI nezinye izinketho futhi banquma ukuthi kufanelekile ukuthatha lesi sixazululo. Ngithande ukulawulwa okuzenzakalelayo okuvela enkinobho eyodwa ngesilawuli esisodwa. Amasevisi alungiswa ngokushesha futhi aphathwa ngokushesha. Sinqume ukuqinisekisa ukubethelwa kwethrafikhi ngokusebenzisa i-MACSec phakathi kwamaswishi e-IPN ne-SPINE. Ngakho-ke, sikwazile ukugwema ibhodlela ngendlela yesango le-crypto, londoloza kubo futhi usebenzise umkhawulokudonsa omkhulu.
Ikhasimende lesibili likhethe isisombululo esingenasilawuli esivela kuJuniper ngoba isikhungo sabo sedatha esikhona kakade sinokufaka okuncane okusebenzisa indwangu ye-EVPN VXLAN. Kepha lapho bekungabekezeleli amaphutha (kusetshenziswe iswishi eyodwa). Sinqume ukunweba ingqalasizinda yesikhungo sedatha esikhulu futhi sakhe imboni esikhungweni sedatha eyisipele. I-EVPN ekhona ayizange isetshenziswe ngokugcwele: I-VXLAN encapsulation ayizange isetshenziswe empeleni, njengoba bonke ababungazi babexhunywe ku-switch eyodwa, futhi wonke amakheli e-MAC kanye / / amakheli abamba angu-32 ayesendaweni, isango labo laliyi-switch efanayo, kwakungekho amanye amadivaysi. , lapho kwakudingeka khona ukwakha imigudu ye-VXLAN. Banqume ukuqinisekisa ukubethelwa kwethrafikhi kusetshenziswa ubuchwepheshe be-IPSEC phakathi kwama-firewall (ukusebenza kwe-firewall kwakwanele).
Baphinde bazama i-ACI, kodwa banquma ukuthi ngenxa yokukhiya umthengisi, kuzodingeka bathenge i-hardware eningi kakhulu, kuhlanganise nokushintsha imishini emisha esanda kuthengwa, futhi akuzange kube nomqondo wezomnotho. Yebo, indwangu yeCisco ihlanganisa nakho konke, kodwa kuphela amadivaysi ayo angenzeka ngaphakathi kwendwangu ngokwayo.
Ngakolunye uhlangothi, njengoba sishilo ekuqaleni, awukwazi nje ukuxuba indwangu ye-EVPN VXLAN nanoma yimuphi umthengisi ongumakhelwane, ngoba ukuqaliswa kwephrothokholi kuhlukile. Kufana nokuwela i-Cisco ne-Huawei kunethiwekhi eyodwa - kubonakala sengathi izindinganiso zivamile, kodwa kuzodingeka udanse ngethamborini. Njengoba leli kuyibhange, futhi izivivinyo zokuhambisana zizoba zinde kakhulu, sinqume ukuthi kungcono ukuthenga kumthengisi ofanayo manje, futhi singathatheki kakhulu ngokusebenza okungaphezu kwalokho okuyisisekelo.
Uhlelo lokufuduka
Izikhungo ezimbili zedatha esekwe ku-ACI:
Inhlangano yokusebenzisana phakathi kwezikhungo zedatha. Isixazululo se-Multi-Pod sikhethiwe - isikhungo sedatha ngasinye siyi-pod. Izidingo zokukala ngenani lokushintshwa nokubambezeleka phakathi kwama-pods (RTT ngaphansi kuka-50 ms) ziyabhekwa. Kwanqunywa ukuthi kungakhiwa isixazululo se-Multi-Site ukuze kube lula ukuphatha (isixazululo se-Multi-Pod sisebenzisa isixhumi esibonakalayo sokuphatha esisodwa, i-Multi-Site izoba nezindawo ezimbili zokusebenzelana, noma izodinga i-Multi-Site Orchestrator), futhi njengoba ingekho indawo. ukubhukwa kwezindawo kwakudingeka.
Ngokombono wezinsizakalo ezifudukayo ezivela kunethiwekhi ye-Legacy, inketho esobala kakhulu yakhethwa, kancane kancane idlulisela ama-VLAN ahambisana nezinsizakalo ezithile.
Ngokufuduka, i-EPG ehambisanayo (I-End-point-group) idalelwe i-VLAN ngayinye efekthri. Okokuqala, inethiwekhi yeluliwe phakathi kwenethiwekhi endala kanye nendwangu phezu kwe-L2, bese kuthi ngemva kokuba bonke ababungazi bathuthelwe, isango lihanjiswe kwendwangu, futhi i-EPG ihlanganyele nenethiwekhi ekhona nge-L3OUT, kuyilapho ukuxhumana phakathi kwe-L3OUT ne-EPG. kwachazwa kusetshenziswa izinkontileka. Umdwebo olinganiselwe:
Isampula yesakhiwo sezinqubomgomo eziningi zefekthri ye-ACI iboniswa esithombeni esingezansi. Konke ukusetha kusekelwe kuzinqubomgomo ezibekwe ngaphakathi kwezinye izinqubomgomo nokunye. Ekuqaleni kunzima kakhulu ukukuqonda, kodwa kancane kancane, njengoba umkhuba ubonisa, abaphathi benethiwekhi bajwayele lesi sakhiwo cishe inyanga, bese beqala ukuqonda ukuthi kulula kangakanani.
Ukuqhathanisa
Esixazululweni se-Cisco ACI, udinga ukuthenga imishini eyengeziwe (ukushintsha okuhlukile kokusebenzelana kwe-Inter-Pod nezilawuli ze-APIC), okwenza kubize kakhulu. Isixazululo sikaJuniper asizange sifune ukuthengwa kwabalawuli noma izesekeli; Bekungenzeka ukusebenzisa ingxenye yemishini ekhona yekhasimende.
Nansi i-EVPN VXLAN yokwakhiwa kwendwangu yezikhungo ezimbili zedatha yephrojekthi yesibili:
Nge-ACI uthola isixazululo esenziwe ngomumo - asikho isidingo sokucwilisa, asikho isidingo sokwandisa. Ngesikhathi sokujwayelana kokuqala kwekhasimende nefekthri, abekho abathuthukisi abadingekayo, abekho abantu abasekelayo abadingekayo ukuze uthole ikhodi kanye ne-automation. Kulula kakhulu ukuyisebenzisa; izilungiselelo eziningi zingenziwa ngokusebenzisa iwizadi, okungahlali kuhlangene, ikakhulukazi kubantu abajwayele umugqa womyalo. Kunoma ikuphi, kuthatha isikhathi ukwakha kabusha ingqondo kumathrekhi amasha, kuya kwezici zezilungiselelo ngezinqubomgomo nokusebenza ngezinqubomgomo eziningi ezifakiwe. Ngaphezu kwalokhu, kufiseleka kakhulu ukuba nesakhiwo esicacile sokuqamba izinqubomgomo nezinto. Uma noma iyiphi inkinga ivela ku-logic yesilawuli, ingaxazululwa kuphela ngosekelo lobuchwepheshe.
Ku-EVPN - console. Ukuhlupheka noma ukujabula. Isixhumi esibonakalayo esijwayelekile sonogada omdala. Yebo, kukhona ukucushwa okujwayelekile kanye nemihlahlandlela. Kuzomele ubheme mana. Imiklamo ehlukene, yonke into icacile futhi inemininingwane.
Ngokwemvelo, kuzo zombili izimo, lapho ufuduka, kungcono ukufuduka kuqala hhayi izinsizakalo ezibucayi kakhulu, isibonelo, izindawo zokuhlola, futhi ngemva kwalokho, ngemva kokubamba zonke izimbungulu, uqhubekele ekukhiqizeni. Futhi ungaculi ngoLwesihlanu ebusuku. Akufanele uthembele kumthengisi ukuthi konke kuzolunga, kuhlale kungcono ukukudlala ngokuphephile.
Ukhokha kakhulu i-ACI, nakuba i-Cisco okwamanje ikhuthaza lesi sixazululo futhi ivame ukunikeza izaphulelo ezinhle kuso, kodwa wonga ngokulungiswa. Ukuphathwa kanye nanoma yikuphi okuzenzakalelayo kwemboni ye-EVPN ngaphandle kwesilawuli kudinga ukutshalwa kwezimali kanye nezindleko ezivamile - ukuqapha, ukuzenzekelayo, ukuqaliswa kwezinsizakalo ezintsha. Ngesikhathi esifanayo, ukwethulwa kokuqala ku-ACI kuthatha amaphesenti angama-30-40 ubude. Lokhu kwenzeka ngoba kuthatha isikhathi eside ukudala isethi yonke yamaphrofayela adingekayo nezinqubomgomo ezizobe sezisetshenziswa. Kodwa njengoba inethiwekhi ikhula, inani lokucushwa okudingekayo liyancipha. Usebenzisa izinqubomgomo ezidalwe ngaphambilini, amaphrofayili, izinto. Ungakwazi ukumisa ngokuguquguqukayo ukuhlukaniswa nokuphepha, uphathe izinkontileka ezimaphakathi ezinomthwalo wokuvumela ukusebenzisana okuthile phakathi kwama-EPG - inani lomsebenzi lehla kakhulu.
Ku-EVPN, udinga ukulungisa idivayisi ngayinye efekthri, amathuba okuba namaphutha makhulu.
Ngenkathi i-ACI yayihamba kancane ukusebenzisa, i-EVPN ithathe cishe isikhathi esiphindwe kabili ukulungisa iphutha. Uma esimweni se-Cisco ungahlala ubiza unjiniyela wokusekela futhi ubuze mayelana nenethiwekhi iyonke (ngoba ihlanganiswe njengesixazululo), bese usuka kuJuniper Networks uthenga i-hardware kuphela, futhi yilokho okuhlanganisiwe. Ingabe amaphakheji ashiye idivayisi? Hhayi-ke, ke izinkinga zakho. Kodwa ungavula umbuzo mayelana nokukhetha kwesixazululo noma ukwakhiwa kwenethiwekhi - bese-ke bazokweluleka ukuthi uthenge isevisi yochwepheshe, ngemali eyengeziwe.
Ukusekelwa kwe-ACI kuhle kakhulu, ngoba kuhlukene: iqembu elihlukile lihlezi kulokhu. Kukhona nongoti abakhuluma isiRashiya. Umhlahlandlela unemininingwane, izixazululo zinqunywa kusengaphambili. Bayabheka futhi beluleka. Baqinisekisa ngokushesha ukuklama, okuvame ukubalulekile. I-Juniper Networks yenza into efanayo, kodwa ihamba kancane (besinalokhu, manje kufanele kube ngcono ngokusho kwamahemuhemu), okuphoqa ukuthi wenze yonke into ngokwakho lapho unjiniyela wesisombululo angaluleka khona.
I-Cisco ACI isekela ukuhlanganiswa nezinhlelo ze-virtualization kanye neziqukathi (VMware, Kubernetes, Hyper-V) kanye nokuphathwa okumaphakathi. Itholakala ngezinsizakalo zenethiwekhi nezokuphepha - ukulinganisa, izindonga zomlilo, i-WAF, i-IPS, njll... Ukuhlukaniswa okuhle okuncane ngaphandle kwebhokisi. Esixazululweni sesibili, ukuhlanganiswa nezinsizakalo zenethiwekhi kuwumoya, futhi kungcono ukuxoxa ngezinkundla kusengaphambili nalabo abenze lokhu.
Umphumela
Ngecala ngalinye elithile, kuyadingeka ukukhetha isisombululo, hhayi kuphela ngokususelwa kuzindleko zemishini, kodwa kuyadingeka futhi ukubheka ezinye izindleko zokusebenza kanye nezinkinga eziyinhloko ikhasimende elibhekene nazo njengamanje, nokuthi yiziphi izinhlelo lapho. ezokuthuthukisa ingqalasizinda ye-IT.
I-ACI, ngenxa yemishini eyengeziwe, yayibiza kakhulu, kodwa isixazululo senziwe ngomumo ngaphandle kwesidingo sokuqedela okwengeziwe; isisombululo sesibili siyinkimbinkimbi futhi siyabiza ngokusebenza, kodwa ishibhile.
Uma ufuna ukuxoxa ngokuthi kungabiza malini ukusebenzisa indwangu yenethiwekhi kubathengisi abahlukene, futhi hlobo luni lwezakhiwo oludingekayo, ungahlangana futhi uxoxe. Sizokweluleka mahhala kuze kube yilapho uthola umdwebo onzima wezakhiwo (ongakwazi ukubala ngawo amabhajethi), incazelo eningiliziwe, vele, isivele ikhokhiwe.
UVladimir Klepche, amanethiwekhi ezinkampani.
Source: www.habr.com