Enterprise Network Function Virtualization Infrastructure Software
Product Information
Specifications
- NFVIS software version: 3.7.1 and later
- RPM signing and signature verification are supported
- Secure boot is available (disabled by default)
- Secure Unique Device Identification (SUDI) mechanism is used
Security Considerations
The NFVIS software ensures security through several mechanisms:
- Image Tamper Protection: RPM signing and signature verification for all RPM packages in the ISO and upgrade images.
- RPM Signing: All RPM packages in the Cisco Enterprise NFVIS ISO and upgrade images are signed to ensure cryptographic integrity and authenticity.
- RPM Signature Verification: The signature of all RPM packages is verified before installation or upgrade.
- Image Integrity Verification: The hash of the Cisco NFVIS ISO image and upgrade image is published to ensure the integrity of the additional non-RPM files.
- ENCS Secure Boot: Part of the UEFI standard, ensures that the device boots using only trusted software.
- Secure Unique Device Identification (SUDI): Provides the device with an immutable identity to verify its genuineness.
Installation
To install the NFVIS software, follow these steps:
- Verify that the software image has not been tampered with by verifying its signature and integrity.
- If you are using Cisco Enterprise NFVIS 3.7.1 and later, ensure that signature verification passes during installation. If it fails, the installation is aborted.
- If you are upgrading from Cisco Enterprise NFVIS 3.6.x to Release 3.7.1, the RPM signatures are verified during the upgrade. If the signature verification fails, an error is logged but the upgrade is completed.
- If you are upgrading from Release 3.7.1 to later releases, the RPM signatures are verified when the upgrade image is registered. If the signature verification fails, the upgrade is aborted.
- Verify the hash of the Cisco NFVIS ISO image or upgrade image using the command: /usr/bin/sha512sum <image_filepath>. Compare the hash with the published hash to verify integrity.
Secure Boot
Secure boot is a feature available on ENCS (disabled by default) that ensures the device boots using only trusted software. To enable secure boot:
- Refer to the Secure Boot of Host documentation for more information.
- Follow the instructions provided to enable secure boot on your device.
Secure Unique Device Identification (SUDI)
SUDI provides NFVIS with an immutable identity, verifying that it is a genuine Cisco product and ensuring its recognition in the customer's inventory system.
FAQ
Q: What is NFVIS?
A: NFVIS stands for Network Function Virtualization Infrastructure Software. It is a software platform used to deploy and manage virtual network functions.
Q: How can I verify the integrity of the NFVIS ISO image or upgrade image?
A: To verify the integrity, use the command /usr/bin/sha512sum <image_filepath> and compare the hash with the published hash provided by Cisco.
Q: Is secure boot enabled by default on ENCS?
A: No, secure boot is disabled by default on ENCS. It is recommended to enable secure boot for enhanced security.
Q: What is the purpose of SUDI in NFVIS?
A: SUDI provides NFVIS with a unique and immutable identity, verifying its genuineness as a Cisco product and facilitating its recognition in the customer's inventory system.
Security Considerations
This chapter describes the security features and considerations in NFVIS. It gives a high-level overview of security-related components in NFVIS to help you plan a security strategy for deployments specific to you. It also has recommendations on security best practices for enforcing the core elements of network security. The NFVIS software has security embedded right from installation through all software layers. The subsequent chapters focus on these out-of-the-box security aspects such as credential management, integrity and tamper protection, session management, secure device access and more.
· Installation
· Secure Unique Device Identification
· Device Access
· Infrastructure Management Network
· Locally Stored Information Protection
· File Transfer
· Logging
· Virtual Machine security
· VM Isolation and Resource provisioning
· Secure Development Lifecycle
Installation
To ensure that the NFVIS software has not been tampered with, the software image is verified before installation using the following mechanisms:
Image Tamper Protection
NFVIS supports RPM signing and signature verification for all RPM packages in the ISO and upgrade images.
RPM Signing
All RPM packages in the Cisco Enterprise NFVIS ISO and upgrade images are signed to ensure cryptographic integrity and authenticity. This guarantees that the RPM packages have not been tampered with and that the RPM packages are from NFVIS. The private key used for signing the RPM packages is created and securely maintained by Cisco.
RPM Signature Verification
NFVIS software verifies the signature of all the RPM packages before an installation or upgrade. The following table describes the Cisco Enterprise NFVIS behavior when the signature verification fails during an installation or upgrade.
Scenario | Description
Cisco Enterprise NFVIS 3.7.1 and later installations | If the signature verification fails while installing Cisco Enterprise NFVIS, the installation is aborted.
Cisco Enterprise NFVIS upgrade from 3.6.x to Release 3.7.1 | The RPM signatures are verified when the upgrade is being performed. If the signature verification fails, an error is logged but the upgrade is completed.
Cisco Enterprise NFVIS upgrade from Release 3.7.1 to later releases | The RPM signatures are verified when the upgrade image is registered. If the signature verification fails, the upgrade is aborted.
Image Integrity Verification
RPM signing and signature verification can be done only for the RPM packages available in the Cisco NFVIS ISO and upgrade images. To ensure the integrity of all the additional non-RPM files available in the Cisco NFVIS ISO image, a hash of the Cisco NFVIS ISO image is published along with the image. Similarly, a hash of the Cisco NFVIS upgrade image is published along with the image. To verify that the hash of the Cisco NFVIS ISO image or upgrade image matches the hash published by Cisco, run the following command and compare the hash with the published hash:
% /usr/bin/sha512sum <ImageFile>
c2122783efc18b039246ae1bcd4eec4e5e027526967b5b809da5632d462dfa6724a9b20ec318c74548c6bd7e9b8217ce96b5ece93dcdd74fda5e01bb382ad607 <ImageFile>
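The comparison can be scripted so that a truncated or mistyped published value is rejected outright instead of being reported as a mismatch. This is an added example, not Cisco tooling: the function names are hypothetical and the sample file in the demo is constructed.

```python
import hashlib
import hmac
import os
import re

# A SHA-512 digest is 64 bytes, i.e. exactly 128 hexadecimal digits.
SHA512_HEX = re.compile(r"^[0-9a-f]{128}$")


def sha512_of_file(path, chunk_size=1024 * 1024):
    """Hash the file in chunks so a multi-gigabyte ISO is never held in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def parse_published_hash(text):
    """Accept a bare digest or a sha512sum-style line ('<digest>  <file>').

    Returns the digest in lowercase; raises ValueError if the value cannot be
    a complete SHA-512 digest (for example a copy/paste that lost characters).
    """
    fields = text.strip().split()
    if not fields:
        raise ValueError("published hash is empty")
    candidate = fields[0].lower()
    if not SHA512_HEX.match(candidate):
        raise ValueError("published value is not a 128-digit SHA-512 hex digest")
    return candidate


def image_matches_published_hash(image_path, published_text):
    """True only if the image's SHA-512 equals the published digest."""
    expected = parse_published_hash(published_text)
    actual = sha512_of_file(image_path)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    import tempfile

    # Constructed stand-in for an image file so the example runs offline.
    contents = b"constructed sample image contents"
    with tempfile.NamedTemporaryFile(suffix=".iso", delete=False) as fh:
        fh.write(contents)
        sample = fh.name
    published = hashlib.sha512(contents).hexdigest() + "  " + sample
    print("match:", image_matches_published_hash(sample, published))
    os.unlink(sample)
```

Take the published value from the vendor's download page over a separate channel from the image itself; a hash stored next to a tampered image proves nothing.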
ENCS Secure Boot
Secure boot is part of the Unified Extensible Firmware Interface (UEFI) standard, which ensures that a device boots using only software that is trusted by the Original Equipment Manufacturer (OEM). When NFVIS starts, the firmware checks the signature of the boot software and the operating system. If the signatures are valid, the device boots, and the firmware gives control to the operating system.
Secure boot is available on the ENCS but is disabled by default. Cisco recommends that you enable secure boot. For more information, see Secure Boot of Host.
Secure Unique Device Identification
NFVIS uses a mechanism known as Secure Unique Device Identification (SUDI), which provides it with an immutable identity. This identity is used to verify that the device is a genuine Cisco product, and to ensure that the device is well known to the customer's inventory system.
The SUDI is an X.509v3 certificate and an associated key pair which are protected in hardware. The SUDI certificate contains the product identifier and serial number and is rooted in the Cisco Public Key Infrastructure. The key pair and the SUDI certificate are inserted into the hardware module during manufacturing, and the private key can never be exported.
The SUDI-based identity can be used to perform authenticated and automated configuration using Zero Touch Provisioning (ZTP). This enables secure, remote on-boarding of devices, and ensures that the orchestration server is talking to a genuine NFVIS device. A backend system can issue a challenge to the NFVIS device to validate its identity, and the device responds to the challenge using its SUDI-based identity. This allows the backend system not only to verify against its inventory that the right device is in the right location but also to provide encrypted configuration that can be opened only by the specific device, thereby ensuring confidentiality in transit.
The following workflow diagrams illustrate how NFVIS uses SUDI:
Figure 1: Plug and Play (PnP) Server authentication
Figure 2: Plug and Play Device Authentication and Authorization
Device Access
NFVIS provides different access mechanisms including console as well as remote access based on protocols such as HTTPS and SSH. Each access mechanism should be carefully reviewed and configured. Ensure that only the required access mechanisms are enabled and that they are properly secured. The key steps to securing both interactive and management access to NFVIS are to restrict the device accessibility, restrict the capabilities of the permitted users to what is required, and restrict the permitted methods of access. NFVIS ensures that access is granted only to authenticated users and that they can perform only the authorized actions. Device access is logged for auditing and NFVIS ensures the confidentiality of locally stored sensitive data. It is critical to establish the appropriate controls in order to prevent unauthorized access to NFVIS. The following sections describe the best practices and configurations to achieve this:
Enforced Password Change at First Login
Default credentials are a frequent source of product security incidents. Customers often forget to change the default login credentials, leaving their systems open to attack. To prevent this, the NFVIS user is forced to change the password after the first login using the default credentials (username: admin and password Admin123#). For more information, see Accessing NFVIS.
Restricting Login Vulnerabilities
You can prevent the vulnerability to dictionary and Denial of Service (DoS) attacks by using the following features.
Enforcement of Strong password
An authentication mechanism is only as strong as its credentials. For this reason, it is important to ensure users have strong passwords. NFVIS checks that a strong password is configured as per the following rules: Password must contain:
· At least one uppercase character
· At least one lowercase character
· At least one number
· At least one of these special characters: hash (#), underscore (_), hyphen (-), asterisk (*), or question mark (?)
· Seven characters or greater
· The password length should be between 7 and 128 characters.
Configuring Minimum Length for Passwords
Lack of password complexity, particularly password length, significantly reduces the search space when attackers try to guess user passwords, making brute-force attacks much easier. The admin user can configure the minimum length required for passwords of all users. The minimum length must be between 7 and 128 characters. By default, the minimum length required for passwords is set to 7 characters. CLI:
nfvis(config)# rbac authentication min-pwd-length 9
API:
/api/config/rbac/authentication/min-pwd-length
Configuring Password Lifetime
The password lifetime determines how long a password can be used before the user is required to change it.
The admin user can configure minimum and maximum lifetime values for passwords for all users and enforce a rule to check these values. The default minimum lifetime value is set to 1 day and the default maximum lifetime value is set to 60 days. When a minimum lifetime value is configured, the user cannot change the password until the specified number of days have passed. Similarly, when a maximum lifetime value is configured, a user must change the password before the specified number of days pass. If a user does not change the password and the specified number of days have passed, a notification is sent to the user.
Note The minimum and maximum lifetime values and the rule to check for these values are not applied to the admin user.
CLI:
configure terminal rbac authentication password-lifetime enforce true min-days 2 max-days 30 commit
API:
/api/config/rbac/authentication/password-lifetime/
Limit previous password reuse
Without preventing the use of previous passphrases, password expiry is largely useless since users can simply change the passphrase and then change it back to the original. NFVIS checks that the new password is not the same as one of the 5 previously used passwords. One exception to this rule is that the admin user can change the password to the default password even if it was one of the 5 previously used passwords.
Restrict Frequency of login attempts
If a remote peer is allowed to log in an unlimited number of times, it may eventually be able to guess the login credentials by brute force. Since passphrases are often easy to guess, this is a common attack. By limiting the rate at which the peer can attempt logins, we prevent this attack. We also avoid spending system resources on unnecessarily authenticating these brute-force login attempts, which could create a Denial of Service attack. NFVIS enforces a 5 minute user lockout after 10 failed login attempts.
Disable inactive user accounts
Monitoring user activity and disabling unused or stale user accounts helps to secure the system from insider attacks. The unused accounts should eventually be removed. The admin user can enforce a rule to mark unused user accounts as inactive and configure the number of days after which an unused user account is marked as inactive. Once marked as inactive, that user cannot log in to the system. To allow the user to log in to the system, the admin user can activate the user account.
Note The inactivity period and the rule to check the inactivity period are not applied to the admin user.
The following CLI and API can be used to configure the enforcement of account inactivity. CLI:
configure terminal rbac authentication account-inactivity enforce true inactivity-days 30 commit
API:
/api/config/rbac/authentication/account-inactivity/
The default value for inactivity-days is 35.
Activating an Inactive User Account
The admin user can activate the account of an inactive user using the following CLI and API: CLI:
configure terminal rbac authentication users user guest_user activate commit
API:
/api/operations/rbac/authentication/users/user/username/activate
Enforce Setting of BIOS and CIMC Passwords
Table 1: Feature History Table
Feature Name | Release Information | Description
Enforce Setting of BIOS and CIMC Passwords | NFVIS 4.7.1 | This feature enforces the user to change the default password of CIMC and BIOS.
Restrictions for Enforce Setting of BIOS and CIMC Passwords
· This feature is supported only on Cisco Catalyst 8200 UCPE and Cisco ENCS 5400 platforms.
· This feature is supported only on a fresh install of NFVIS 4.7.1 and later releases. If you upgrade from NFVIS 4.6.1 to NFVIS 4.7.1, this feature is not supported and you are not prompted to reset the BIOS and CIMC passwords, even if the BIOS and CIMC passwords are not configured.
Information About Enforce Setting of BIOS and CIMC Passwords
This feature addresses a security gap by enforcing the reset of BIOS and CIMC passwords after a fresh install of NFVIS 4.7.1. The default CIMC password is password and the default BIOS password is no password.
To fix the security gap, you are required to configure the BIOS and CIMC passwords on ENCS 5400. During a fresh install of NFVIS 4.7.1, if the BIOS and CIMC passwords have not been changed and still have the default passwords, then you are prompted to change both the BIOS and CIMC passwords. If only one of them requires reset, you are prompted to reset the password for only that component. Cisco Catalyst 8200 UCPE requires only the BIOS password and hence only the BIOS password reset is prompted, if it has not already been set.
Note If you upgrade from any previous release to NFVIS 4.7.1 or later releases, you can change the BIOS and CIMC passwords using the hostaction change-bios-password newpassword or hostaction change-cimc-password newpassword commands.
For more information about BIOS and CIMC passwords, see BIOS and CIMC Password.
Configuration Examples for Enforced Resetting of BIOS and CIMC Passwords
1. When you install NFVIS 4.7.1, you must first reset the default admin password.
Cisco Network Function Virtualization Infrastructure Software (NFVIS)
NFVIS Version: 99.99.0-1009
Copyright (c) 2015-2021 by Cisco Systems, Inc. Cisco, Cisco Systems, and Cisco Systems logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
The copyrights to certain works contained in this software are owned by other third parties and used and distributed under third party license agreements. Certain components of this software are licensed under the GNU GPL 2.0, GPL 3.0, LGPL 2.1, LGPL 3.0 and AGPL 3.0.
admin connected from 10.24.109.102 using ssh on nfvis
admin logged with default credentials
Please provide a password which satisfies the following criteria:
1.At least one lowercase character
2.At least one uppercase character
3.At least one number
4.At least one special character from # _ - * ?
5.Length should be between 7 and 128 characters
Please reset the password :
Please reenter the password :
Resetting admin password
2. On Cisco Catalyst 8200 UCPE and Cisco ENCS 5400 platforms, when you perform a fresh install of NFVIS 4.7.1 or later releases, you must change the default BIOS and CIMC passwords. If the BIOS and CIMC passwords have not been configured previously, the system prompts you to reset the BIOS and CIMC passwords for Cisco ENCS 5400 and the BIOS password for Cisco Catalyst 8200 UCPE.
New admin password is set
Please provide a BIOS password which satisfies the following criteria:
1. At least one lowercase character
2. At least one uppercase character
3 and 4 characters
5. Should not contain any of the following strings (case sensitive): bios
8. First character cannot be a #
Please reset the BIOS password :
Please reenter the BIOS password :
Please provide a CIMC password which satisfies the following criteria:
1. At least one lowercase character
2. At least one uppercase character
3. At least one number
4. At least one special character from #, @ or _
5. Length should be between 8 and 20 characters
6. Should not contain any of the following strings (case sensitive): admin
Please reset the CIMC password :
Please reenter the CIMC password :
Verify BIOS and CIMC Passwords
To verify that the BIOS and CIMC passwords were changed successfully, use the show log nfvis_config.log | include BIOS or show log nfvis_config.log | include CIMC commands:
nfvis# show log nfvis_config.log | include BIOS
2021-11-16 15:24:40,102 INFO [hostaction:/system/settings] [] BIOS password change is successful
You can also download the nfvis_config.log file and verify that the passwords were reset successfully.
Integration with external AAA servers
Users log in to NFVIS through ssh or the Web UI. In either case, users need to be authenticated. That is, a user needs to present password credentials in order to gain access.
Once a user is authenticated, all operations performed by that user need to be authorized. That is, certain users may be allowed to perform certain tasks, whereas others are not. This is called authorization.
It is recommended that a centralized AAA server be deployed to enforce per-user, AAA-based login authentication for NFVIS access. NFVIS supports the RADIUS and TACACS protocols to mediate network access. On the AAA server, only minimum access privileges should be granted to authenticated users according to their specific access requirements. This reduces the exposure to both malicious and unintentional security incidents.
For more information on external authentication, see Configuring RADIUS and Configuring a TACACS+ Server.
Authentication Cache for External Authentication Server
Feature Name | Release Information | Description
Authentication Cache for External Authentication Server | NFVIS 4.5.1 | This feature supports TACACS authentication through OTP on the NFVIS portal.
The NFVIS portal uses the same One-Time Password (OTP) for all API calls after the initial authentication. The API calls fail as soon as the OTP expires. This feature supports TACACS OTP authentication with the NFVIS portal.
After you have successfully authenticated through the TACACS server using an OTP, NFVIS creates a hash entry using the username and the OTP and stores this hash value locally. This locally stored hash value has an expiration time stamp associated with it. The time stamp has the same value as the SSH session idle timeout value, which is 15 minutes. All subsequent authentication requests with the same username are authenticated against this local hash value first. If the authentication fails with the local hash, NFVIS authenticates this request with the TACACS server and creates a new hash entry when the authentication is successful. If a hash entry already exists, its time stamp is reset to 15 minutes.
If you are removed from the TACACS server after successfully logging in to the portal, you can continue to use the portal until the hash entry in NFVIS expires.
When you explicitly log out from the NFVIS portal or are logged out due to idle time, the portal calls a new API to notify the NFVIS backend to flush the hash entry. The authentication cache and all its entries are cleared after an NFVIS reboot, factory reset, or upgrade.
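The cache behaviour described above (local check first, fallback to the external server, 15-minute timer reset on a hit, flush on logout) can be modelled as below to reason about its security properties. This is an added example, not NFVIS code: the class and method names are hypothetical, the keyed-hash construction is an assumption since the page does not say how the hash is computed, and the TACACS server in the demo is a constructed stand-in.

```python
import hashlib
import hmac
import os

IDLE_TIMEOUT_SECONDS = 15 * 60   # entry lifetime equals the 15-minute idle timeout


class AuthCache:
    def __init__(self, external_authenticate, clock):
        self._external = external_authenticate   # callable(username, otp) -> bool
        self._clock = clock                      # callable() -> seconds
        self._entries = {}                       # username -> (key, digest, expires_at)
        self.external_calls = 0                  # how often the server was consulted

    @staticmethod
    def _digest(username, otp, key):
        # Assumed construction: HMAC-SHA256 over username and OTP with a
        # random per-entry key, so the stored value is useless on its own.
        message = f"{username}\x00{otp}".encode("utf-8")
        return hmac.new(key, message, hashlib.sha256).digest()

    def authenticate(self, username, otp):
        now = self._clock()
        entry = self._entries.get(username)
        if entry is not None:
            key, digest, expires_at = entry
            if now >= expires_at:
                del self._entries[username]      # expired entries never authenticate
            elif hmac.compare_digest(self._digest(username, otp, key), digest):
                # Cache hit: reset the timer, no round trip to the server.
                self._entries[username] = (key, digest, now + IDLE_TIMEOUT_SECONDS)
                return True
        # Miss, mismatch or expiry: fall back to the external server.
        self.external_calls += 1
        if not self._external(username, otp):
            return False
        key = os.urandom(32)
        self._entries[username] = (
            key, self._digest(username, otp, key), now + IDLE_TIMEOUT_SECONDS)
        return True

    def flush(self, username):
        """Logout or idle logout: drop the user's entry."""
        self._entries.pop(username, None)

    def clear(self):
        """Reboot, factory reset or upgrade: drop every entry."""
        self._entries.clear()


if __name__ == "__main__":
    # Constructed stand-in for a TACACS server that accepts each OTP once.
    unused_otps = {("alice", "123456")}

    def fake_tacacs(username, otp):
        if (username, otp) in unused_otps:
            unused_otps.discard((username, otp))
            return True
        return False

    now = [0.0]
    cache = AuthCache(fake_tacacs, lambda: now[0])
    print("initial login:", cache.authenticate("alice", "123456"))
    now[0] = 600
    print("API call at 10 min (cache):", cache.authenticate("alice", "123456"))
    now[0] = 600 + IDLE_TIMEOUT_SECONDS
    print("after 15 idle minutes:", cache.authenticate("alice", "123456"))
    print("server consulted", cache.external_calls, "times")
```

The model makes the trade-off visible: a user removed from the external server keeps access for as long as the entry keeps being refreshed, so revocation should be paired with an explicit logout or flush.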
Role Based Access Control
Limiting network access is important to organizations that have many employees, employ contractors or permit access to third parties, such as customers and vendors. In such a scenario, it is difficult to monitor network access effectively. Instead, it is better to control what is accessible, in order to secure the sensitive data and critical applications.
Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise. RBAC lets users access just the information they need, and prevents them from accessing information that does not pertain to them.
An employee's role in the enterprise should be used to determine the permissions granted, in order to ensure that employees with lower privileges cannot access sensitive information or perform critical tasks.
The following user roles and privileges are defined in NFVIS
User Role | Privilege
Administrators | Can configure all available features and perform all tasks including changing of user roles. The administrator cannot delete basic infrastructure that is fundamental to NFVIS. The Admin user's role cannot be changed; it is always "administrators".
Operators | Can start and stop a VM, and view all information.
Auditors | They are the least privileged users. They have read-only permission and therefore cannot modify any configuration.
Benefits of RBAC
There are a number of benefits to using RBAC to restrict unnecessary network access based on people's roles within an organization, including:
· Improving operational efficiency.
Having predefined roles in RBAC makes it easy to include new users with the right privileges or switch roles of existing users. It also cuts down on the potential for error when user permissions are being assigned.
· Enhancing compliance.
Every organization must comply with local, state and federal regulations. Companies generally prefer to implement RBAC systems to meet the regulatory and statutory requirements for confidentiality and privacy because executives and IT departments can more effectively manage how the data is accessed and used. This is particularly important for financial institutions and healthcare companies that manage sensitive data.
· Reducing costs. By not allowing user access to certain processes and applications, companies may conserve or use resources such as network bandwidth, memory and storage in a cost-effective manner.
· Decreasing risk of breaches and data leakage. Implementing RBAC means restricting access to sensitive information, thus reducing the potential for data breaches or data leakage.
Best practices for role-based access control implementations
· As an administrator, determine the list of users and assign the users to the predefined roles. For example, user "networkadmin" can be created and added to the user group "administrators".
configure terminal rbac authentication users create-user name networkadmin password Test1_pass role administrators commit
Note The user groups or roles are created by the system. You cannot create or modify a user group. To change the password, use the rbac authentication users user change-password command in global configuration mode. To change the user role, use the rbac authentication users user change-role command in global configuration mode.
· Terminate accounts for users who no longer require access.
configure terminal rbac authentication users delete-user name test1
· Periodically conduct audits to evaluate the roles, the employees who are assigned to them and the access that is permitted for each role. If a user is found to have unnecessary access to a certain system, change the user's role.
For more details, see Users, Roles, and Authentication
Granular Role-Based Access Control
Starting from NFVIS 4.7.1, the Granular Role-Based Access Control feature is introduced. This feature adds a new resource group policy that manages the VM and VNF and allows you to assign users to a group to control VNF access during VNF deployment. For more information, see Granular Role-Based Access Control.
Restrict Device Accessibility
Users have repeatedly been caught unaware by attacks against features they had not protected because they did not know that those features were enabled. Unused services tend to be left with default configurations which are not always secure. These services may also be using default passwords. Some services can give an attacker easy access to information on what the server is running or how the network is set up. The following sections describe how NFVIS avoids such security risks:
Attack vector reduction
Any piece of software can potentially contain security vulnerabilities. More software means more avenues for attack. Even if there are no publicly known vulnerabilities at the time of inclusion, vulnerabilities will probably be discovered or disclosed in the future. To avoid such scenarios, only those software packages which are essential for the NFVIS functionality are installed. This helps to limit software vulnerabilities, reduce resource consumption, and reduce extra work when problems are found with those packages. All third-party software included in NFVIS is registered in a central database at Cisco so that Cisco is able to perform a company-level organized response (Legal, Security, etc). Software packages are periodically patched in every release for known Common Vulnerabilities and Exposures (CVEs).
Enabling only essential ports by default
Only those services which are absolutely necessary to set up and manage NFVIS are available by default. This removes the user effort required to configure firewalls and deny access to unnecessary services. The only services that are enabled by default are listed below along with the ports they open.
| Open Port | Service | Description |
|---|---|---|
| 22/TCP | SSH | Secure Socket Shell for remote command-line access to NFVIS |
| 80/TCP | HTTP | Hypertext Transfer Protocol for NFVIS portal access. All HTTP traffic received by NFVIS is redirected to port 443 for HTTPS |
| 443/TCP | HTTPS | Hypertext Transfer Protocol Secure for secure NFVIS portal access |
| 830/TCP | NETCONF-ssh | Port opened for the Network Configuration Protocol (NETCONF) over SSH. NETCONF is a protocol used for automated configuration of NFVIS and for receiving asynchronous event notifications from NFVIS. |
| 161/UDP | SNMP | Simple Network Management Protocol (SNMP). Used by NFVIS to communicate with remote network-monitoring applications. For more information see, Introduction about SNMP |
Restrict Access To Authorized Networks For Authorized Services
Only authorized originators should be permitted to even attempt access to device management, and access should be only to the services they are authorized to use. NFVIS can be configured such that access is restricted to known, trusted sources and expected management traffic profiles. This reduces the risk of unauthorized access and the exposure to other attacks, such as brute force, dictionary, or DoS attacks.
To protect the NFVIS management interfaces from unnecessary and potentially harmful traffic, an admin user can create Access Control Lists (ACLs) for the network traffic that is received. These ACLs specify the source IP addresses/networks from which the traffic originates, and the type of traffic that is permitted or rejected from these sources. These IP traffic filters are applied to each management interface on NFVIS. The following parameters are configured in an IP receive Access Control List (ip-receive-acl):
| Parameter | Value | Description |
|---|---|---|
| Source network/Netmask | Network/netmask. For example: 0.0.0.0/0, 172.39.162.0/24 | This field specifies the IP address/network from which the traffic originates |
| Service | https, icmp, netconf, scpd, snmp, ssh | Type of traffic from the specified source. |
| Action | accept, drop, reject | Action to be taken on the traffic from the source network. With accept, new connection attempts will be granted. With reject, connection attempts will not be accepted. If the rule is for a TCP-based service such as HTTPS, NETCONF, SCP, SSH, the source will get a TCP reset (RST) packet. For non-TCP rules such as SNMP and ICMP, the packet will be dropped. With drop, all packets will be dropped immediately, and no information is sent to the source. |
| Priority | A numeric value | The priority is used to enforce an order on the rules. Rules with a higher numeric value for priority will be added further down in the chain. If you want to make sure that a rule will be added after another one, use a low priority number for the first and a higher priority number for the following ones. |
The following sample configurations illustrate some scenarios that can be adapted for specific use cases.
Configuring the IP Receive ACL
The more restrictive an ACL, the more limited the exposure to unauthorized access attempts. However, a more restrictive ACL can create management overhead, and can impact accessibility for troubleshooting. Consequently, there is a balance to be considered. One compromise is to restrict access to internal IP addresses only. Each customer must evaluate the implementation of ACLs in relation to their own security policy, risks, exposure, and acceptance thereof.
Reject ssh traffic from a subnet:
nfvis(config)# system settings ip-receive-acl 171.70.63.0/24 service ssh action reject priority 1
Removing ACLs:
When an entry is deleted from ip-receive-acl, all configurations for that source are deleted, since the source IP address is the key. To delete just one service, configure the other services again.
nfvis(config)# no system settings ip-receive-acl 171.70.63.0/24
For more details see, Configuring the IP Receive ACL
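The priority ordering, the accept/reject/drop outcomes and the source-keyed deletion described above can be modelled offline before rules are committed. This is an added example, not Cisco's implementation: the class and function names are hypothetical, first-match-wins evaluation is an assumption, and every rule except the 171.70.63.0/24 one is constructed.

```python
"""Added example: a model of the ip-receive-acl behaviour described above."""
import ipaddress
from dataclasses import dataclass

# Services and actions named in the parameter table of this section.
TCP_SERVICES = {"https", "netconf", "scpd", "ssh"}
NON_TCP_SERVICES = {"icmp", "snmp"}
ACTIONS = {"accept", "drop", "reject"}


@dataclass(frozen=True)
class AclEntry:
    source: object        # ipaddress network object
    services: frozenset
    action: str
    priority: int


class IpReceiveAcl:
    """Entries are keyed by source network, as the section states."""

    def __init__(self):
        self._entries = {}

    def set(self, source, services, action, priority):
        services = frozenset(services)
        if services - TCP_SERVICES - NON_TCP_SERVICES or action not in ACTIONS:
            raise ValueError(f"unsupported service or action for {source}")
        net = ipaddress.ip_network(source)
        # Re-configuring a source replaces its whole entry (source is the key).
        self._entries[net] = AclEntry(net, services, action, priority)

    def delete(self, source):
        """Like 'no system settings ip-receive-acl <source>': removes every
        service configured for that source, not just one of them."""
        del self._entries[ipaddress.ip_network(source)]

    def chain(self):
        # Lower priority numbers sit earlier in the chain.
        return sorted(self._entries.values(), key=lambda e: e.priority)

    def evaluate(self, src_ip, service):
        """Return what the sender observes. ASSUMPTION: first match wins."""
        addr = ipaddress.ip_address(src_ip)
        for entry in self.chain():
            if addr in entry.source and service in entry.services:
                if entry.action == "accept":
                    return "accept"
                if entry.action == "reject" and service in TCP_SERVICES:
                    return "tcp-rst"      # reject on a TCP service sends a RST
                return "no-reply"         # drop, or reject on SNMP/ICMP
        return None  # no entry matched; default handling is not modelled

    def shadowed(self):
        """Entries that can never match because an earlier entry already
        covers the same sources and services."""
        chain, hidden = self.chain(), []
        for i, entry in enumerate(chain):
            for earlier in chain[:i]:
                if (entry.source.version == earlier.source.version
                        and entry.source.subnet_of(earlier.source)
                        and entry.services <= earlier.services):
                    hidden.append(entry)
                    break
        return hidden


def build_sample_acl():
    """Constructed rule set; only the 171.70.63.0/24 rule is from the page."""
    acl = IpReceiveAcl()
    acl.set("171.70.63.0/24", {"ssh"}, "reject", 1)
    acl.set("172.39.162.0/24", {"snmp", "icmp"}, "reject", 5)
    acl.set("0.0.0.0/0", {"https", "ssh"}, "accept", 10)
    return acl


if __name__ == "__main__":
    acl = build_sample_acl()
    for ip, svc in [("171.70.63.9", "ssh"), ("171.70.63.9", "https"),
                    ("172.39.162.4", "snmp"), ("10.1.1.1", "netconf")]:
        print(ip, svc, "->", acl.evaluate(ip, svc))
    # Misordering: a broad accept placed first hides the reject behind it.
    acl.set("0.0.0.0/0", {"https", "ssh"}, "accept", 0)
    print("shadowed:", [str(e.source) for e in acl.shadowed()])
```

The shadowing check is the part worth running against a planned rule set: a broad accept given a lower priority number than a narrow reject silently disables the reject.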
Privileged Debug Access
The super-user account on NFVIS is disabled by default, to prevent all unrestricted, potentially adverse, system-wide changes, and NFVIS does not expose the system shell to the user.
However, for some hard-to-debug issues on the NFVIS system, the Cisco Technical Assistance Center (TAC) team or the development team may require shell access to the customer's NFVIS. NFVIS has a secure unlock infrastructure to ensure that privileged debug access to a device in the field is restricted to authorized Cisco employees. To securely access the Linux shell for this kind of interactive debugging, a challenge-response authentication mechanism is used between NFVIS and the Interactive debugging server maintained by Cisco. The admin user's password is also required in addition to the challenge-response entry to ensure that the device is accessed with the customer's consent.
Steps to access the shell for Interactive Debugging:
1. An admin user initiates this procedure using this hidden command.
nfvis# system shell-access
2. The screen will show a challenge string, for example:
Challenge String (Please copy everything between the asterisk lines exclusively):
********************************************************************************
SPH//wkAAABORlZJU0VOQ1M1NDA4L0s5AQAAABt+dcx+hB0V06r9RkdMMjEzNTgw
RlHq7BxeAAA=
DONE.
********************************************************************************
3. The Cisco member enters the Challenge string on an Interactive Debug server maintained by Cisco. This server verifies that the Cisco user is authorized to debug NFVIS using the shell, and then returns a response string.
4. Enter the response string on the screen below this prompt:
Input your response when ready:
5. When prompted, the customer should enter the admin password.
6. You get shell access if the password is valid.
7. The development or TAC team uses the shell to proceed with the debugging.
8. To exit shell access, type Exit.
Secure Interfaces
NFVIS management access is allowed using the interfaces shown in the diagram. The following sections describe security best practices for these interfaces to NFVIS.
Console
The console port is an asynchronous serial port that allows you to connect to the NFVIS CLI for initial configuration. A user can access the console with either physical access to the NFVIS or remote access through the use of a terminal server. If console port access is required via a terminal server, configure access lists on the terminal server to allow access only from the required source addresses.
SSH
Users can access the NFVIS CLI by using SSH as a secure means of remote login. The integrity and confidentiality of NFVIS management traffic is essential to the security of the administered network, since administration protocols frequently carry information that could be used to penetrate or disrupt the network.
NFVIS uses SSH version 2, which is Cisco's and the Internet's de facto standard protocol for interactive logins and supports strong encryption, hash, and key exchange algorithms recommended by the Security and Trust Organization within Cisco.
CLI Session timeout
By logging in via SSH, a user establishes a session with NFVIS. If the user leaves the logged-in session unattended, this can expose the network to a security risk. Session security limits the risk of internal attacks, such as one user trying to use another user's session.
To mitigate this risk, NFVIS times out CLI sessions after 15 minutes of inactivity. When the session timeout is reached, the user is automatically logged out.
NETCONF
The Network Configuration Protocol (NETCONF) is a network management protocol developed and standardized by the IETF for the automated configuration of network devices.
The NETCONF protocol uses an Extensible Markup Language (XML) based data encoding for the configuration data as well as the protocol messages. The protocol messages are exchanged on top of a secure transport protocol.
NETCONF allows NFVIS to expose an XML-based API that the network operator can use to set and get configuration data and event notifications securely over SSH.
For more information see, NETCONF Event Notifications.
REST API
NFVIS can be configured using a RESTful API over HTTPS. The REST API allows requesting systems to access and manipulate the NFVIS configuration by using a uniform and predefined set of stateless operations. Details on all the REST APIs can be found in the NFVIS API Reference guide.
When the user issues a REST API, a session is established with NFVIS. To limit risks related to denial of service attacks, NFVIS limits the total number of concurrent REST sessions to 100.
NFVIS Web Portal
The NFVIS portal is a web-based Graphical User Interface that displays information about NFVIS. The portal presents the user with an easy means to configure and monitor NFVIS over HTTPS without having to know the NFVIS CLI and API.
Session Management
The stateless nature of HTTP and HTTPS requires a method of uniquely tracking users through the use of unique session IDs and cookies.
NFVIS encrypts the user's session. The AES-256-CBC cipher is used to encrypt the session contents with an HMAC-SHA-256 authentication tag. A random 128-bit Initialization Vector is generated for each encryption operation.
An Audit record is started when a portal session is created. Session information is deleted when the user logs out or when the session times out.
The default idle timeout for portal sessions is 15 minutes. However, this can be configured for the current session to a value between 5 and 60 minutes on the Settings page. Auto-logout will be initiated after this period. Multiple sessions are not permitted in a single browser. The maximum number of concurrent sessions is set to 30. The NFVIS portal utilizes cookies to associate data with the user. It uses the following cookie properties for enhanced security:
· ephemeral to ensure the cookie expires when the browser is closed
· httpOnly to make the cookie inaccessible from JavaScript
· secureProxy to ensure the cookie can only be sent over SSL.
Even after authentication, attacks such as Cross-Site Request Forgery (CSRF) are possible. In this scenario, an end user might inadvertently execute unwanted actions on a web application in which they are currently authenticated. To prevent this, NFVIS uses CSRF tokens to validate every REST API that is invoked during each session.
URL Redirection
In typical web servers, when a page is not found on the web server, the user gets a 404 message; for pages that exist, they get a login page. The security impact of this is that an attacker can perform a brute force scan and easily detect which pages and folders exist. To prevent this on NFVIS, all non-existent URLs prefixed with the device IP are redirected to the portal login page with a 301 status response code. This means that regardless of the URL requested by an attacker, they will always get the login page to authenticate themselves. All HTTP server requests are redirected to HTTPS and have the following headers configured:
· X-Content-Type-Options
· X-XSS-Protection
· Content-Security-Policy
· X-Frame-Options
· Strict-Transport-Security
· Cache-Control
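A captured portal response can be checked against the cookie properties, the 301 redirect and the header list described above. This is an added example, not part of the original page or of NFVIS: the function names are hypothetical, and both sample responses, including header values, host name and login path, are constructed.

```python
"""Added example: audit a captured portal response against this section."""
from email import message_from_string
from http.cookies import SimpleCookie

# Response headers this section lists as configured on the NFVIS web server.
REQUIRED_HEADERS = (
    "X-Content-Type-Options", "X-XSS-Protection", "Content-Security-Policy",
    "X-Frame-Options", "Strict-Transport-Security", "Cache-Control",
)


def parse_response(raw):
    """Split a raw HTTP response head into (status code, header mapping)."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    status_line, _, header_block = head.partition("\n")
    return int(status_line.split()[1]), message_from_string(header_block)


def audit_response(raw, probe_of_missing_url=False):
    """Return a list of findings; an empty list means every check passed."""
    status, headers = parse_response(raw)
    findings = []

    # Non-existent URLs should answer 301 to the login page, never 404,
    # so that a scan cannot tell existing paths from missing ones.
    if probe_of_missing_url:
        if status != 301:
            findings.append(f"status {status}: expected 301 redirect")
        elif not headers.get("Location"):
            findings.append("301 without a Location header")

    for name in REQUIRED_HEADERS:
        if headers.get(name) is None:
            findings.append(f"missing header: {name}")

    for value in headers.get_all("Set-Cookie", []):
        jar = SimpleCookie()
        jar.load(value)
        for name, morsel in jar.items():
            if not morsel["httponly"]:
                findings.append(f"cookie {name}: readable from JavaScript")
            if not morsel["secure"]:
                findings.append(f"cookie {name}: may be sent without TLS")
            # An ephemeral (session) cookie carries no Expires or Max-Age.
            if morsel["expires"] or morsel["max-age"]:
                findings.append(f"cookie {name}: persists after browser close")
    return findings


# Constructed sample responses: values are illustrative, not captured from
# a device; the host name and login path are placeholders.
HARDENED = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://nfvis.example/login\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Content-Security-Policy: default-src 'self'\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Strict-Transport-Security: max-age=31536000\r\n"
    "Cache-Control: no-store\r\n"
    "Set-Cookie: sessionid=c29tZXZhbHVl; Path=/; HttpOnly; Secure\r\n"
    "\r\n"
)
WEAK = (
    "HTTP/1.1 404 Not Found\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Cache-Control: no-store\r\n"
    "Set-Cookie: sessionid=c29tZXZhbHVl; Path=/; Secure; Max-Age=3600\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_response(raw, probe_of_missing_url=True))
```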
Disabling the Portal
NFVIS portal access is enabled by default. If you are not planning to use the portal, it is recommended to disable portal access using this command:
configure terminal
system portal access disabled
HTTPS
All HTTPS data to and from NFVIS uses Transport Layer Security (TLS) to communicate across the network. TLS is the successor to Secure Socket Layer (SSL).
The TLS handshake involves authentication during which the client verifies the server's SSL certificate with the certificate authority that issued it. This confirms that the server is who it says it is, and that the client is interacting with the owner of the domain. By default, NFVIS uses a self-signed certificate to prove its identity to its clients. This certificate has a 2048-bit public key to increase the security of the TLS encryption, since the encryption strength is directly related to the key size.
Certificate Management
NFVIS generates a self-signed SSL certificate when first installed. It is a security best practice to replace this certificate with a valid certificate signed by a compliant Certificate Authority (CA). Use the following steps to replace the default self-signed certificate:
1. Generate a Certificate Signing Request (CSR) on NFVIS.
A Certificate Signing Request (CSR) is a file with a block of encoded text that is given to a Certificate Authority when applying for an SSL certificate. This file contains information that should be included in the certificate, such as the organization name, common name (domain name), locality, and country. The file also contains the public key that should be included in the certificate. NFVIS uses a 2048-bit public key, since encryption strength is higher with a larger key size. To generate a CSR on NFVIS, run the following command:
nfvis# system certificate signing-request [common-name country-code locality organization organization-unit-name state]
The CSR file is saved as /data/intdatastore/download/nfvis.csr.
2. Get an SSL certificate from a CA using the CSR.
From an external host, use the scp command to download the Certificate Signing Request.
[myhost:/tmp] > scp -P 22222 admin@<NFVIS-IP>:/data/intdatastore/download/nfvis.csr <file-name>
Contact a Certificate Authority to issue a new SSL server certificate using this CSR.
3. Install the CA Signed Certificate.
From an external server, use the scp command to upload the certificate file into NFVIS to the data/intdatastore/uploads/ directory.
[myhost:/tmp] > scp -P 22222 <certificate file> admin@<NFVIS-IP>:/data/intdatastore/uploads
Install the certificate in NFVIS using the following command.
nfvis# system certificate install-cert path file:///data/intdatastore/uploads/<certificate file>
4. Switch to using the CA Signed Certificate.
Use the following command to start using the CA signed certificate instead of the default self-signed certificate.
nfvis(config)# system certificate use-cert cert-type ca-signed
SNMP Access
Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks, and for modifying that information to change device behavior.
Three significant versions of SNMP have been developed. NFVIS supports SNMP version 1, version 2c and version 3. SNMP versions 1 and 2 use community strings for authentication, and these are sent in plain text. So, it is a security best practice to use SNMP v3 instead.
SNMPv3 provides secure access to devices by using three aspects: users, authentication, and encryption. SNMPv3 uses the USM (User-based Security Module) for controlling access to information available via SNMP. The SNMP v3 user is configured with an authentication type, a privacy type, and a passphrase. All users sharing a group utilize the same SNMP version; however, the specific security level settings (password, encryption type, etc.) are specified per user.
The following table summarizes the security options within SNMP:
| Model | Level | Authentication | Encryption | Outcome |
|---|---|---|---|---|
| v1 | noAuthNoPriv | Community String | No | Uses a community string match for authentication. |
| v2c | noAuthNoPriv | Community String | No | Uses a community string match for authentication. |
| v3 | noAuthNoPriv | Username | No | Uses a username match for authentication. |
| v3 | authNoPriv | Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) | No | Provides authentication based on the HMAC-MD5-96 or HMAC-SHA-96 algorithms. |
| v3 | authPriv | MD5 or SHA | Data Encryption Standard (DES) or Advanced Encryption Standard (AES) | Provides authentication based on the HMAC-MD5-96 or HMAC-SHA-96 algorithms. Provides the DES cipher algorithm in Cipher Block Chaining Mode (CBC-DES) or the AES encryption algorithm used in Cipher FeedBack Mode (CFB), with a 128-bit key size (CFB128-AES-128) |
Since its adoption by NIST, AES has become the dominant encryption algorithm throughout the industry. To follow the industry's migration away from MD5 and toward SHA, it is a security best practice to configure the SNMP v3 authentication protocol as SHA and the privacy protocol as AES.
For more details on SNMP see, Introduction about SNMP
Legal Notification Banners
It is recommended that a legal notification banner is present on all interactive sessions to ensure that users are notified of the security policy being enforced and to which they are subject. In some jurisdictions, prosecution of an attacker who breaks into a system is easier, or required, if a legal notification banner is presented, informing unauthorized users that their use is unauthorized. In some jurisdictions, it may also be forbidden to monitor the activity of an unauthorized user unless they have been notified of the intent to do so.
Legal notification requirements are complex and vary in each jurisdiction and situation. Even within jurisdictions, legal opinions vary. Discuss this issue with your own legal counsel to ensure that the notification banner meets company, local, and international legal requirements. This is often critical to securing appropriate action in the event of a security breach. In cooperation with the company legal counsel, statements which may be included in a legal notification banner include:
· Notification that system access and use is permitted only by authorized personnel, and perhaps information about who may authorize use.
· Notification that unauthorized access and use of the system is unlawful, and may be subject to civil and/or criminal penalties.
· Notification that access and use of the system may be logged or monitored without further notice, and the resulting logs may be used as evidence in court.
· Additional specific notices required by specific local laws.
From a security rather than a legal point of view, a legal notification banner should not contain any specific information about the device, such as its name, model, software, location, operator or owner, because this kind of information may be useful to an attacker.
The following is a sample legal notification banner that can be displayed before login:
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device. Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties. All activities performed on this device are logged and monitored
Note: Present a legal notification banner approved by company legal counsel.
NFVIS allows the configuration of a banner and Message of the Day (MOTD). The banner is displayed before the user logs in. Once the user logs in to NFVIS, a system-defined banner provides Copyright information about NFVIS, and the message-of-the-day (MOTD), if configured, will appear, followed by the command line prompt or portal view, depending on the login method.
It is recommended that a login banner is implemented to ensure that a legal notification banner is presented on all device management access sessions prior to a login prompt being presented. Use this command to configure the banner and MOTD.
nfvis(config)# banner-motd banner <banner-text> motd <motd-text>
For more information about the banner command, see Configure Banner, Message of the day and System Time.
Factory Default Reset
Factory Reset removes all the customer-specific data that has been added to the device since the time of its shipping. The data erased includes configurations, log files, VM images, connectivity information, and user login credentials.
It provides one command to reset the device to factory-original settings, and is useful in the following scenarios:
· Return Material Authorization (RMA) for a device: If you have to return a device to Cisco for RMA, use Factory Default reset to remove all the customer-specific data.
· Recovering a compromised device: If the key material or credentials stored on a device are compromised, reset the device to factory configuration and then reconfigure the device.
· If the same device needs to be re-used at a different site with a new configuration, perform a Factory Default reset to remove the existing configuration and bring it to a clean state.
NFVIS provides the following options within Factory default reset:
| Factory Reset Option | Data Erased | Data Retained |
|---|---|---|
| all | All configuration, uploaded image files, VMs and logs. Connectivity to the device will be lost. | The admin account is retained and the password will be changed to the factory default password. |
| all-except-images | All configuration except image configuration, VMs, and uploaded image files. Connectivity to the device will be lost. | Image configuration, registered images and logs. The admin account is retained and the password will be changed to the factory default password. |
| all-except-images-connectivity | All configuration except image, network and connectivity configuration, VMs, and uploaded image files. Connectivity to the device is available. | Images, network and connectivity related configuration, registered images, and logs. The admin account is retained and the previously configured admin password will be preserved. |
| manufacturing | All configuration except image configuration, VMs, uploaded image files, and logs. Connectivity to the device will be lost. | Image related configuration and registered images. The admin account is retained and the password will be changed to the factory default password. |
The user must choose the appropriate option carefully based on the purpose of the Factory Default reset. For more information, see Resetting to Factory Default.
Infrastructure Management Network
An infrastructure management network refers to the network carrying the control and management plane traffic (such as NTP, SSH, SNMP, syslog, etc.) for the infrastructure devices. Device access can be through the console, as well as through the Ethernet interfaces. This control and management plane traffic is critical to network operations, providing visibility into and control over the network. Consequently, a well-designed and secure infrastructure management network is critical to the overall security and operations of a network. One of the key recommendations for a secure infrastructure management network is the separation of management and data traffic in order to ensure remote manageability even under high load and high traffic conditions. This can be achieved using a dedicated management interface.
The following are the Infrastructure Management network implementation approaches:
Out-of-band Management
An Out-of-band Management (OOB) network consists of a network which is completely independent and physically disparate from the data network that it helps to manage. This is also sometimes referred to as a Data Communications Network (DCN). Network devices may connect to the OOB network in different ways: NFVIS supports a built-in management interface that can be used to connect to the OOB network. NFVIS allows the configuration of a predefined physical interface, the MGMT port on the ENCS, as a dedicated management interface. Restricting management packets to designated interfaces provides greater control over the management of a device, thereby providing more security for that device. Other benefits include improved performance for data packets on non-management interfaces, support for network scalability, need for fewer access control lists (ACLs) to restrict access to a device, and prevention of management packet floods from reaching the CPU. Network devices can also connect to the OOB network via dedicated data interfaces. In this case, ACLs should be deployed to ensure that management traffic is only handled by the dedicated interfaces. For further information, see Configuring the IP Receive ACL and Port 22222 and Management Interface ACL.
Pseudo out-of-band Management
A pseudo out-of-band management network uses the same physical infrastructure as the data network but provides logical separation through the virtual separation of traffic, by using VLANs. NFVIS supports creating VLANs and virtual bridges to help identify different sources of traffic and separate traffic between VMs. Having separate bridges and VLANs isolates the virtual machine network's data traffic and the management network, thus providing traffic segmentation between the VMs and the host. For further information, see Configuring VLAN for NFVIS Management Traffic.
In-band Management
An in-band management network uses the same physical and logical paths as the data traffic. Ultimately, this network design requires a per-customer analysis of risk versus benefits and costs. Some general considerations include:
· An isolated OOB management network maximizes visibility and control over the network even during disruptive events.
· Transmitting network telemetry over an OOB network minimizes the chance of disruption of the very information which provides critical network visibility.
· In-band management access to network infrastructure, hosts, etc. Appropriate QoS controls should be put in place to mitigate this occurrence.
· NFVIS features interfaces which are dedicated to device management, including serial console ports and Ethernet management interfaces.
· An OOB management network can typically be deployed at a reasonable cost, since management network traffic does not typically demand high bandwidth or high performance devices, and only requires sufficient port density to support the connectivity to each infrastructure device.
Locally Stored Information Protection
Protecting Sensitive Information
NFVIS stores sensitive information locally, including passwords and secrets. Passwords should be maintained and controlled by a centralized AAA server. However, even if a centralized AAA server is deployed, some locally stored passwords are required for certain cases such as local fallback when the AAA servers are not available, special-use usernames, etc.
information is stored on NFVIS as hashes so that it is not possible to recover the original credentials from the system. Hashing is a widely accepted industry norm.
File Transfer
Files which may need to be transferred to NFVIS devices include VM image and NFVIS upgrade files. The secure transfer of files is critical for network infrastructure security. NFVIS supports Secure Copy (SCP) to ensure the security of file transfer. SCP relies on SSH for secure authentication and transport, enabling the secure and authenticated copying of files.
A secure copy from NFVIS is initiated through the scp command. The secure copy (scp) command allows only the admin user to securely copy files from NFVIS to an external system, or from an external system to NFVIS.
The syntax for the scp command is:
scp <source> <destination>
We use port 22222 for the NFVIS SCP server. By default, this port is closed and users cannot secure copy files into NFVIS from an external client. If there is a need to SCP a file from an external client, the user can open the port using:
system settings ip-receive-acl (address)/(mask length) service scpd priority (number) action accept
commit
To prevent users from accessing system directories, secure copy can be performed only to or from intdatastore:, extdatastore1:, extdatastore2:, usb: and nfs:, if available. Secure copy can also be performed from log: and techsupport:
Logging
NFVIS access and configuration changes are logged as audit logs to record the following information:
· Who accessed the device
· When did a user log in
· What did a user do in terms of the host configuration and the VM lifecycle
· When did a user log off
· Failed access attempts
· Failed authentication requests
· Failed authorization requests
This information is invaluable for forensic analysis in case of unauthorized attempts or access, as well as for configuration change issues and to help plan group administration changes. It may also be used in real time to identify anomalous activities which may indicate that an attack is taking place. This analysis can be correlated with information from additional external sources, such as IDS and firewall logs.
All the key events on NFVIS are sent as event notifications to NETCONF subscribers and as syslogs to the central logging server. For more information on syslog messages and event notifications, see the Appendix.
Virtual Machine Security
This section describes security features related to the registration, deployment and operation of Virtual Machines on NFVIS.
VNF secure boot
NFVIS supports Open Virtual Machine Firmware (OVMF) to enable UEFI secure boot for Virtual Machines that support secure boot. VNF Secure boot verifies that each layer of the VM boot software is signed, including the bootloader, the operating system kernel, and the operating system drivers.
For more information, see Secure Boot of VNFs.
VNC Console Access Protection
NFVIS allows the user to create a Virtual Network Computing (VNC) session to access a deployed VM's remote desktop. To enable this, NFVIS dynamically opens a port to which the user can connect using their web browser. This port is left open for only 60 seconds for an external server to start a session to the VM. If no activity is seen within this time, the port is closed. The port number is assigned dynamically and thereby allows only one-time access to the VNC console.
nfvis# vncconsole start deployment-name 1510614035 vm-name ROUTER vncconsole-url :6005/vnc_auto.html
Pointing your browser to https:// :6005/vnc_auto.html will connect to the ROUTER VM's VNC console.
Encrypted VM config data variables
During VM deployment, the user provides a day-0 configuration file for the VM. This file can contain sensitive information such as passwords and keys. If this information is passed as clear text, it appears in log files and internal database records in clear text. This feature allows the user to flag a config data variable as sensitive so that its value is encrypted using AES-CFB-128 encryption before it is stored or passed to internal subsystems.
For more information, see VM Deployment Parameters.
Checksum verification for Remote Image Registration
To register a remotely located VNF image, the user specifies its location. The image will need to be downloaded from an external source, such as an NFS server or a remote HTTPS server.
To know whether a downloaded file is safe to install, it is essential to compare the file's checksum before using it. Verifying the checksum helps ensure that the file was not corrupted during network transmission, or modified by a malicious third party before you downloaded it.
NFVIS supports the checksum and checksum_algorithm options, with which the user provides the expected checksum and the checksum algorithm (SHA256 or SHA512) used to verify the checksum of the downloaded image. Image creation fails if the checksum does not match.
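The check described above can be reproduced on an operator workstation before the checksum value is handed to NFVIS. The following is an added example, not NFVIS code: the function names, the file name and the sample image bytes are constructed for illustration, and only the option names checksum and checksum_algorithm and the two algorithms come from this page.

```python
import hashlib
import hmac
import os
import tempfile

# The two values the page lists for checksum_algorithm, with hex digest length.
SUPPORTED = {"SHA256": 64, "SHA512": 128}

class ChecksumMismatch(Exception):
    """The downloaded image does not match the expected checksum."""

def verify_image(path, checksum, checksum_algorithm, chunk_size=1 << 20):
    """Return the computed hex digest if it matches, otherwise raise."""
    algo = checksum_algorithm.upper()
    if algo not in SUPPORTED:
        raise ValueError(f"unsupported checksum_algorithm: {checksum_algorithm}")
    expected = checksum.strip().lower()
    # A SHA256 value supplied with checksum_algorithm=SHA512 is an operator
    # error, not a tampered image: reject it before hashing anything.
    if len(expected) != SUPPORTED[algo] or any(c not in "0123456789abcdef" for c in expected):
        raise ValueError(f"checksum is not a valid {algo} hex digest")
    h = hashlib.new(algo.lower())
    with open(path, "rb") as f:  # stream: VM images are too large to read at once
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    actual = h.hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ChecksumMismatch(f"{algo} mismatch for {path}")
    return actual

def demo():
    """Constructed sample: a small stand-in image, then a modified copy."""
    data = b"constructed sample image bytes" * 1000
    with tempfile.TemporaryDirectory() as d:
        img = os.path.join(d, "vnf.img")  # hypothetical file name
        with open(img, "wb") as f:
            f.write(data)
        good = hashlib.sha512(data).hexdigest()
        matched = verify_image(img, good, "SHA512") == good
        with open(img, "ab") as f:  # simulate modification in transit
            f.write(b"\x00")
        try:
            verify_image(img, good, "SHA512")
            rejected = False
        except ChecksumMismatch:
            rejected = True
        return matched, rejected
```

The expected value should come from the image publisher over a channel separate from the download itself; a checksum fetched from the same server as the image only detects corruption.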
Certificate Validation for Remote Image Registration
To register a VNF image located on an HTTPS server, the image will need to be downloaded from the remote HTTPS server. To download this image securely, NFVIS verifies the SSL certificate of the server. The user needs to specify either the path to the certificate file or the PEM format certificate contents to enable this secure download.
More details can be found in the Certificate validation for image registration section.
VM Isolation and Resource provisioning
The Network Function Virtualization (NFV) architecture consists of:
· Virtualized network functions (VNFs), which are Virtual Machines running software applications that deliver network functionality such as a router, firewall, load balancer, and so on.
· Network functions virtualization infrastructure, which consists of the infrastructure components (compute, memory, storage, and networking) on a platform that supports the required software and hypervisor.
With NFV, network functions are virtualized so that multiple functions can run on a single server. As a result, less physical hardware is needed, allowing for resource consolidation. In this environment, it is essential to simulate dedicated resources for multiple VNFs from a single physical hardware system. Using NFVIS, VMs can be deployed in a controlled manner such that each VM receives the resources it needs. Resources are partitioned as needed from the physical environment to the many virtual environments. The individual VM domains are isolated so that they are separate, distinct, and secure environments that do not contend with each other for shared resources.
VMs cannot use more resources than provisioned. This avoids a Denial of Service condition in which one VM consumes the resources. As a result, CPU, memory, network and storage are protected.
CPU Isolation
The NFVIS system reserves cores for the infrastructure software running on the host. The rest of the cores are available for VM deployment. This guarantees that VM performance does not affect the performance of the NFVIS host.
Low-latency VMs
NFVIS explicitly assigns dedicated cores to the low-latency VMs that are deployed on it. If the VM requires 2 vCPUs, it is assigned 2 dedicated cores. This prevents sharing and oversubscription of cores and guarantees the performance of the low-latency VMs. If the number of available cores is less than the number of vCPUs requested by another low-latency VM, the deployment is prevented because there are not sufficient resources.
Non low-latency VMs
NFVIS assigns shareable CPUs to non low-latency VMs. If the VM requires 2 vCPUs, it is assigned 2 CPUs. These 2 CPUs are shareable among other non low-latency VMs. If the number of available CPUs is less than the number of vCPUs requested by another non low-latency VM, the deployment is still allowed because this VM will share the CPU with existing non low-latency VMs.
Memory Allocation
The NFVIS infrastructure requires a certain amount of memory. When a VM is deployed, there is a check to ensure that the memory available, after reserving the memory required for the infrastructure and for previously deployed VMs, is sufficient for the new VM. Memory oversubscription is not allowed for the VMs.
VMs are not allowed to directly access the host file system and storage.
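The CPU and memory admission rules described above, modelled as an added example that is not NFVIS code. The class and function names, the host size (8 cores, 16384 MB), the reserved amounts and the VM names other than ROUTER are assumptions constructed for illustration, and the mapping of shareable vCPUs onto physical cores is not modelled.

```python
from dataclasses import dataclass, field

class InsufficientResources(Exception):
    """Deployment refused because it would oversubscribe the host."""

@dataclass
class Host:
    total_cores: int
    reserved_cores: int      # cores kept for the infrastructure software
    total_mem_mb: int
    reserved_mem_mb: int     # memory kept for the infrastructure
    dedicated: dict = field(default_factory=dict)  # VM -> pinned core ids
    shared: dict = field(default_factory=dict)     # VM -> vCPU count
    mem: dict = field(default_factory=dict)        # VM -> MB

    def free_cores(self):
        used = {c for cores in self.dedicated.values() for c in cores}
        return [c for c in range(self.reserved_cores, self.total_cores) if c not in used]

    def free_mem_mb(self):
        return self.total_mem_mb - self.reserved_mem_mb - sum(self.mem.values())

    def deploy(self, name, vcpus, mem_mb, low_latency):
        if mem_mb > self.free_mem_mb():          # memory is never oversubscribed
            raise InsufficientResources(f"{name}: memory")
        if low_latency:
            free = self.free_cores()
            if vcpus > len(free):                # dedicated cores are never shared
                raise InsufficientResources(f"{name}: cores")
            self.dedicated[name] = free[:vcpus]
        else:
            self.shared[name] = vcpus            # shareable CPUs: always admitted
        self.mem[name] = mem_mb

def demo():
    host = Host(total_cores=8, reserved_cores=2, total_mem_mb=16384, reserved_mem_mb=4096)
    requests = [  # constructed: (name, vCPUs, MB, low_latency)
        ("ROUTER", 2, 4096, True), ("FW", 2, 2048, True), ("IPS", 4, 1024, True),
        ("MON", 4, 2048, False), ("LOG", 4, 2048, False), ("BIG", 1, 4096, False),
    ]
    outcome = {}
    for name, vcpus, mem_mb, low_latency in requests:
        try:
            host.deploy(name, vcpus, mem_mb, low_latency)
            outcome[name] = True
        except InsufficientResources:
            outcome[name] = False
    return host, outcome
```

In this run IPS is refused for lack of dedicated cores, MON and LOG are both admitted although they request more vCPUs between them than there are cores left, and BIG is refused on memory alone.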
Storage Isolation
The ENCS platform supports an internal datastore (M2 SSD) and external disks. NFVIS is installed on the internal datastore. VNFs can also be deployed on this internal datastore. It is a security best practice to store customer data and to deploy customer application Virtual Machines on the external disks. Having physically separate disks for the system files and the application files helps protect system data from corruption and security issues.
Interface Isolation
Single Root I/O Virtualization, or SR-IOV, is a specification that allows the isolation of PCI Express (PCIe) resources such as an Ethernet port. Using SR-IOV, a single Ethernet port can be made to appear as multiple, separate, physical devices known as Virtual Functions. All of the VF devices on that adapter share the same physical network port. A guest can use one or more of these Virtual Functions. A Virtual Function appears to the guest as a network card, in the same way as a normal network card would appear to an operating system. Virtual Functions have near-native performance and perform better than para-virtualized drivers and emulated access. Virtual Functions provide data protection between guests on the same physical server because the data is managed and controlled by the hardware. NFVIS VNFs can use SR-IOV networks to connect to WAN and LAN Backplane ports.
Each such VM owns a virtual interface and its related resources, achieving data protection among VMs.
Secure Development Lifecycle
NFVIS follows a Secure Development Lifecycle (SDL) for software. This is a repeatable, measurable process designed to reduce vulnerabilities and enhance the security and resilience of Cisco solutions. Cisco SDL applies industry-leading practices and technology to build trustworthy solutions that have fewer field-discovered product security incidents. Every NFVIS release goes through the following processes.
· Following Cisco-internal and market-based Product Security Requirements
· Registering third-party software with a central repository at Cisco for vulnerability tracking
· Periodically patching software with known fixes for CVEs
· Designing software with security in mind
· Following secure coding practices such as using vetted common security modules like CiscoSSL, running Static Analysis and implementing input validation to prevent command injection, and so on
· Using Application Security tools such as IBM AppScan, Nessus, and other Cisco internal tools
Documents / Resources
CISCO Enterprise Network Function Virtualization Infrastructure Software [pdf] User Guide: Enterprise Network Function Virtualization Infrastructure Software, Enterprise, Network Function Virtualization Infrastructure Software, Virtualization Infrastructure Software, Infrastructure Software.