Look at the configuration of almost any firewall and you will most likely see a long sheet of IP addresses, ports, protocols and subnets. This is how network security policies for user access to resources are usually implemented. At first people try to keep the configuration tidy, but then employees move from one department to another, servers multiply and change roles, access between different projects appears where it is normally not allowed, and hundreds of undocumented side paths emerge.
Next to some of the rules, if you are lucky, there is a comment like "Vasya asked me to do this" or "This is the passage to the DMZ". Then the network administrator quits and everything becomes completely opaque. Later someone decides to clean up Vasya's config, and SAP crashes, because Vasya once asked for that access to run production SAP.
Today I will talk about VMware NSX, a solution that helps implement network interaction and security policies precisely, without confusion in firewall configs. I will show which new features have appeared compared with what VMware had before in this area.
VMware NSX is a platform for virtualizing and securing network services. NSX handles routing, switching, load balancing and firewalling, and can do many other interesting things.
NSX succeeds VMware's vCloud Networking and Security (vCNS) product and the NVP of the acquired Nicira.
From vCNS to NSX
Previously, in a cloud built on VMware vCloud, the client had a separate vCNS vShield Edge machine. It acted as a perimeter gateway where many network functions could be configured: NAT, DHCP, firewall, VPN, load balancer, etc. Inside the network, virtual machines communicated freely within their subnets. If you really wanted to separate and control traffic, you could create a separate network for each application component (separate virtual machines) and set the appropriate rules for their interaction on the firewall. But this is long, tedious and uninteresting, especially when you have more than a handful of virtual machines.
In NSX, VMware implemented the concept of micro-segmentation using a distributed firewall built into the hypervisor kernel. It defines security and network interaction policies not only for IP and MAC addresses but also for other objects: virtual machines and applications. If NSX is used inside an organization, these objects can also be a user or a group of users from Active Directory. Each such object becomes a micro-segment inside its own security perimeter, in the required subnet, with its own cozy DMZ :).
Previously there was just one security perimeter for the whole pool of resources, protected by the edge gateway, but with NSX you can protect an individual virtual machine from unwanted interaction even within the same network.
Security and network policies stay consistent when a workload moves to another network. For example, if we move a machine with a database to another network segment, or even to another connected virtual data center, the rules written for that virtual machine keep working regardless of its new location. The application server will still be able to talk to the database.
The edge gateway itself, vCNS vShield Edge, has been replaced by NSX Edge. It has all the good features of the old Edge plus several useful new ones. Let's talk about them.
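To make the "rules follow the object" point concrete, here is an added example (not NSX code, and not from the original article) that contrasts a legacy address-based ruleset with object-based rules of the kind a distributed firewall evaluates. VM names, addresses, group names and the PostgreSQL port are all constructed for the illustration.

```python
from dataclasses import dataclass, field

# Constructed example (not NSX code): compare a legacy address-based ruleset with
# object-based rules that are resolved against group membership at evaluation time.

@dataclass
class VM:
    name: str
    ip: str
    groups: set = field(default_factory=set)

@dataclass
class IPRule:          # legacy style: endpoints are addresses
    src_ip: str
    dst_ip: str
    port: int

@dataclass
class ObjectRule:      # micro-segmentation style: endpoints are security groups
    src_group: str
    dst_group: str
    port: int

def allowed_by_ip(src: VM, dst: VM, port: int, rules) -> bool:
    """Match on the addresses the VMs currently carry; default deny."""
    return any(r.src_ip == src.ip and r.dst_ip == dst.ip and r.port == port for r in rules)

def allowed_by_object(src: VM, dst: VM, port: int, rules) -> bool:
    """Match on group membership, resolved at evaluation time; default deny."""
    return any(r.src_group in src.groups and r.dst_group in dst.groups and r.port == port
               for r in rules)

def demo():
    app = VM("app-01", "10.0.1.10", {"app-tier"})
    db = VM("db-01", "10.0.1.20", {"db-tier"})
    rogue = VM("dev-box", "10.0.1.30")       # same subnet as the database, but in no group
    ip_rules = [IPRule("10.0.1.10", "10.0.1.20", 5432)]
    obj_rules = [ObjectRule("app-tier", "db-tier", 5432)]

    results = {
        "ip_before_move": allowed_by_ip(app, db, 5432, ip_rules),
        "obj_before_move": allowed_by_object(app, db, 5432, obj_rules),
        "rogue_same_subnet": allowed_by_object(rogue, db, 5432, obj_rules),
    }
    # Move the database to another segment or virtual data center: it gets a new address.
    db.ip = "10.0.9.20"
    results["ip_after_move"] = allowed_by_ip(app, db, 5432, ip_rules)
    results["obj_after_move"] = allowed_by_object(app, db, 5432, obj_rules)
    return results
```

The address-based rule silently stops matching after the move, while the object-based rule keeps allowing the application tier and still denies the rogue VM sitting in the same subnet.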
What's new in NSX Edge?
[Figure: overview of NSX Edge functionality]
Firewall. As the objects to which rules are applied you can choose IP addresses, networks, gateway interfaces and virtual machines.
DHCP. Besides setting the range of IP addresses that will be issued automatically to the virtual machines on this network, NSX Edge now has the following functions: Bindings and Relay.
On the Bindings tab you can bind a virtual machine's MAC address to an IP address when you need that IP address not to change. The main thing is that this IP address must not be included in the DHCP pool.
On the Relay tab you configure forwarding of DHCP messages to DHCP servers located outside your organization in vCloud Director, including DHCP servers in the physical infrastructure.
Routing. vShield Edge could only be configured with static routing. Dynamic routing with the OSPF and BGP protocols has now appeared. ECMP (active-active) settings are also available, which means working failover on physical routers.
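The Bindings caveat above (a static MAC-to-IP binding must not fall inside the DHCP pool) is easy to get wrong by hand. The following added check, which is not NSX code and not from the original article, validates a set of bindings against a subnet and pool; the subnet, pool range and MAC/IP values are constructed for the example.

```python
from ipaddress import ip_address, ip_network

# Constructed example (not NSX code): verify that static MAC->IP bindings on an
# Edge-served network stay outside the DHCP pool and are otherwise usable.

def check_bindings(subnet: str, pool: tuple, bindings: dict) -> list:
    """Return (mac, ip, problem) for every binding that is invalid; [] when all are fine.

    subnet   - the network the Edge serves, e.g. "10.0.1.0/24"
    pool     - (first, last) addresses of the DHCP pool
    bindings - {mac: ip} static bindings as entered on the Bindings tab
    """
    net = ip_network(subnet)
    start, end = ip_address(pool[0]), ip_address(pool[1])
    if start > end or start not in net or end not in net:
        raise ValueError("DHCP pool must lie inside the subnet with start <= end")
    problems = []
    seen = {}                      # ip -> mac, to catch two MACs bound to one address
    for mac, ip_str in bindings.items():
        ip = ip_address(ip_str)
        if ip not in net:
            problems.append((mac, ip_str, "outside subnet"))
        elif ip in (net.network_address, net.broadcast_address):
            problems.append((mac, ip_str, "network/broadcast address"))
        elif start <= ip <= end:
            problems.append((mac, ip_str, "inside DHCP pool"))
        if ip in seen:
            problems.append((mac, ip_str, f"duplicate of {seen[ip]}"))
        seen.setdefault(ip, mac)
    return problems

def demo():
    # Constructed configuration: the pool covers .100-.200 of 10.0.1.0/24.
    bindings = {
        "00:50:56:aa:00:01": "10.0.1.10",    # fine: below the pool
        "00:50:56:aa:00:02": "10.0.1.150",   # collides with the pool
        "00:50:56:aa:00:03": "10.0.2.5",     # wrong subnet
        "00:50:56:aa:00:04": "10.0.1.10",    # same address as the first binding
    }
    return check_bindings("10.0.1.0/24", ("10.0.1.100", "10.0.1.200"), bindings)
```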
[Screenshots: configuring OSPF; configuring BGP]
Another new feature is configuring the transfer of routes between different protocols, that is, route redistribution.
L4/L7 load balancer. The X-Forwarded-For header has been introduced for HTTPS. Everyone had been complaining without it. For example, you have a website that you balance. Without forwarding this header everything works, but the web server statistics do not see the visitors' IPs, only the balancer's IP. Now all is well.
And on the Application Rules tab you can now add scripts that directly control traffic balancing.
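Once the balancer forwards X-Forwarded-For, the web server behind it has to read the header carefully: the balancer appends the connecting client's address, but anything further left was supplied by the client and can be forged. This added example (not NSX code, not from the original article) shows how the server should recover the visitor's IP; the balancer's network 10.0.1.0/24 and the request samples are constructed.

```python
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example (not NSX code): read X-Forwarded-For on a web server behind the
# balancer. Only the hop appended by a trusted balancer can be believed; addresses
# further left in the header came from the client and may be forged.

TRUSTED_PROXIES = [ip_network("10.0.1.0/24")]   # constructed: where the balancer lives

def _trusted(ip) -> bool:
    return any(ip in n for n in TRUSTED_PROXIES)

def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Return the real client address for a request.

    remote_addr - peer address of the TCP connection (the balancer, or a direct client)
    xff_header  - X-Forwarded-For value, comma separated, leftmost = original client
    """
    peer = ip_address(remote_addr)
    if not _trusted(peer) or not xff_header:
        # Direct connection, or a header nobody we trust added: use the peer address.
        return str(peer)
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk from the right, skipping our own proxies; the first untrusted address is
    # the client as the trusted balancer saw it.
    for hop in reversed(hops):
        try:
            ip = ip_address(hop)
        except ValueError:
            return str(peer)          # garbage in the header: fall back to the peer
        if not _trusted(ip):
            return str(ip)
    return str(peer)

def demo():
    # Constructed requests: (remote_addr, X-Forwarded-For)
    cases = [
        ("10.0.1.5", "198.51.100.7"),             # normal request via the balancer
        ("10.0.1.5", "1.2.3.4, 198.51.100.7"),    # client tried to spoof 1.2.3.4 in the header
        ("203.0.113.9", "1.2.3.4"),               # reached the server bypassing the balancer
        ("10.0.1.5", "junk"),                     # unparseable header
        ("10.0.1.5", None),                       # header missing
    ]
    return [client_ip(r, x) for r, x in cases]
```

The naive "take the first address" approach would log 1.2.3.4 for the second request; the walk-from-the-right approach logs the address the balancer actually saw.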
VPN. In addition to IPSec VPN, NSX Edge supports:
- L2 VPN, which lets you stretch networks between geographically dispersed sites. Such a VPN is needed, for example, so that when a virtual machine moves to another site it stays in the same subnet and keeps its IP address.
- SSL VPN Plus, which lets users connect remotely to the corporate network. At the vSphere level this function already existed, but in vCloud Director it is new.
SSL certificates. Certificates can now be installed on NSX Edge. This also settles the question of who needed a balancer without an HTTPS certificate.
Grouping objects. On this tab you define groups of objects to which particular network interaction rules are applied, for example firewall rules.
These objects can be IP and MAC addresses.
There are also lists of services (protocol-port combinations) and applications that can be used when building firewall rules. Only the vCD portal administrator can add new services and applications.
Statistics. Connection statistics: traffic passing through the gateway, the firewall and the balancer.
Status and statistics of each IPSec VPN and L2 VPN tunnel.
Logging. On the Edge Settings tab you can specify a server to collect logs. Logging works for DNAT/SNAT, DHCP, firewall, routing, the balancer, IPsec VPN and SSL VPN Plus.
The following notification levels are available for each object/service:
- Debug
- Alert
- Critical
- Error
- Warning
- Notice
- Info
NSX Edge sizing
Depending on the tasks to be solved and the volume of traffic, VMware offers NSX Edge in the following sizes:

| | NSX Edge (Compact) | NSX Edge (Large) | NSX Edge (Quad-Large) | NSX Edge (X-Large) |
|---|---|---|---|---|
| vCPU | 1 | 2 | 4 | 6 |
| Memory | 512MB | 1GB | 1GB | 8GB |
| Disk | 512MB | 512MB | 512MB | 4.5GB + 4GB |
| Purpose | Single application, test data center | Small or medium data center | Heavily loaded firewall | Load balancing at L7 |
The table below shows the performance metrics of the network services depending on the NSX Edge size.
| | NSX Edge (Compact) | NSX Edge (Large) | NSX Edge (Quad-Large) | NSX Edge (X-Large) |
|---|---|---|---|---|
| Interfaces | 10 | 10 | 10 | 10 |
| Sub-interfaces (trunk) | 200 | 200 | 200 | 200 |
| NAT rules | 2,048 | 4,096 | 4,096 | 8,192 |
| ARP entries (until overwrite) | 1,024 | 2,048 | 2,048 | 2,048 |
| FW rules | 2000 | 2000 | 2000 | 2000 |
| FW performance | 3Gbps | 9.7Gbps | 9.7Gbps | 9.7Gbps |
| DHCP pools | 20,000 | 20,000 | 20,000 | 20,000 |
| ECMP paths | 8 | 8 | 8 | 8 |
| Static routes | 2,048 | 2,048 | 2,048 | 2,048 |
| LB pools | 64 | 64 | 64 | 1,024 |
| LB virtual servers | 64 | 64 | 64 | 1,024 |
| LB servers per pool | 32 | 32 | 32 | 32 |
| LB health checks | 320 | 320 | 320 | 3,072 |
| LB application rules | 4,096 | 4,096 | 4,096 | 4,096 |
| L2VPN clients hub to spoke | 5 | 5 | 5 | 5 |
| L2VPN networks per client/server | 200 | 200 | 200 | 200 |
| IPSec tunnels | 512 | 1,600 | 4,096 | 6,000 |
| SSLVPN tunnels | 50 | 100 | 100 | 1,000 |
| SSLVPN private networks | 16 | 16 | 16 | 16 |
| Concurrent sessions | 64,000 | 1,000,000 | 1,000,000 | 1,000,000 |
| Sessions/second | 8,000 | 50,000 | 50,000 | 50,000 |
| LB throughput (L7 proxy) | | 2.2Gbps | 2.2Gbps | 3Gbps |
| LB throughput (L4 mode) | | 6Gbps | 6Gbps | 6Gbps |
| LB connections/s (L7 proxy) | | 46,000 | 50,000 | 50,000 |
| LB concurrent connections (L7 proxy) | | 8,000 | 60,000 | 60,000 |
| LB connections/s (L4 mode) | | 50,000 | 50,000 | 50,000 |
| LB concurrent connections (L4 mode) | | 600,000 | 1,000,000 | 1,000,000 |
| BGP routes | 20,000 | 50,000 | 250,000 | 250,000 |
| BGP neighbors | 10 | 20 | 100 | 100 |
| BGP routes redistributed | No limit | No limit | No limit | No limit |
| OSPF routes | 20,000 | 50,000 | 100,000 | 100,000 |
| OSPF LSA entries (max 750 Type-1) | 20,000 | 50,000 | 100,000 | 100,000 |
| OSPF adjacencies | 10 | 20 | 40 | 40 |
| OSPF routes redistributed | 2000 | 5000 | 20,000 | 20,000 |
| Total routes | 20,000 | 50,000 | 250,000 | 250,000 |

The source gives only three values for the load-balancer throughput and connection rows; they are shown here under Large, Quad-Large and X-Large, with the Compact cell left empty.
The table shows that load balancing on NSX Edge should be planned for production scenarios only starting from the Large size.
That's all I have for today. In the following parts I will go through in detail how to configure each NSX Edge network service.
Source: www.habr.com