Cisco ACI data center network fabric: a helping hand for the admin

With the help of this magic piece of Cisco ACI script, you can quickly set up a network.

The Cisco ACI data center network fabric has been around for five years, but Habré has said nothing about it, so I decided to fix that a little. Drawing on my own experience, I will explain what it is, what it is used for, and where the pitfalls are.

What is it and where did it come from?

By the time ACI (Application Centric Infrastructure) was announced in 2013, competitors were attacking the traditional approaches to data center networking from three directions at once.

On the one hand, "first generation" SDN solutions based on OpenFlow promised to make networks both more flexible and cheaper at the same time. The idea was to move the decision-making, traditionally performed by the proprietary software of the switches, to a central controller.

This controller would have a single view of everything going on and, based on that, would program the hardware of all the switches at the level of rules for processing specific flows.

On the other hand, overlay network solutions made it possible to implement the required connectivity and security policies without any changes to the physical network at all, by building software tunnels between virtualized hosts. The best-known example of this approach was Nicira, which by then had already been acquired by VMware for 1.26 billion dollars and gave rise to today's VMware NSX. Some piquancy was added by the fact that the founders of Nicira were the very same people who had stood at the origins of OpenFlow and were now saying that OpenFlow was not suitable for building a data center fabric.

And finally, switching chips available on the open market (so-called merchant silicon) reached a level of maturity at which they became a real threat to the traditional switch manufacturers. Whereas previously each vendor designed its own switching chips, over time chips from third-party manufacturers, primarily Broadcom, began to close the gap with vendor chips in functionality and overtook them in price/performance. Many therefore believed that the days of switches built on in-house chips were numbered.

ACI became Cisco's "asymmetric response" (more precisely, that of its company Insieme, founded by its former employees) to all of the above.

How does it differ from OpenFlow?

In terms of the distribution of functions, ACI is essentially the opposite of OpenFlow. In the OpenFlow architecture, the controller is responsible for writing detailed rules (flows) into the hardware of all the switches; that is, in a large network it may be responsible for maintaining and, more importantly, changing tens of millions of records at hundreds of points in the network, so its performance and reliability become the bottleneck in a large deployment.

ACI takes the reverse approach: yes, there is also a controller, but the switches receive high-level declarative policies from it, and the switch itself renders them into specific configuration details in hardware. The controller can be rebooted or switched off entirely and nothing bad will happen to the network, except, of course, for the lack of management during that time. Interestingly, there are situations in ACI where OpenFlow is still used, but locally, inside the host, to program Open vSwitch.

ACI is built entirely on VXLAN-based overlay transport, but it includes the underlying IP transport as part of a single solution. Cisco called this an "integrated overlay". In most cases the overlay is terminated on the fabric switches (which do this at line rate). Hosts don't need to know anything about the fabric, the encapsulation, and so on; however, in some cases (for example, when connecting OpenStack hosts) VXLAN traffic can be delivered to them.

Overlays are used in ACI not only to provide flexible connectivity over the transport network, but also to carry metainformation (used, for example, to apply security policies).

Cisco had previously used Broadcom chips in the Nexus 3000 series switches. In the Nexus 9000 family, released specifically to support ACI, a hybrid model was initially implemented, called Merchant+. The switch used both the new Broadcom Trident 2 chip and a companion chip developed by Cisco that implements all the ACI magic. Apparently, this made it possible to speed up the product release and bring the switch price tag down to a level close to models based simply on Trident 2. This approach was sufficient for the first two or three years of ACI shipments. During that time, Cisco developed and launched the next generation of the Nexus 9000 on its own chips with higher performance and a larger feature set, but at the same price level. The external specifications for interaction within the fabric were fully preserved, while the internals changed completely: something like refactoring, but for hardware.

How the Cisco ACI architecture works

In the simplest case, ACI is built on a Clos network topology, or, as it is commonly called, Spine-Leaf. There can be from two (or one, if we don't care about fault tolerance) to six spine-level switches. Accordingly, the more of them there are, the higher the fault tolerance (the smaller the loss of bandwidth and reliability if one spine fails or is taken down for maintenance) and the higher the overall performance. All external connections go to the leaf-level switches: servers, connections to external networks over L2 or L3, and the APIC controllers themselves. In general, with ACI not only configuration but also statistics collection, failure monitoring and so on are all done through the controller interface, and in a standard-size deployment there are three controllers.

You don't need to connect to the switches through the console even to bring the network up: the controller itself discovers the switches and assembles a fabric from them, including the settings for all service protocols. For that reason, by the way, it is very important to write down the serial numbers of the equipment being installed during installation, so that later you don't have to guess which switch sits in which rack. For troubleshooting, if necessary, you can connect to the switches over SSH: they reproduce the usual Cisco show commands quite faithfully.

Internally, the fabric uses IP transport, so there is no Spanning Tree and none of the other horrors of the past: all links are in use, and convergence after a failure is very fast. Traffic in the fabric is carried through VXLAN-based tunnels. More precisely, Cisco itself calls the encapsulation iVXLAN, and it differs from regular VXLAN in that reserved fields in the network header are used to carry service information, mainly about which EPG group the traffic belongs to. This makes it possible to implement rules for interaction between groups in the hardware, using their numbers in the same way that addresses are used in ordinary access lists.

The tunnels allow both L2 segments and L3 segments (that is, VRFs) to be stretched over the internal IP transport. The default gateway is distributed, which means that each switch is responsible for routing the traffic that enters the fabric through it. In terms of traffic-flow logic, ACI resembles a VXLAN/EVPN fabric.

If so, what is the difference? Everything else!

The first difference you run into with ACI is how servers are connected to the network. In traditional networks, both physical servers and virtual machines are placed into VLANs, and everything else follows from that: connectivity, security, and so on. In ACI, a construct is used that Cisco calls the EPG (End-point Group), and there is no getting away from it. Can it be equated with a VLAN? Yes, but then you are likely to lose most of what ACI gives you.

All access rules are built in terms of EPGs, and in ACI the "white list" principle applies by default, that is, only traffic whose passage is explicitly allowed is permitted. So we can create the EPG groups "Web" and "MySQL" and define a rule that allows communication between them only on port 3306. This will work without binding to network addresses, even within the same subnet!

We have customers who chose ACI precisely because of this feature, since it lets you restrict access between servers (virtual or physical, it doesn't matter) without dragging them between subnets, that is, without touching addressing. Yes, yes, we know that nobody hard-codes IP addresses in application configs by hand, right?

Traffic rules in ACI are called contracts. In such a contract, one or more groups, or tiers of a multi-tier application, become the provider of a service (say, a database service), and others become consumers. A contract can simply pass traffic, or it can do something more cunning, for example redirect it to a firewall or load balancer, and also change the QoS value.
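The whitelist model described in the last three paragraphs (EPGs, directional contracts, filters, no dependence on IP addresses) is easy to misjudge from prose alone, so here is an added example that simulates it. It is a teaching model written for this article, not Cisco's policy engine or any APIC code; the EPG names, contract, endpoints and addresses are all constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

# Added example: a simplified model of ACI's whitelist policy between EPGs.
# Not the APIC implementation; it omits, for instance, the return traffic of an
# established consumer->provider connection that real contracts also permit.


@dataclass(frozen=True)
class Endpoint:
    name: str
    ip: str
    epg: str  # EPG membership comes from port/VLAN or the VMM domain, never from the IP


@dataclass(frozen=True)
class FilterEntry:
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any destination port


@dataclass
class Contract:
    name: str
    providers: Set[str]    # EPGs that provide the service
    consumers: Set[str]    # EPGs allowed to initiate towards the providers
    entries: List[FilterEntry] = field(default_factory=list)

    def matches(self, proto: str, dport: int) -> bool:
        return any(e.proto in ("any", proto) and e.dport in (None, dport)
                   for e in self.entries)


class Fabric:
    def __init__(self, contracts: List[Contract]):
        self.contracts = list(contracts)

    def permits(self, src: Endpoint, dst: Endpoint, proto: str, dport: int) -> bool:
        """Whitelist semantics: traffic inside one EPG is allowed; traffic between
        EPGs needs a contract consumed by src's EPG and provided by dst's EPG whose
        filter matches. Addresses are never consulted, so the same subnet is fine."""
        if src.epg == dst.epg:
            return True
        return any(src.epg in c.consumers and dst.epg in c.providers
                   and c.matches(proto, dport) for c in self.contracts)


def build_demo_fabric() -> Tuple[Fabric, Dict[str, Endpoint]]:
    # Constructed sample: all endpoints share 10.0.0.0/24, yet policy differs by EPG.
    eps = {
        "web1": Endpoint("web1", "10.0.0.10", "Web"),
        "web2": Endpoint("web2", "10.0.0.11", "Web"),
        "db1": Endpoint("db1", "10.0.0.20", "MySQL"),
        "bastion": Endpoint("bastion", "10.0.0.30", "Mgmt"),
    }
    web_to_db = Contract("web-to-db", providers={"MySQL"}, consumers={"Web"},
                         entries=[FilterEntry("tcp", 3306)])
    return Fabric([web_to_db]), eps


def same_subnet(a: Endpoint, b: Endpoint, prefix: str = "10.0.0.0/24") -> bool:
    net = ip_network(prefix)
    return ip_address(a.ip) in net and ip_address(b.ip) in net


if __name__ == "__main__":
    fabric, eps = build_demo_fabric()
    checks = [("web1", "db1", "tcp", 3306),     # allowed by contract
              ("db1", "web1", "tcp", 3306),     # denied: MySQL is not a consumer
              ("web1", "db1", "tcp", 22),       # denied: no filter for tcp/22
              ("web1", "web2", "tcp", 22),      # allowed: same EPG
              ("bastion", "db1", "tcp", 3306)]  # denied: Mgmt has no contract
    for s, d, p, port in checks:
        verdict = "permit" if fabric.permits(eps[s], eps[d], p, port) else "deny"
        print(f"{s} -> {d} {p}/{port}: {verdict} (same subnet: {same_subnet(eps[s], eps[d])})")
```

Two things the run makes visible: the bastion host and the database share a subnet but still cannot talk, and reversing a contract's direction (db1 to web1) is denied even on the permitted port, because contracts are consumer-to-provider.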

How do servers get into these groups? If they are physical servers, or something plugged into an existing network where we have created a VLAN trunk, then to place them in an EPG you will need to specify the switch port and the VLAN used on it. As you can see, VLANs appear where you cannot do without them.

If the servers are virtual machines, it is enough to point at the connected virtualization environment and everything happens by itself: a port group (in VMware terms) will be created to attach the VMs, the necessary VLANs or VXLANs will be allocated and registered on the required switch ports, and so on. So although ACI is built around a physical network, connecting virtual servers looks much simpler than connecting physical ones. ACI already has built-in integration with VMware and MS Hyper-V, as well as support for OpenStack and RedHat Virtualization. At some point, built-in support for container platforms also appeared: Kubernetes, OpenShift, Cloud Foundry. It covers both policy application and monitoring, so the network administrator can immediately see which hosts the pods are running on and which groups they fall into.

Besides membership in a particular port group, virtual servers have additional properties: name, attributes, and so on, which can be used as criteria for moving them to another group, say, when a VM is renamed or an additional tag appears on it. Cisco calls these micro-segmentation groups, although, in general, the design itself, with its ability to create many security segments in the form of EPGs within the same subnet, is micro-segmentation too. Well, the vendor knows best.

EPGs themselves are purely logical constructs, not tied to specific switches, servers and the like, so you can do things with them, and with the constructs built on top of them (applications and tenants), that are hard to do in ordinary networks, such as cloning. As a result, it is, say, very easy to clone a production environment to get a test environment guaranteed to be identical to production. You can do this manually, but it is better (and easier) through the API.

In general, the management logic in ACI is nothing like what you usually meet in traditional networks from the same Cisco: the software interface is primary, and the GUI or CLI are secondary, since they work through the same API. So almost everyone involved with ACI, after a while, starts to find their way around the object model used for management and automates something to suit their needs. The easiest way to do this is from Python: there are ready-made tools for it.
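As an added illustration of "the API is primary" (this is example code written for this article, not a Cisco tool and not the ready-made Python libraries the paragraph refers to), the script below builds the JSON tree that the APIC REST API accepts for a tenant with the "Web" and "MySQL" EPGs from the earlier paragraphs and a contract permitting tcp/3306 from consumer to provider, and can optionally post it. The class and attribute names (fvTenant, fvAp, fvAEPg, vzBrCP, vzSubj, vzRsSubjFiltAtt, vzFilter, vzEntry, fvRsCons, fvRsProv, the aaaLogin call and the APIC-cookie header) are APIC object-model names; the tenant, application profile, EPG names and the APIC_HOST/APIC_USER/APIC_PASS environment variables are constructed placeholders. The bridge domain and VRF the EPGs would normally reference are left out to keep the example focused on the contract.

```python
import json
import os
import urllib.request
from typing import Iterator

# Added example: APIC-style JSON for two EPGs and a tcp/3306 contract.
# Object names below are from the APIC object model; tenant/app/EPG names and
# the environment variables are constructed placeholders for this article.


def mo(cls: str, attrs: dict, children=()) -> dict:
    """One managed object in the shape the APIC REST API expects."""
    node = {"attributes": attrs}
    if children:
        node["children"] = list(children)
    return {cls: node}


def build_tenant_payload(tenant: str, app: str, consumer_epg: str,
                         provider_epg: str, port: int) -> dict:
    contract = f"{consumer_epg}-to-{provider_epg}"
    filt = f"tcp-{port}"
    return mo("fvTenant", {"name": tenant}, [
        # Filter: a single entry matching TCP to the given destination port.
        mo("vzFilter", {"name": filt}, [
            mo("vzEntry", {"name": f"tcp{port}", "etherT": "ip", "prot": "tcp",
                           "dFromPort": str(port), "dToPort": str(port)})]),
        # Contract: one subject that references the filter.
        mo("vzBrCP", {"name": contract}, [
            mo("vzSubj", {"name": "subj"}, [
                mo("vzRsSubjFiltAtt", {"tnVzFilterName": filt})])]),
        # Application profile: consumer EPG and provider EPG bound to the contract.
        mo("fvAp", {"name": app}, [
            mo("fvAEPg", {"name": consumer_epg}, [
                mo("fvRsCons", {"tnVzBrCPName": contract})]),
            mo("fvAEPg", {"name": provider_epg}, [
                mo("fvRsProv", {"tnVzBrCPName": contract})]),
        ]),
    ])


def find_objects(tree: dict, cls: str) -> Iterator[dict]:
    """Yield the attribute dict of every object of class `cls` in the tree,
    in document order; handy for checking a payload before sending it."""
    for name, node in tree.items():
        if name == cls:
            yield node["attributes"]
        for child in node.get("children", []):
            yield from find_objects(child, cls)


def post_to_apic(apic: str, user: str, pwd: str, payload: dict) -> int:
    """Log in, then POST the tree to /api/mo/uni.json; returns the HTTP status.
    TLS verification is left at the default (on). Needs a reachable APIC."""
    login = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    req = urllib.request.Request(f"https://{apic}/api/aaaLogin.json", data=login,
                                 headers={"Content-Type": "application/json"},
                                 method="POST")
    with urllib.request.urlopen(req) as resp:
        token = json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]
    req = urllib.request.Request(f"https://{apic}/api/mo/uni.json",
                                 data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json",
                                          "Cookie": f"APIC-cookie={token}"},
                                 method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    payload = build_tenant_payload("demo-tenant", "shop", "Web", "MySQL", 3306)
    print(json.dumps(payload, indent=2))
    if os.environ.get("APIC_HOST"):  # only talk to a controller when asked to
        print(post_to_apic(os.environ["APIC_HOST"], os.environ["APIC_USER"],
                           os.environ["APIC_PASS"], payload))
```

Run without APIC_HOST set, the script just prints the tree, which is the same JSON you would see in the GUI's API Inspector after clicking through the equivalent configuration; that is the point of the paragraph above: GUI, CLI and script all end up at the same API.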

The promised pitfalls

The main problem is that many things in ACI are done differently. To start working with it properly, you have to retrain. This is especially true of network operations teams at large customers, where engineers have been "configuring VLANs" on request for years. The fact that VLANs are now no longer VLANs, and that you don't need to create VLANs by hand to put new networks onto virtualized hosts, completely blows the minds of traditional networkers and makes them cling to familiar approaches. It should be noted that Cisco tried to sweeten the pill a little and added an "NXOS-like" CLI to the controller, which lets you configure from an interface similar to that of traditional switches. But even so, to start using ACI properly, you have to understand how it works.

In terms of price, at large and medium scales ACI networks don't really differ from traditional networks on Cisco equipment, because the same switches are used to build them (the Nexus 9000 can work both in ACI and in traditional mode, and is now the main "workhorse" for new data center projects). But in a data center of two switches, the presence of the controllers and the Spine-Leaf architecture do, of course, make themselves felt. Recently a Mini ACI fabric appeared, in which two of the three controllers are replaced by virtual machines. This reduces the cost difference, but it still remains. So for the customer, the choice comes down to how interested they are in the security features, the virtualization integration, a single point of management, and so on.

Source: www.habr.com
