Network Function Virtualization Infrastructure Software

Product Information

Specifications

  • NFVIS software version: 3.7.1 and later
  • RPM signing and signature verification are supported
  • Secure boot is available (disabled by default)
  • The Secure Unique Device Identification (SUDI) mechanism is used

Security Considerations

The NFVIS software ensures security through several
mechanisms:

  • Image Tamper Protection: RPM signing and signature verification
    for all RPM packages in the ISO and upgrade images.
  • RPM Signing: All RPM packages in the Cisco Enterprise NFVIS ISO
    and upgrade images are signed to ensure cryptographic integrity and
    authenticity.
  • RPM Signature Verification: The signature of all RPM packages is
    verified before installation or upgrade.
  • Image Integrity Verification: The hash of the Cisco NFVIS ISO image
    and upgrade image is published to ensure the integrity of the
    additional non-RPM files.
  • ENCS Secure Boot: Part of the UEFI standard; ensures that the
    device boots only using trusted software.
  • Secure Unique Device Identification (SUDI): Provides the device
    with an immutable identity to verify its genuineness.

Installation

To install the NFVIS software, follow these steps:

  1. Ensure that the software image has not been tampered with by
    verifying its signature and integrity.
  2. If using Cisco Enterprise NFVIS 3.7.1 and later, ensure that
    signature verification passes during installation. If it fails,
    the installation is aborted.
  3. If upgrading from Cisco Enterprise NFVIS 3.6.x to Release
    3.7.1, the RPM signatures are verified during the upgrade. If the
    signature verification fails, an error is logged but the upgrade is
    completed.
  4. If upgrading from Release 3.7.1 to later releases, the RPM
    signatures are verified when the upgrade image is registered. If
    the signature verification fails, the upgrade is aborted.
  5. Verify the hash of the Cisco NFVIS ISO image or upgrade image
    using the command /usr/bin/sha512sum <image_filepath>, then
    compare the hash with the published hash to verify integrity.

Secure Boot

Secure boot is a feature available on ENCS (disabled by default)
that ensures the device boots only using trusted software. To
enable secure boot:

  1. Refer to the documentation on Secure Boot of Host for more
    information.
  2. Follow the instructions provided to enable secure boot on your
    device.

Secure Unique Device Identification (SUDI)

SUDI provides NFVIS with an immutable identity, verifying that
it is a genuine Cisco product and ensuring its recognition in the
customer's inventory system.

FAQ

Q: What is NFVIS?

A: NFVIS stands for Network Function Virtualization Infrastructure
Software. It is a software platform used to deploy
and manage virtual network functions.

Q: How can I verify the integrity of the NFVIS ISO image or
upgrade image?

A: To verify integrity, use the command
/usr/bin/sha512sum <image_filepath> and compare the
hash with the published hash provided by Cisco.

Q: Is secure boot enabled by default on ENCS?

A: No, secure boot is disabled by default on ENCS. It is
recommended to enable secure boot for enhanced security.

Q: What is the purpose of SUDI in NFVIS?

A: SUDI provides NFVIS with a unique and immutable identity,
verifying its genuineness as a Cisco product and facilitating its
recognition in the customer's inventory system.

Security Considerations
This chapter describes the security features and considerations in NFVIS. It gives a high-level overview of the security-related components in NFVIS so that you can plan a security strategy for your specific deployment. It also has recommendations on security best practices for enforcing the core elements of network security. The NFVIS software has security embedded right from installation through all software layers. The subsequent chapters focus on these out-of-the-box security aspects such as credential management, integrity and tamper protection, session management, secure device access and more.

· Installation
· Secure Unique Device Identification
· Device Access
· Infrastructure Management Network
· Locally Stored Information Protection
· File Transfer
· Logging
· Virtual Machine Security
· VM Isolation and Resource Provisioning
· Secure Development Lifecycle

Installation
To ensure that the NFVIS software has not been tampered with, the software image is verified before installation using the following mechanisms:

Image Tamper Protection
NFVIS supports RPM signing and signature verification for all RPM packages in the ISO and upgrade images.

RPM Signing

All RPM packages in the Cisco Enterprise NFVIS ISO and upgrade images are signed to ensure cryptographic integrity and authenticity. This guarantees that the RPM packages have not been tampered with and that the RPM packages are from NFVIS. The private key used for signing the RPM packages is created and securely maintained by Cisco.

RPM Signature Verification

The NFVIS software verifies the signature of all RPM packages before an installation or upgrade. The following table describes the Cisco Enterprise NFVIS behavior when the signature verification fails during an installation or upgrade.

| Scenario | Description |
|---|---|
| Cisco Enterprise NFVIS 3.7.1 and later installations | If the signature verification fails while installing Cisco Enterprise NFVIS, the installation is aborted. |
| Cisco Enterprise NFVIS upgrade from 3.6.x to Release 3.7.1 | The RPM signatures are verified when the upgrade is being performed. If the signature verification fails, an error is logged but the upgrade is completed. |
| Cisco Enterprise NFVIS upgrade from Release 3.7.1 to later releases | The RPM signatures are verified when the upgrade image is registered. If the signature verification fails, the upgrade is aborted. |

Image Integrity Verification
RPM signing and signature verification can be done for the RPM packages available in the Cisco NFVIS ISO and upgrade images. To ensure the integrity of all the additional non-RPM files available in the Cisco NFVIS ISO image, a hash of the Cisco NFVIS ISO image is published along with the image. Similarly, a hash of the Cisco NFVIS upgrade image is published along with the image. To verify that the hash of the Cisco NFVIS ISO image or upgrade image matches the hash published by Cisco, run the following command and compare the hash with the published hash:
% /usr/bin/sha512sum <ImageFile>
c2122783efc18b039246ae1bcd4eec4e5e027526967b5b809da5632d462dfa6724a9b20ec318c74548c6bd7e9b8217ce96b5ece93dcdd74fda5e01bb382ad607 <ImageFile>
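The comparison step above can be scripted so that a truncated or mistyped published value fails instead of being compared by eye. This is an added example, not Cisco tooling or code from the original page; the function names and the accepted input formats (a bare digest or a sha512sum output line) are assumptions of the example.

```python
import hashlib
import hmac
import os
import re
import tempfile

SHA512_HEX = re.compile(r"[0-9a-f]{128}")


def parse_published_hash(text):
    """Return the lowercase digest from a bare hash or a sha512sum output line.

    Raises ValueError for anything that is not a full 128-hex-digit SHA-512
    value, so a truncated copy-paste fails loudly instead of comparing short.
    """
    fields = text.split()
    token = fields[0].lower() if fields else ""
    if not SHA512_HEX.fullmatch(token):
        raise ValueError("published value is not a 128-hex-digit SHA-512 digest")
    return token


def sha512_of_file(path, chunk_size=1024 * 1024):
    """Hash the file in chunks so a multi-gigabyte ISO is never held in memory."""
    digest = hashlib.sha512()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_image(path, published):
    """True only when the file's SHA-512 equals the published digest."""
    expected = parse_published_hash(published)
    return hmac.compare_digest(sha512_of_file(path), expected)


def demo():
    """Constructed stand-in for an image: temp files, no real ISO needed."""
    # SHA-512 test vector for b"abc", laid out as a sha512sum output line.
    published = (
        "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
        "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"
        "  image.iso"
    )
    results = []
    for content in (b"abc", b"abd"):  # the second file differs by one byte
        with tempfile.NamedTemporaryFile(delete=False) as handle:
            handle.write(content)
        try:
            results.append(verify_image(handle.name, published))
        finally:
            os.unlink(handle.name)
    return tuple(results)


if __name__ == "__main__":
    print(demo())
```

In practice `published` is the value Cisco publishes alongside the image, obtained separately from the image file itself.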
ENCS Secure Boot
Secure boot is part of the Unified Extensible Firmware Interface (UEFI) standard, which ensures that a device boots only using software that is trusted by the Original Equipment Manufacturer (OEM). When NFVIS starts, the firmware checks the signature of the boot software and the operating system. If the signatures are valid, the device boots, and the firmware gives control to the operating system.
Secure boot is available on the ENCS but is disabled by default. Cisco recommends that you enable secure boot. For more information, see Secure Boot of Host.
Secure Unique Device Identification
NFVIS uses a mechanism known as Secure Unique Device Identification (SUDI), which provides it with an immutable identity. This identity is used to verify that the device is a genuine Cisco product, and to ensure that the device is well known to the customer's inventory system.
The SUDI is an X.509v3 certificate and an associated key pair which are protected in hardware. The SUDI certificate contains the product identifier and serial number and is rooted in the Cisco Public Key Infrastructure. The key pair and the SUDI certificate are inserted into the hardware module during manufacturing, and the private key can never be exported.
The SUDI-based identity can be used to perform authenticated and automated configuration using Zero Touch Provisioning (ZTP). This enables secure, remote onboarding of devices, and ensures that the orchestration server is talking to a genuine NFVIS device. A backend system can issue a challenge to the NFVIS device to validate its identity, and the device responds to the challenge using its SUDI-based identity. This allows the backend system not only to verify against its inventory that the right device is in the right location, but also to provide encrypted configuration that can only be opened by the specific device, thereby ensuring confidentiality in transit.
The following workflow diagrams illustrate how NFVIS uses SUDI:

Figure 1: Plug and Play (PnP) Server Authentication

Figure 2: Plug and Play Device Authentication and Authorization

Device Access
NFVIS provides different access mechanisms, including console access as well as remote access based on protocols such as HTTPS and SSH. Each access mechanism should be carefully reviewed and configured. Ensure that only the required access mechanisms are enabled and that they are properly secured. The key steps to securing both interactive and management access to NFVIS are to restrict the device accessibility, restrict the capabilities of the permitted users to what is required, and restrict the permitted methods of access. NFVIS ensures that access is granted only to authenticated users and that they can perform only the authorized actions. Device access is logged for auditing, and NFVIS ensures the confidentiality of locally stored sensitive data. It is critical to establish the appropriate controls in order to prevent unauthorized access to NFVIS. The following sections describe the best practices and configurations to achieve this:
Enforced Password Change at First Login
Default credentials are a frequent source of product security incidents. Customers often forget to change the default login credentials, leaving their systems open to attack. To prevent this, the NFVIS user is forced to change the password after the first login using the default credentials (username: admin and password Admin123#). For more information, see Accessing NFVIS.
Restricting Login Vulnerabilities
You can prevent the vulnerability to dictionary and Denial of Service (DoS) attacks by using the following features.
Enforcement of Strong Password
An authentication mechanism is only as strong as its credentials. For this reason, it is important to ensure users have strong passwords. NFVIS checks that a strong password is configured as per the following rules. The password must contain:
· At least one uppercase character
· At least one lowercase character
· At least one number
· At least one of these special characters: hash (#), underscore (_), hyphen (-), asterisk (*), or question mark (?)
· Seven characters or greater
· The password length should be between 7 and 128 characters.
Configuring Minimum Length for Passwords
Lack of password complexity, particularly password length, significantly reduces the search space when attackers try to guess user passwords, which makes the attack much easier. The admin user can configure the minimum length required for the passwords of all users. The minimum length must be between 7 and 128 characters. By default, the minimum length required for passwords is set to 7 characters.
CLI:
nfvis(config)# rbac authentication min-pwd-length 9
API:
/api/config/rbac/authentication/min-pwd-length
Configuring Password Lifetime
The password lifetime determines how long a password can be used before the user is required to change it.
The admin user can configure minimum and maximum lifetime values for passwords for all users and enforce a rule to check these values. By default, the minimum lifetime value is set to 1 day and the maximum lifetime value is set to 60 days. When a minimum lifetime value is configured, the user cannot change the password until the specified number of days have passed. Similarly, when a maximum lifetime value is configured, a user must change the password before the specified number of days pass. If a user does not change the password and the specified number of days have passed, a notification is sent to the user.
Note The minimum and maximum lifetime values and the rule to check for these values are not applied to the admin user.
CLI:
configure terminal
rbac authentication password-lifetime enforce true min-days 2 max-days 30
API:
/api/config/rbac/authentication/password-lifetime/
Limit Previous Password Reuse
Without preventing the use of previous passwords, password expiry is largely useless, since users can simply change the password and then change it back to the original. NFVIS checks that the new password is not the same as one of the 5 previously used passwords. One exception to this rule is that the admin user can change the password to the default password even if it was one of the 5 previously used passwords.
Restrict Frequency of Login Attempts
If a remote peer is allowed to log in an unlimited number of times, it may eventually be able to guess the login credentials by brute force. Since passwords are often easy to guess, this is a common attack. By limiting the rate at which the peer can attempt logins, we prevent this attack. We also avoid spending system resources on unnecessarily authenticating these brute-force login attempts, which could create a Denial of Service attack. NFVIS enforces a 5 minute user lockout after 10 failed login attempts.
Disable Inactive User Accounts
Monitoring user activity and disabling unused or stale user accounts helps to secure the system from insider attacks. The unused accounts should eventually be removed. The admin user can enforce a rule to mark unused user accounts as inactive and configure the number of days after which an unused user account is marked as inactive. Once marked as inactive, that user cannot log in to the system. To allow the user to log in to the system, the admin user can activate the user account.
Note The inactivity period and the rule to check the inactivity period are not applied to the admin user.

The following CLI and API can be used to configure the enforcement of account inactivity.
CLI:
configure terminal
rbac authentication account-inactivity enforce true inactivity-days 30
API:
/api/config/rbac/authentication/account-inactivity/
The default value for inactivity-days is 35.
Activating an Inactive User Account
The admin user can activate the account of an inactive user using the following CLI and API:
CLI:
configure terminal
rbac authentication users user guest_user activate
commit
API:
/api/operations/rbac/authentication/users/user/username/activate

Enforce Setting of BIOS and CIMC Passwords

Table 1: Feature History Table

| Feature Name | Release Information | Description |
|---|---|---|
| Enforce Setting of BIOS and CIMC Passwords | NFVIS 4.7.1 | This feature enforces the user to change the default password for CIMC and BIOS. |

Restrictions for Enforcing Setting of BIOS and CIMC Passwords
This feature is only supported on Cisco Catalyst 8200 UCPE and Cisco ENCS 5400 platforms.
This feature is only supported on a fresh install of NFVIS 4.7.1 and later releases. If you upgrade from NFVIS 4.6.1 to NFVIS 4.7.1, this feature is not supported and you are not prompted to reset the BIOS and CIMC passwords, even if the BIOS and CIMC passwords are not configured.

Information About Enforcing Setting of BIOS and CIMC Passwords
This feature addresses a security gap by enforcing the reset of the BIOS and CIMC passwords after a fresh install of NFVIS 4.7.1. The default CIMC password is password and the default BIOS password is no password.
To fix the security gap, you are required to configure the BIOS and CIMC passwords in ENCS 5400. During a fresh install of NFVIS 4.7.1, if the BIOS and CIMC passwords have not been changed and still have the default passwords, you are prompted to change both the BIOS and CIMC passwords. If only one of them requires a reset, you are prompted to reset the password for only that component. Cisco Catalyst 8200 UCPE requires only the BIOS password, and hence only the BIOS password reset is prompted, if it has not already been set.
Note If you upgrade from any previous release to NFVIS 4.7.1 or later releases, you can change the BIOS and CIMC passwords using the hostaction change-bios-password newpassword or hostaction change-cimc-password newpassword commands.
For more information about BIOS and CIMC passwords, see BIOS and CIMC Password.
Configuration Examples for Enforced Resetting of BIOS and CIMC Passwords
1. When you install NFVIS 4.7.1, you must first reset the default admin password.
Cisco Network Function Virtualization Infrastructure Software (NFVIS)
NFVIS Version: 99.99.0-1009
Copyright (c) 2015-2021 by Cisco Systems, Inc. Cisco, Cisco Systems, and Cisco Systems logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
The copyrights to certain works contained in this software are owned by other third parties and used and distributed under third party license agreements. Certain components of this software are licensed under the GNU GPL 2.0, GPL 3.0, LGPL 2.1, LGPL 3.0 and AGPL 3.0.
admin connected from 10.24.109.102 using ssh on nfvis
admin logged with default credentials
Please provide a password which satisfies the following criteria:
1.At least one lowercase character
2.At least one uppercase character
3.At least one number
4.At least one special character from # _ - * ?
5.Length should be between 7 and 128 characters
Please reset the password :
Please reenter the password :
Resetting admin password
2. On Cisco Catalyst 8200 UCPE and Cisco ENCS 5400 platforms, when you do a fresh install of NFVIS 4.7.1 or later releases, you must change the default BIOS and CIMC passwords. If the BIOS and CIMC passwords were not previously configured, the system prompts you to reset the BIOS and CIMC passwords for Cisco ENCS 5400 and only the BIOS password for Cisco Catalyst 8200 UCPE.
New admin password is set
Please provide the BIOS password which satisfies the following criteria :
1. At least one lowercase character
2. At least one uppercase character
3. At least one number
4. At least one special character from #, @ or _
5. Length should be between 8 and 20 characters
Please reset the BIOS password :
Please reenter the BIOS password :
Please provide the CIMC password which satisfies the following criteria :
1. At least one lowercase character
2. At least one uppercase character
3. At least one number
4. At least one special character from #, @ or _
5. Length should be between 8 and 20 characters
6. Should not contain any of the following strings (case sensitive): admin
Please reset the CIMC password :
Please reenter the CIMC password :
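The three rule sets on this page (NFVIS user passwords under Enforcement of Strong Password, and the BIOS and CIMC prompts above) differ in length limits and permitted special characters, so a password valid for one can be refused by another. The following pre-check is an added example, not NFVIS code or code from the original page; the class and function names are assumptions, and character classes are treated as ASCII.

```python
import string
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_length: int
    max_length: int
    specials: str          # at least one of these characters is required
    forbidden: tuple = ()  # case-sensitive substrings that must not appear


# Limits and character sets copied from the rules and prompts on this page.
NFVIS_USER = PasswordPolicy("NFVIS user", 7, 128, "#_-*?")
BIOS = PasswordPolicy("BIOS", 8, 20, "#@_")
CIMC = PasswordPolicy("CIMC", 8, 20, "#@_", forbidden=("admin",))


def with_min_length(policy, min_length):
    """Model a raised minimum length; the page allows values from 7 to 128."""
    if not 7 <= min_length <= 128:
        raise ValueError("minimum length must be between 7 and 128 characters")
    return replace(policy, min_length=min_length)


def violations(policy, password):
    """Return the list of rules the password breaks (empty list = acceptable).

    Assumption: character classes are ASCII; the page does not say how the
    device treats non-ASCII letters or characters outside the listed sets.
    """
    problems = []
    if not policy.min_length <= len(password) <= policy.max_length:
        problems.append(
            f"length must be between {policy.min_length} and {policy.max_length}"
        )
    if not any(c in string.ascii_lowercase for c in password):
        problems.append("needs a lowercase character")
    if not any(c in string.ascii_uppercase for c in password):
        problems.append("needs an uppercase character")
    if not any(c in string.digits for c in password):
        problems.append("needs a number")
    if not any(c in policy.specials for c in password):
        problems.append("needs one of: " + " ".join(policy.specials))
    for word in policy.forbidden:
        if word in password:  # case-sensitive, as the CIMC prompt states
            problems.append(f"must not contain '{word}'")
    return problems


def check_all(password):
    """Check one candidate against every policy; returns {policy name: problems}."""
    return {p.name: violations(p, password) for p in (NFVIS_USER, BIOS, CIMC)}


if __name__ == "__main__":
    # Constructed candidates: a hyphen is valid for NFVIS users but not BIOS/CIMC.
    for candidate in ("Test1-pass", "My_admin1", "My_Admin1"):
        print(candidate, check_all(candidate))
```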

Verify BIOS and CIMC Passwords
To verify that the BIOS and CIMC passwords were changed successfully, use the show log nfvis_config.log | include BIOS or show log nfvis_config.log | include CIMC commands:

nfvis# show log nfvis_config.log | include BIOS
2021-11-16 15:24:40,102 INFO [hostaction:/system/settings] [] BIOS password change is successful

You can also download the nfvis_config.log file and verify that the passwords were reset successfully.

Integration with External AAA Servers
Users log in to NFVIS through SSH or the Web UI. In either case, users need to be authenticated. That is, a user needs to present password credentials in order to gain access.
Once a user is authenticated, all operations performed by that user need to be authorized. That is, certain users may be allowed to perform certain tasks, whereas others are not. This is called authorization.
It is recommended that a centralized AAA server be deployed to enforce per-user, AAA-based login authentication for NFVIS access. NFVIS supports the RADIUS and TACACS protocols to mediate network access. On the AAA server, only the minimum access privileges should be granted to authenticated users, according to their specific access requirements. This reduces the exposure to both malicious and unintentional security incidents.
For more information on external authentication, see Configuring RADIUS and Configuring a TACACS+ Server.

Authentication Cache for External Authentication Server

| Feature Name | Release Information | Description |
|---|---|---|
| Authentication Cache for External Authentication Server | NFVIS 4.5.1 | This feature supports TACACS authentication through OTP on the NFVIS portal. |

The NFVIS portal uses the same One-Time Password (OTP) for all API calls after the initial authentication. The API calls fail as soon as the OTP expires. This feature supports TACACS OTP authentication with the NFVIS portal.
After you have successfully authenticated through the TACACS server using an OTP, NFVIS creates a hash entry using the username and the OTP and stores this hash value locally. This locally stored hash value has an expiration time stamp associated with it. The time stamp has the same value as the SSH session idle timeout value, which is 15 minutes. All subsequent authentication requests with the same username are authenticated against this local hash value first. If the authentication fails with the local hash, NFVIS authenticates this request with the TACACS server and creates a new hash entry when the authentication is successful. If a hash entry already exists, its time stamp is reset to 15 minutes.
If you are removed from the TACACS server after successfully logging in to the portal, you can continue to use the portal until the hash entry in NFVIS expires.
When you explicitly log out from the NFVIS portal or are logged out due to idle time, the portal calls a new API to notify the NFVIS backend to flush the hash entry. The authentication cache and all its entries are cleared after an NFVIS reboot, factory reset, or upgrade.
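The cache behaviour described above, including the window in which an account already removed from TACACS is still accepted, is modelled in this added example (not NFVIS code and not from the original page). The class name, the salted PBKDF2 construction and the reading that a cache hit also resets the time stamp are assumptions; the page only states that a hash is built from the username and the OTP.

```python
import hashlib
import hmac
import os
import time

CACHE_TTL = 15 * 60  # seconds; the page ties this to the 15-minute SSH idle timeout


class OtpAuthCache:
    """Local hash cache that is consulted before the external TACACS server."""

    def __init__(self, tacacs_verify, clock=time.monotonic):
        self.tacacs_verify = tacacs_verify  # callable(username, otp) -> bool
        self.clock = clock
        self.entries = {}                   # username -> (salt, digest, expires_at)

    @staticmethod
    def digest(salt, username, otp):
        # Assumption: salted PBKDF2-HMAC-SHA256 is this example's choice.
        material = username.encode() + b"\x00" + otp.encode()
        return hashlib.pbkdf2_hmac("sha256", material, salt, 10_000)

    def authenticate(self, username, otp):
        """Return "cache", "tacacs" or None when the request is rejected."""
        now = self.clock()
        entry = self.entries.get(username)
        if entry is not None:
            salt, stored, expires_at = entry
            if now >= expires_at:
                del self.entries[username]  # an expired entry is never honoured
            elif hmac.compare_digest(stored, self.digest(salt, username, otp)):
                # Existing entry: its time stamp is reset to 15 minutes.
                self.entries[username] = (salt, stored, now + CACHE_TTL)
                return "cache"
        # No usable local entry, or the local hash did not match: ask TACACS.
        if self.tacacs_verify(username, otp):
            salt = os.urandom(16)
            digest = self.digest(salt, username, otp)
            self.entries[username] = (salt, digest, now + CACHE_TTL)
            return "tacacs"
        return None

    def logout(self, username):
        """Explicit or idle logout: the portal asks the backend to flush the entry."""
        self.entries.pop(username, None)

    def clear(self):
        """Reboot, factory reset or upgrade: every entry is dropped."""
        self.entries.clear()


def demo():
    """Constructed scenario: fake clock and fake TACACS server, no network."""
    now = [0.0]
    accounts = {"alice": "492817"}  # constructed username and OTP
    calls = []

    def tacacs_verify(username, otp):
        calls.append(username)
        return accounts.get(username) == otp

    cache = OtpAuthCache(tacacs_verify, clock=lambda: now[0])
    results = [cache.authenticate("alice", "492817")]      # first login: TACACS
    results.append(cache.authenticate("alice", "492817"))  # API call: local hash
    del accounts["alice"]                                  # removed on the server
    now[0] += 14 * 60
    results.append(cache.authenticate("alice", "492817"))  # still accepted locally
    results.append(cache.authenticate("alice", "000000"))  # wrong OTP: TACACS says no
    now[0] += CACHE_TTL
    results.append(cache.authenticate("alice", "492817"))  # entry expired: rejected
    return results, len(calls)


if __name__ == "__main__":
    print(demo())
```

The third result is the exposure the page calls out: revoking a user on the AAA server takes effect on the portal only after the cached entry expires or is flushed.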

Role Based Access Control

Limiting network access is important to organizations that have many employees, employ contractors, or permit access to third parties, such as customers and vendors. In such a scenario, it is difficult to monitor network access effectively. Instead, it is better to control what is accessible, in order to secure sensitive data and critical applications.
Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise. RBAC lets users access just the information they need, and prevents them from accessing information that does not pertain to them.
An employee's role in the enterprise should be used to determine the permissions granted, in order to ensure that employees with lower privileges cannot access sensitive information or perform critical tasks.
The following user roles and privileges are defined in NFVIS:

| User Role | Privilege |
|---|---|
| Administrators | Can configure all available features and perform all tasks, including changing user roles. The administrator cannot delete basic infrastructure that is fundamental to NFVIS. The Admin user's role cannot be changed; it is always "administrators". |
| Operators | Can start and stop a VM, and view all information. |
| Auditors | They are the least privileged users. They have read-only permission and therefore cannot modify any configuration. |

Benefits of RBAC
There are a number of benefits to using RBAC to restrict unnecessary network access based on people's roles within an organization, including:
· Improving operational efficiency. Having predefined roles in RBAC makes it easy to include new users with the right privileges or to switch the roles of existing users. It also cuts down on the potential for error when user permissions are being assigned.
· Enhancing compliance. Every organization must comply with local, state and federal regulations. Companies generally prefer to implement RBAC systems to meet the regulatory and statutory requirements for confidentiality and privacy, because executives and IT departments can more effectively manage how the data is accessed and used. This is particularly important for financial institutions and healthcare companies that manage sensitive data.
· Reducing costs. By not allowing user access to certain processes and applications, companies may conserve or use resources such as network bandwidth, memory and storage in a cost-effective manner.
· Decreasing risk of breaches and data leakage. Implementing RBAC means restricting access to sensitive information, thus reducing the potential for data breaches or data leakage.
Best practices for role-based access control implementations
· As an administrator, determine the list of users and assign the users to the predefined roles. For example, the user "networkadmin" can be created and added to the user group "administrators".
configure terminal
rbac authentication users create-user name networkadmin password Test1_pass role administrators
Note The user groups or roles are created by the system. You cannot create or modify a user group. To change the password, use the rbac authentication users user change-password command in global configuration mode. To change the user role, use the rbac authentication users user change-role command in global configuration mode.
· Terminate accounts for users who no longer require access.
configure terminal
rbac authentication users delete-user name test1
· Periodically conduct audits to evaluate the roles, the employees who are assigned to them, and the access that is permitted for each role. If a user is found to have unnecessary access to a certain system, change the user's role.
For more details, see Users, Roles, and Authentication.
Granular Role-Based Access Control
Starting from NFVIS 4.7.1, the Granular Role-Based Access Control feature is introduced. This feature adds a new resource group policy that manages the VM and VNF and allows you to assign users to a group to control VNF access during VNF deployment. For more information, see Granular Role-Based Access Control.

Restrict Device Accessibility
Users have repeatedly been caught unaware by attacks against features they had not protected because they did not know that those features were enabled. Unused services tend to be left with default configurations, which are not always secure. These services may also be using default passwords. Some services can give an attacker easy access to information on what the server is running or how the network is set up. The following sections describe how NFVIS avoids such security risks:

Attack Vector Reduction
Any piece of software can potentially contain security vulnerabilities. More software means more avenues for attack. Even if there are no publicly known vulnerabilities at the time of inclusion, vulnerabilities may be discovered or disclosed in the future. To avoid such scenarios, only those software packages which are essential for NFVIS functionality are installed. This helps to limit software vulnerabilities, reduce resource consumption, and reduce extra work when problems are found with those packages. All third-party software included in NFVIS is registered in a central database at Cisco so that Cisco is able to perform a company-level organized response (Legal, Security, and so on). Software packages are periodically patched in every release for known Common Vulnerabilities and Exposures (CVEs).

Enabling Only Essential Ports by Default

Only those services which are absolutely necessary to set up and manage NFVIS are available by default. This removes the user effort required to configure firewalls and deny access to unnecessary services. The services that are enabled by default are listed below along with the ports they open.

| Open Port | Service | Description |
|---|---|---|
| 22/TCP | SSH | Secure Socket Shell for remote command-line access to NFVIS |
| 80/TCP | HTTP | Hypertext Transfer Protocol for NFVIS portal access. All HTTP traffic received by NFVIS is redirected to port 443 for HTTPS |
| 443/TCP | HTTPS | Hypertext Transfer Protocol Secure for secure NFVIS portal access |
| 830/TCP | NETCONF-ssh | Port opened for the Network Configuration Protocol (NETCONF) over SSH. NETCONF is a protocol used for automated configuration of NFVIS and for receiving asynchronous event notifications from NFVIS. |
| 161/UDP | SNMP | Simple Network Management Protocol (SNMP). Used by NFVIS to communicate with remote network-monitoring applications. For more information, see Introduction about SNMP |

Restrict Access To Authorized Networks For Authorized Services

Only authorized originators should be permitted to even attempt device management access, and access should be only to the services they are authorized to use. NFVIS can be configured so that access is restricted to known, trusted sources and expected management traffic profiles. This reduces the risk of unauthorized access and the exposure to other attacks, such as brute force, dictionary, or DoS attacks.
To protect the NFVIS management interfaces from unnecessary and potentially harmful traffic, an admin user can create Access Control Lists (ACLs) for the network traffic that is received. These ACLs specify the source IP addresses/networks from which the traffic originates, and the type of traffic that is permitted or rejected from these sources. These IP traffic filters are applied to each management interface on NFVIS. The following parameters are configured in an IP receive Access Control List (ip-receive-acl):

| Parameter | Value | Description |
|---|---|---|
| Source network/Netmask | Network/netmask. For example: 0.0.0.0/0, 172.39.162.0/24 | This field specifies the IP address/network from which the traffic originates |
| Service | https, icmp, netconf, scpd, snmp, ssh | Type of traffic from the specified source. |
| Action | accept, drop, reject | Action to be taken on the traffic from the source network. With accept, new connection attempts will be granted. With reject, connection attempts will not be accepted. If the rule is for a TCP-based service such as HTTPS, NETCONF, SCP, or SSH, the source will get a TCP reset (RST) packet. For non-TCP rules such as SNMP and ICMP, the packet will be dropped. With drop, all packets will be dropped immediately, and no information is sent to the source. |
| Priority | A numeric value | The priority is used to enforce an order on the rules. Rules with a higher numeric value for priority will be added further down in the chain. If you want to make sure that a rule will be added after another one, use a low priority number for the first and a higher priority number for the following ones. |

The following sample configurations illustrate some scenarios that can be adapted for specific use cases.
Configuring the IP Receive ACL
The more restrictive an ACL, the more limited the exposure to unauthorized access attempts. However, a more restrictive ACL can create management overhead, and can impact accessibility for troubleshooting. Consequently, there is a balance to be considered. One compromise is to restrict access to internal IP addresses only. Each customer must evaluate the implementation of ACLs in relation to their own security policy, risks, exposure, and acceptance thereof.
Reject ssh traffic from a subnet:

nfvis(config)# system settings ip-receive-acl 171.70.63.0/24 service ssh action reject priority 1

Removing ACLs:
When an entry is deleted from ip-receive-acl, all configurations for that source are deleted, since the source IP address is the key. To delete just one service, configure the other services again.

nfvis(config)# no system settings ip-receive-acl 171.70.63.0/24
For more details, see Configuring the IP Receive ACL.
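The priority ordering, the accept/reject/drop behaviour from the parameter table and the source-keyed deletion can be modelled offline to review a planned rule set before it is committed. This is an added Python example, not NFVIS code: first-match evaluation in priority order, the class and function names, and every rule except the ssh reject rule for 171.70.63.0/24 are assumptions made for the model.

```python
import ipaddress
from dataclasses import dataclass

# Services and actions as listed in the ip-receive-acl parameter table.
TCP_SERVICES = {"https", "netconf", "scpd", "ssh"}
NON_TCP_SERVICES = {"icmp", "snmp"}
ACTIONS = {"accept", "reject", "drop"}


@dataclass(frozen=True)
class Rule:
    source: ipaddress.IPv4Network
    service: str
    action: str
    priority: int


def wire_effect(rule):
    """What the source observes, following the Action description in the table."""
    if rule.action == "accept":
        return "connection accepted"
    if rule.action == "reject" and rule.service in TCP_SERVICES:
        return "TCP RST returned to source"
    # reject on a non-TCP service, or drop on any service: nothing is sent back.
    return "packet dropped, nothing sent to source"


class ReceiveAcl:
    """Model of an ip-receive-acl: entries are keyed by source network."""

    def __init__(self):
        self._entries = {}  # source network -> {service: Rule}

    def add(self, source, service, action, priority):
        if service not in TCP_SERVICES | NON_TCP_SERVICES:
            raise ValueError(f"unknown service: {service}")
        if action not in ACTIONS:
            raise ValueError(f"unknown action: {action}")
        net = ipaddress.ip_network(source)
        self._entries.setdefault(net, {})[service] = Rule(net, service, action, priority)

    def delete_source(self, source):
        """Deleting an entry removes every service configured for that source."""
        self._entries.pop(ipaddress.ip_network(source), None)

    def chain(self):
        """Rules in evaluation order: lower priority number first."""
        rules = [r for services in self._entries.values() for r in services.values()]
        return sorted(rules, key=lambda r: r.priority)

    def evaluate(self, src_ip, service):
        """Return (rule, effect) for the first matching rule, or (None, None)."""
        ip = ipaddress.ip_address(src_ip)
        for rule in self.chain():
            if rule.service == service and ip in rule.source:
                return rule, wire_effect(rule)
        return None, None  # the default policy is outside this model

    def shadowed(self):
        """(rule, earlier_rule) pairs where earlier_rule already covers rule's whole source."""
        found = []
        chain = self.chain()
        for i, later in enumerate(chain):
            for earlier in chain[:i]:
                if earlier.service == later.service and later.source.subnet_of(earlier.source):
                    found.append((later, earlier))
                    break
        return found


def demo():
    acl = ReceiveAcl()
    # From the page: reject ssh from 171.70.63.0/24 at priority 1.
    acl.add("171.70.63.0/24", "ssh", "reject", 1)
    # Constructed rules for illustration.
    acl.add("171.70.63.0/24", "snmp", "reject", 1)
    acl.add("0.0.0.0/0", "ssh", "accept", 2)
    # Never reached: the 0.0.0.0/0 rule at priority 2 matches first.
    acl.add("172.39.162.0/24", "ssh", "drop", 5)
    return acl


if __name__ == "__main__":
    acl = demo()
    for ip, svc in [("171.70.63.10", "ssh"), ("171.70.63.10", "snmp"), ("172.39.162.7", "ssh")]:
        rule, effect = acl.evaluate(ip, svc)
        print(ip, svc, "->", rule.action if rule else None, "|", effect)
    for later, earlier in acl.shadowed():
        print("shadowed:", later, "by", earlier)
```

The shadowed() check is the useful part during review: a narrow drop or reject placed at a higher priority number than a broad accept for the same service has no effect.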
Privileged Debug Access
The super-user account on NFVIS is disabled by default, to prevent all unrestricted, potentially adverse, system-wide changes, and NFVIS does not expose the system shell to the user.
However, for some hard-to-debug issues on the NFVIS system, the Cisco Technical Assistance Center (TAC) team or the development team may require shell access to the customer's NFVIS. NFVIS has a secure unlock infrastructure to ensure that privileged debug access to a device in the field is restricted to authorized Cisco employees. To securely access the Linux shell for this kind of interactive debugging, a challenge-response authentication mechanism is used between NFVIS and the Interactive debugging server maintained by Cisco. The admin user's password is also required, in addition to the challenge-response entry, to ensure that the device is accessed with the customer's consent.
Steps to access the shell for Interactive Debugging:
1. An admin user initiates this procedure using this hidden command.

nfvis# system shell-access


2. The screen will show a challenge string, for example:
Challenge String (Please copy everything between the asterisk lines exclusively):
********************************************************************************
SPH//wkAAABORlZJU0VOQ1M1NDA4L0s5AQAAABt+dcx+hB0V06r9RkdMMjEzNTgw
RlHq7BxeAAA=
DONE.
********************************************************************************
3. The Cisco member enters the challenge string on an Interactive Debug server maintained by Cisco. This server verifies that the Cisco user is authorized to debug NFVIS using the shell, and then returns a response string.
4. Enter the response string on the screen below this prompt: Input your response when ready:
5. When prompted, the customer should enter the admin password.
6. You get shell access if the password is valid.
7. The development or TAC team uses the shell to proceed with the debugging.
8. To exit shell-access, type Exit.
Secure Interfaces
NFVIS management access is allowed using the interfaces shown in the diagram. The following sections describe security best practices for these interfaces to NFVIS.

Console

The console port is an asynchronous serial port that allows you to connect to the NFVIS CLI for initial configuration. A user can access the console with either physical access to the NFVIS or remote access through a terminal server. If console port access is required via a terminal server, configure access lists on the terminal server to allow access only from the required source addresses.

SSH

Users can access the NFVIS CLI by using SSH as a secure means of remote login. The integrity and confidentiality of NFVIS management traffic is essential to the security of the administered network, since administration protocols frequently carry information that could be used to penetrate or disrupt the network.
NFVIS uses SSH version 2, which is Cisco's and the Internet's de facto standard protocol for interactive logins, and supports the strong encryption, hash, and key exchange algorithms recommended by the Security and Trust Organization within Cisco.

CLI Session Timeout
By logging in via SSH, a user establishes a session with NFVIS. While the user is logged in, leaving the session unattended can expose the network to a security risk. Session security limits the risk of internal attacks, such as one user attempting to use another user's session.
To mitigate this risk, NFVIS times out CLI sessions after 15 minutes of inactivity. When the session timeout is reached, the user is automatically logged out.

NETCONF

The Network Configuration Protocol (NETCONF) is a network management protocol developed and standardized by the IETF for the automated configuration of network devices.
The NETCONF protocol uses Extensible Markup Language (XML) based data encoding for the configuration data as well as the protocol messages. The protocol messages are exchanged on top of a secure transport protocol.
NETCONF allows NFVIS to expose an XML-based API that the network operator can use to set and get configuration data and event notifications securely over SSH.
For more information, see NETCONF Event Notifications.

REST API

NFVIS can be configured using a RESTful API over HTTPS. The REST API allows requesting systems to access and manipulate the NFVIS configuration by using a uniform and predefined set of stateless operations. Details on all the REST APIs can be found in the NFVIS API Reference guide.
When the user issues a REST API, a session is established with NFVIS. To limit risks related to denial of service attacks, NFVIS limits the total number of REST sessions to 100.

NFVIS Web Portal
The NFVIS portal is a web-based Graphical User Interface that displays information about NFVIS. The portal gives the user an easy means to configure and monitor NFVIS over HTTPS without having to know the NFVIS CLI and API.

Session Management
The stateless nature of HTTP and HTTPS requires a method of uniquely tracking users through the use of unique session IDs and cookies.
NFVIS encrypts the user's session. The AES-256-CBC cipher is used to encrypt the session contents with an HMAC-SHA-256 authentication tag. A random 128-bit Initialization Vector is generated for each encryption operation.
An audit record is started when a portal session is created. Session information is deleted when the user logs out or when the session times out.
The default idle timeout for portal sessions is 15 minutes. However, this can be configured for the current session to a value between 5 and 60 minutes on the Settings page. Auto-logout will be initiated after this period. Multiple sessions are not permitted in a single browser. The maximum number of concurrent sessions is set to 30. The NFVIS portal uses cookies to associate data with the user. It uses the following cookie properties for enhanced security:
· ephemeral to ensure the cookie expires when the browser is closed
· httpOnly to make the cookie inaccessible from JavaScript
· secureProxy to ensure the cookie can only be sent over SSL.
Even after authentication, attacks such as Cross-Site Request Forgery (CSRF) are possible. In this scenario, an end user might inadvertently execute unwanted actions on a web application in which they are currently authenticated. To prevent this, NFVIS uses CSRF tokens to validate every REST API that is invoked during each session.
URL Redirection
In typical web servers, when a page is not found on the web server, the user gets a 404 message; for pages that exist, they get a login page. The security impact of this is that an attacker can perform a brute force scan and easily detect which pages and folders exist. To prevent this on NFVIS, all non-existent URLs prefixed with the device IP are redirected to the portal login page with a 301 status response code. This means that regardless of the URL requested by an attacker, they will always get the login page to authenticate themselves. All HTTP server requests are redirected to HTTPS and have the following headers configured:
· X-Content-Type-Options
· X-XSS-Protection
· Content-Security-Policy
· X-Frame-Options
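The cookie properties, the 301-to-login behaviour and the header list can be verified from captured responses during a hardening review. This is an added Python example, not part of NFVIS: the function names, the /login path, the 192.0.2.10 address and all header values are constructed assumptions, and the check covers only the four headers listed above.

```python
from urllib.parse import urlsplit

# The four response headers the page lists for the portal.
REQUIRED_HEADERS = (
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Content-Security-Policy",
    "X-Frame-Options",
)


def cookie_findings(set_cookie):
    """Check one Set-Cookie value for the three cookie properties the page names."""
    parts = [p.strip() for p in set_cookie.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
    findings = []
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: HttpOnly missing, readable from JavaScript")
    if "secure" not in attrs:
        findings.append(f"cookie {name}: Secure missing, may be sent without TLS")
    if attrs & {"expires", "max-age"}:
        findings.append(f"cookie {name}: Expires/Max-Age set, survives browser close")
    return findings


def audit_response(status, headers, missing_url_probe=False, login_path="/login"):
    """Return a list of findings for one captured response.

    headers is a list of (name, value) pairs so repeated Set-Cookie lines survive.
    missing_url_probe=True means the request was for a URL that does not exist.
    login_path is a hypothetical value; use the portal's real login path.
    """
    findings = []
    present = {name.lower() for name, _ in headers}
    for header in REQUIRED_HEADERS:
        if header.lower() not in present:
            findings.append(f"missing header {header}")
    for name, value in headers:
        if name.lower() == "set-cookie":
            findings.extend(cookie_findings(value))
    if missing_url_probe:
        location = next((v for n, v in headers if n.lower() == "location"), None)
        if status != 301:
            findings.append(
                f"missing URL answered with {status}, not 301: status codes reveal which pages exist"
            )
        elif location is None or urlsplit(location).path != login_path:
            findings.append("301 does not point at the login page")
        elif urlsplit(location).scheme not in ("", "https"):
            findings.append("redirect target is not HTTPS")
    return findings


# Constructed captures of a request for a non-existent URL.
HARDENED = (301, [
    ("Location", "https://192.0.2.10/login"),
    ("X-Content-Type-Options", "nosniff"),
    ("X-XSS-Protection", "1; mode=block"),
    ("Content-Security-Policy", "default-src 'self'"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
])
WEAK = (404, [
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Set-Cookie", "session=abc123; Path=/; Expires=Wed, 01 Jan 2031 00:00:00 GMT"),
])

if __name__ == "__main__":
    for label, capture in (("hardened", HARDENED), ("weak", WEAK)):
        print(label, audit_response(*capture, missing_url_probe=True))
```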
Disabling the Portal
NFVIS portal access is enabled by default. If you are not planning to use the portal, it is recommended to disable portal access using this command:
configure terminal
system portal access disabled
commit

HTTPS
All HTTPS data to and from NFVIS uses Transport Layer Security (TLS) to communicate across the network. TLS is the successor to Secure Socket Layer (SSL).
The TLS handshake involves authentication, during which the client verifies the server's SSL certificate with the certificate authority that issued it. This confirms that the server is who it says it is, and that the client is interacting with the owner of the domain. By default, NFVIS uses a self-signed certificate to prove its identity to its clients. This certificate has a 2048-bit public key to increase the security of the TLS encryption, since the encryption strength is directly related to the key size.
Certificate Management
NFVIS generates a self-signed SSL certificate when it is first installed. It is a security best practice to replace this certificate with a valid certificate signed by a compliant Certificate Authority (CA). Use the following steps to replace the default self-signed certificate:
1. Generate a Certificate Signing Request (CSR) on NFVIS.
A Certificate Signing Request (CSR) is a file with a block of encoded text that is given to a Certificate Authority when applying for an SSL certificate. This file contains information that should be included in the certificate, such as the organization name, common name (domain name), locality, and country. The file also contains the public key that should be included in the certificate. NFVIS uses a 2048-bit public key since encryption strength is higher with a larger key size. To generate a CSR on NFVIS, run the following command:
nfvis# system certificate signing-request [common-name country-code locality organization organization-unit-name state]
The CSR file is saved as /data/intdatastore/download/nfvis.csr.
2. Get an SSL certificate from a CA using the CSR.
From an external host, use the scp command to download the Certificate Signing Request.
[myhost:/tmp] > scp -P 22222 admin@<NFVIS-IP>:/data/intdatastore/download/nfvis.csr <file-name>
Contact a Certificate Authority to issue a new SSL server certificate using this CSR.
3. Install the CA Signed Certificate.
From an external server, use the scp command to upload the certificate file into NFVIS, to the data/intdatastore/uploads/ directory.
[myhost:/tmp] > scp -P 22222 <certificate file> admin@<NFVIS-IP>:/data/intdatastore/uploads
Install the certificate in NFVIS using the following command.
nfvis# system certificate install-cert path file:///data/intdatastore/uploads/<certificate file>
4. Switch to using the CA Signed Certificate.
Use the following command to start using the CA signed certificate instead of the default self-signed certificate.

nfvis(config)# system certificate use-cert cert-type ca-signed

SNMP Access

Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks, and for modifying that information to change device behavior.
Three significant versions of SNMP have been developed. NFVIS supports SNMP version 1, version 2c and version 3. SNMP versions 1 and 2 use community strings for authentication, and these are sent in plain text. So, it is a security best practice to use SNMP v3 instead.
SNMPv3 provides secure access to devices by using three aspects: users, authentication, and encryption. SNMPv3 uses the USM (User-based Security Model) for controlling access to information available via SNMP. The SNMP v3 user is configured with an authentication type, a privacy type and a passphrase. All users sharing a group use the same SNMP version; however, the specific security level settings (password, encryption type, etc.) are specified per user.
The following table summarizes the security options within SNMP.

| Model | Level | Authentication | Encryption | Outcome |
| --- | --- | --- | --- | --- |
| v1 | noAuthNoPriv | Community String | No | Uses a community string match for authentication. |
| v2c | noAuthNoPriv | Community String | No | Uses a community string match for authentication. |
| v3 | noAuthNoPriv | Username | No | Uses a username match for authentication. |
| v3 | authNoPriv | Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) | No | Provides authentication based on the HMAC-MD5-96 or HMAC-SHA-96 algorithms. |
| v3 | authPriv | MD5 or SHA | Data Encryption Standard (DES) or Advanced Encryption Standard (AES) | Provides authentication based on the HMAC-MD5-96 or HMAC-SHA-96 algorithms. Provides the DES cipher algorithm in Cipher Block Chaining Mode (CBC-DES) or the AES encryption algorithm used in Cipher FeedBack Mode (CFB), with a 128-bit key size (CFB128-AES-128). |

Since its adoption by NIST, AES has become the dominant encryption algorithm throughout the industry. To follow the industry's migration away from MD5 and toward SHA, it is a security best practice to configure the SNMP v3 authentication protocol as SHA and the privacy protocol as AES.
For more details on SNMP, see Introduction about SNMP.

Legal Notification Banners
It is recommended that a legal notification banner is present on all interactive sessions to ensure that users are notified of the security policy being enforced and to which they are subject. In some jurisdictions, civil and/or criminal prosecution of an attacker who breaks into a system is easier, or even required, if a legal notification banner is presented, informing unauthorized users that their use is in fact unauthorized. In some jurisdictions, it may also be forbidden to monitor the activity of an unauthorized user unless they have been notified of the intent to do so.
Legal notification requirements are complex and vary in each jurisdiction and situation. Even within jurisdictions, legal opinions vary. Discuss this issue with your own legal counsel to ensure that the notification banner meets company, local, and international legal requirements. This is often critical to securing appropriate action in the event of a security breach. In cooperation with the company legal counsel, statements which may be included in a legal notification banner include:
· Notification that system access and use is permitted only by specifically authorized personnel, and perhaps information about who may authorize use.
· Notification that unauthorized access and use of the system is unlawful, and may be subject to civil and/or criminal penalties.
· Notification that access and use of the system may be logged without further notice, and the resulting logs may be used as evidence in court.
· Additional specific notices required by specific local laws.


From a security rather than a legal point of view, a legal notification banner should not contain any specific information about the device, such as its name, model, software, location, operator or owner, because this kind of information may be useful to an attacker.
The following is a sample legal notification banner that can be displayed before login:
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device. Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties. All activities performed on this device are logged and monitored

Note: Present a legal notification banner approved by company legal counsel.
NFVIS allows the configuration of a banner and Message of the Day (MOTD). The banner is displayed before the user logs in. Once the user logs in to NFVIS, a system-defined banner provides copyright information about NFVIS, and the message-of-the-day (MOTD), if configured, will appear, followed by the command line prompt or portal view, depending on the login method.
It is recommended that a login banner is implemented to ensure that a legal notification banner is presented on all device management access sessions before a login prompt is presented. Use this command to configure the banner and MOTD.
nfvis(config)# banner-motd banner motd
For more information about the banner command, see Configure Banner, Message of the day and System Time.

Factory Default Reset
Factory Reset removes all the customer-specific data that has been added to the device since the time of its shipping. The data erased includes configurations, log files, VM images, connectivity information, and user login credentials.
It provides one command to reset the device to factory-original settings, and is useful in the following scenarios:
· Return Material Authorization (RMA) for a device: If you have to return a device to Cisco for RMA, use Factory Default reset to remove all the customer-specific data.
· Recovering a compromised device: If the key material or credentials stored on a device are compromised, reset the device to factory configuration and then reconfigure the device.
· If the same device needs to be re-used at a different site with a new configuration, perform a Factory Default reset to remove the existing configuration and bring it to a clean state.

NFVIS provides the following options within Factory Default reset:

| Factory Reset Option | Data Erased | Data Retained |
| --- | --- | --- |
| all | All configuration, uploaded image files, VMs and logs. Connectivity to the device will be lost. | The admin account is retained and the password will be changed to the factory default password. |
| all-except-images | All configuration except image configuration, VMs, and uploaded image files. Connectivity to the device will be lost. | Image configuration, registered images and logs. The admin account is retained and the password will be changed to the factory default password. |
| all-except-images-connectivity | All configuration except image, network and connectivity configuration, VMs, and uploaded image files. Connectivity to the device is available. | Images, network and connectivity related configuration, registered images, and logs. The admin account is retained and the previously configured admin password will be preserved. |
| manufacturing | All configuration except image configuration, VMs, uploaded image files, and logs. Connectivity to the device will be lost. | Image related configuration and registered images. The admin account is retained and the password will be changed to the factory default password. |

The user must choose the appropriate option carefully, based on the purpose of the Factory Default reset. For more information, see Resetting to Factory Default.

Infrastructure Management Network
An infrastructure management network refers to the network carrying the control and management plane traffic (such as NTP, SSH, SNMP, syslog, etc.) for the infrastructure devices. Device access can be through the console, as well as through the Ethernet interfaces. This control and management plane traffic is critical to network operations, providing visibility into and control over the network. Consequently, a well-designed and secure infrastructure management network is critical to the overall security and operations of a network. One of the key recommendations for a secure infrastructure management network is the separation of management and data traffic, to ensure remote manageability even under high load and high traffic conditions. This can be achieved using a dedicated management interface.
The following are the Infrastructure Management network implementation approaches:
Out-of-band Management
An Out-of-band Management (OOB) network consists of a network which is completely independent and physically disparate from the data network that it helps to manage. This is also sometimes referred to as a Data Communications Network (DCN). Network devices may connect to the OOB network in different ways:
· NFVIS supports a built-in management interface that can be used to connect to the OOB network. NFVIS allows the configuration of a predefined physical interface, the MGMT port on the ENCS, as a dedicated management interface. Restricting management packets to designated interfaces provides greater control over the management of a device, thereby providing more security for that device. Other benefits include improved performance for data packets on non-management interfaces, support for network scalability, the need for fewer access control lists (ACLs) to restrict access to a device, and prevention of management packet floods from reaching the CPU.
· Network devices can also connect to the OOB network via dedicated data interfaces. In this case, ACLs should be deployed to ensure that management traffic is only handled by the dedicated interfaces. For further information, see Configuring the IP Receive ACL and Port 22222 and Management Interface ACL.
Pseudo out-of-band Management
A pseudo out-of-band management network uses the same physical infrastructure as the data network but provides logical separation through the virtual separation of traffic, by using VLANs. NFVIS supports creating VLANs and virtual bridges to help identify different sources of traffic and separate traffic between VMs. Having separate bridges and VLANs isolates the virtual machine network's data traffic from the management network, thus providing traffic segmentation between the VMs and the host. For further information, see Configuring VLAN for NFVIS Management Traffic.
In-band Management
An in-band management network uses the same physical and logical paths as the data traffic. Ultimately, this network design requires a per-customer analysis of risk versus benefits and costs. Some general considerations include:
· An isolated OOB management network maximizes visibility and control over the network even during disruptive events.
· Transmitting network telemetry over an OOB network minimizes the chance of disruption of the very information that provides critical network visibility.
· In-band management access to network infrastructure, hosts, etc. is vulnerable to complete loss in the event of a network incident, removing all network visibility and control. Appropriate QoS controls should be put in place to mitigate this occurrence.
· NFVIS features interfaces which are dedicated to device management, including serial console ports and Ethernet management interfaces.
· An OOB management network can typically be deployed at a reasonable cost, since management network traffic does not typically demand high bandwidth or high performance devices, and only requires sufficient port density to support the connectivity to each infrastructure device.
Locally Stored Information Protection
Protecting Sensitive Information
NFVIS stores some sensitive information locally, including passwords and secrets. Passwords should generally be maintained and controlled by a centralized AAA server. However, even if a centralized AAA server is deployed, some locally stored passwords are required for certain cases, such as local fallback when AAA servers are not available, special-use usernames, etc. These local passwords and other sensitive information are stored on NFVIS as hashes, so that it is not possible to recover the original credentials from the system. Hashing is a widely accepted industry norm.

File Transfer
Files which may need to be transferred to NFVIS devices include VM images and NFVIS upgrade files. The secure transfer of files is critical for network infrastructure security. NFVIS supports Secure Copy (SCP) to ensure the security of file transfer. SCP relies on SSH for secure authentication and transport, enabling the secure and authenticated copying of files.
A secure copy from NFVIS is initiated through the scp command. The secure copy (scp) command only allows the user to securely copy files from NFVIS to an external system, or from an external system to NFVIS.
The syntax for the scp command is:
scp
We use port 22222 for the NFVIS SCP server. By default, this port is closed and users cannot secure copy files into NFVIS from an external client. If there is a need to SCP a file from an external client, the user can open the port using:
system settings ip-receive-acl (address)/(mask length) service scpd priority (number) action accept
commit
To prevent users from accessing system directories, secure copy can be performed only to or from intdatastore:, extdatastore1:, extdatastore2:, usb: and nfs:, if available. Secure copy can also be performed from logs: and techsupport:

Logging

NFVIS access and configuration changes are logged as audit logs to record the following information:
· Who accessed the device
· When a user logged in
· What a user did in terms of the host configuration and the VM lifecycle
· When a user logged off
· Failed access attempts
· Failed authentication requests
· Failed authorization requests
This information is invaluable for forensic analysis in case of unauthorized attempts or access, as well as for configuration change issues and to help plan group administration changes. It may also be used in real time to identify anomalous activities which may indicate that an attack is taking place. This analysis can be correlated with information from additional external sources, such as IDS and firewall logs.


All the key events on NFVIS are sent as event notifications to NETCONF subscribers and as syslogs to the configured central logging servers. For more information on syslog messages and event notifications, see Appendix.
Virtual Machine Security
This section describes security features related to the registration, deployment and operation of Virtual Machines on NFVIS.
VNF secure boot
NFVIS supports Open Virtual Machine Firmware (OVMF) to enable UEFI secure boot for Virtual Machines which support secure boot. VNF secure boot verifies that each layer of the VM boot software is signed, including the bootloader, the operating system kernel, and the operating system drivers.

For more information, see Secure Boot of VNFs.
VNC Console Access Protection
NFVIS allows the user to create a Virtual Network Computing (VNC) session to access a deployed VM's remote desktop. To enable this, NFVIS dynamically opens a port to which the user can connect using their web browser. This port is only left open for 60 seconds for an external server to start a session to the VM. If no activity is seen within this time, the port is closed. The port number is assigned dynamically and thereby allows only one-time access to the VNC console.
nfvis# vncconsole start deployment-name 1510614035 vm-name ROUTER
vncconsole-url :6005/vnc_auto.html
Pointing your browser to https://<NFVIS-IP>:6005/vnc_auto.html will connect to the ROUTER VM's VNC console.

Encrypted VM config data variables
During VM deployment, the user provides a day-0 configuration file for the VM. This file can contain sensitive information such as passwords and keys. If this information is passed as clear text, it appears in log files and internal database records in clear text. This feature allows the user to flag a config data variable as sensitive, so that its value is encrypted using AES-CFB-128 encryption before it is stored or passed to internal subsystems.
For more information, see VM Deployment Parameters.
Checksum verification for Remote Image Registration
To register a remotely located VNF image, the user specifies its location. The image needs to be downloaded from an external source, such as an NFS server or a remote HTTPS server.
To know whether a downloaded file is safe to install, it is essential to compare the file's checksum before using it. Verifying the checksum helps ensure that the file was not corrupted during network transmission, or modified by a malicious third party before you downloaded it.
NFVIS supports the checksum and checksum_algorithm options for the user to provide the expected checksum and checksum algorithm (SHA256 or SHA512) to be used to verify the checksum of the downloaded image. Image creation fails if the checksum does not match.
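The same check can be run on the host that stages or publishes the image, so that the checksum value supplied at registration is known to be correct. This is an added Python example, not NFVIS code: the function and parameter names are assumptions that mirror the checksum and checksum_algorithm options, and the image bytes in the demo are constructed.

```python
import hashlib
import hmac
import os
import tempfile

# The two algorithms the page names for checksum_algorithm.
ALGORITHMS = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


class ChecksumError(Exception):
    """Raised when an image must not be registered."""


def verify_image(path, checksum, checksum_algorithm, chunk_size=1 << 20):
    """Hash the file at path and compare it with the expected hex checksum."""
    try:
        digest = ALGORITHMS[checksum_algorithm.upper()]()
    except KeyError:
        raise ChecksumError(f"unsupported checksum_algorithm: {checksum_algorithm}") from None
    expected = checksum.strip().lower()
    # Reject malformed input early: a truncated digest must never "match".
    if len(expected) != digest.digest_size * 2 or set(expected) - set("0123456789abcdef"):
        raise ChecksumError("expected checksum is not a full hex digest for this algorithm")
    with open(path, "rb") as image:
        # Stream in chunks: VM images are too large to read in one call.
        for chunk in iter(lambda: image.read(chunk_size), b""):
            digest.update(chunk)
    actual = digest.hexdigest()
    if not hmac.compare_digest(actual, expected):
        raise ChecksumError(f"checksum mismatch: got {actual}")
    return actual


def promote_if_valid(staged_path, final_path, checksum, checksum_algorithm):
    """Move a downloaded file into place only after its checksum verifies.

    On any failure the staged file is deleted, so a bad download is never used.
    """
    try:
        verify_image(staged_path, checksum, checksum_algorithm)
    except ChecksumError:
        os.remove(staged_path)
        raise
    os.replace(staged_path, final_path)  # atomic when both paths share a filesystem
    return final_path


if __name__ == "__main__":
    workdir = tempfile.mkdtemp()
    staged = os.path.join(workdir, "image.part")
    data = b"constructed VNF image bytes" * 1000  # stand-in for a real image
    with open(staged, "wb") as f:
        f.write(data)
    expected = hashlib.sha256(data).hexdigest()
    print(promote_if_valid(staged, os.path.join(workdir, "image.qcow2"), expected, "SHA256"))
```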
Certification Validation for Remote Image Registration
To register a VNF image located on an HTTPS server, the image needs to be downloaded from the remote HTTPS server. To download this image securely, NFVIS verifies the SSL certificate of the server. The user needs to specify either the path to the certificate file or the PEM format certificate contents to enable this secure download.
More details can be found in the section on certificate validation for image registration.
VM Isolation and Resource provisioning
The Network Function Virtualization (NFV) architecture consists of:
· Virtualized network functions (VNFs), which are Virtual Machines running software applications that deliver network functionality such as a router, firewall, load balancer, and so on.
· Network functions virtualization infrastructure, which consists of the infrastructure components (compute, memory, storage, and networking) on a platform that supports the required software and hypervisor.
With NFV, network functions are virtualized so that multiple functions can be run on a single server. As a result, less physical hardware is needed, allowing for resource consolidation. In this environment, it is essential to simulate dedicated resources for multiple VNFs from a single, physical hardware system. Using NFVIS, VMs can be deployed in a controlled manner so that each VM receives the resources it needs. Resources are partitioned as needed from the physical environment to the many virtual environments. The individual VM domains are isolated, so they are separate, distinct, and secure environments, which do not contend with each other for shared resources.
VMs cannot use more resources than provisioned. This avoids a Denial of Service condition from one VM consuming the resources. As a result, CPU, memory, network and storage are protected.

CPU Isolation

The NFVIS system reserves cores for the infrastructure software running on the host. The rest of the cores are available for VM deployment. This guarantees that a VM's performance does not affect the performance of the NFVIS host.

Low-latency VMs
NFVIS explicitly assigns dedicated cores to the low-latency VMs that are deployed on it. If the VM requires 2 vCPUs, it is assigned 2 dedicated cores. This prevents sharing and oversubscription of cores and guarantees the performance of the low-latency VMs. If the number of available cores is less than the number of vCPUs requested by another low-latency VM, the deployment is prevented since we do not have sufficient resources.

Non low-latency VMs
NFVIS assigns sharable CPUs to non low-latency VMs. If the VM requires 2 vCPUs, it is assigned 2 CPUs. These 2 CPUs are sharable among other non low-latency VMs. If the number of available CPUs is less than the number of vCPUs requested by another non low-latency VM, the deployment is still allowed because this VM will share the CPU with existing non low-latency VMs.
Memory Allocation
The NFVIS infrastructure requires a certain amount of memory. When a VM is deployed, there is a check to ensure that the memory available, after reserving the memory required for the infrastructure and for previously deployed VMs, is sufficient for the new VM. We do not allow memory oversubscription for the VMs.
VMs are not allowed to directly access the host file system and storage.
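The CPU and memory admission rules above, worked through as a small Python model. This is an added example, not NFVIS code: the `Host` class, the VM names and the sizes are hypothetical, and rejecting a non low-latency VM when no shareable core exists is an assumption, since the text does not cover that case.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    """Toy admission model of the rules above; sizes and names are hypothetical."""
    total_cores: int
    infra_cores: int       # cores reserved for host infrastructure software
    total_mem_mb: int
    infra_mem_mb: int      # memory reserved for host infrastructure
    dedicated: dict = field(default_factory=dict)    # VM name -> pinned cores
    shared_cores: set = field(default_factory=set)   # pool for non low-latency VMs
    vm_mem: dict = field(default_factory=dict)       # VM name -> reserved MB

    def free_cores(self):
        used = set(self.shared_cores).union(*self.dedicated.values())
        return [c for c in range(self.infra_cores, self.total_cores) if c not in used]

    def free_mem_mb(self):
        return self.total_mem_mb - self.infra_mem_mb - sum(self.vm_mem.values())

    def deploy(self, name, vcpus, mem_mb, low_latency):
        """Return (admitted, reason) and record the allocation when admitted."""
        if mem_mb > self.free_mem_mb():
            return False, "memory would be oversubscribed"
        free = self.free_cores()
        if low_latency:
            if vcpus > len(free):
                return False, "not enough free cores to dedicate"
            self.dedicated[name] = set(free[:vcpus])
        else:
            # Take what is free, then share the pool for the remainder.
            self.shared_cores |= set(free[:vcpus])
            if not self.shared_cores:
                return False, "no shareable core"  # assumption: page is silent here
        self.vm_mem[name] = mem_mb
        return True, "ok"

def demo():
    """Constructed scenario: 8 cores (2 for the host), 16 GB (4 GB for the host)."""
    host = Host(total_cores=8, infra_cores=2, total_mem_mb=16384, infra_mem_mb=4096)
    requests = [("router", 2, 4096, True), ("fw", 3, 4096, False),
                ("lb", 2, 2048, False), ("ips", 2, 1024, True),
                ("wanopt", 1, 4096, False)]
    return host, [host.deploy(*r) for r in requests]
```

In the constructed scenario the third VM is admitted with only one free core left because it shares the pool, the fourth (low-latency) is refused for lack of dedicated cores, and the fifth is refused because its memory request exceeds what remains.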
Storage Isolation

The ENCS platform supports an internal datastore (M2 SSD) and external disks. NFVIS is installed on the internal datastore. VNFs can also be deployed on this internal datastore. It is a security best practice to store customer data and deploy customer application Virtual Machines on the external disks. Having physically separate disks for the system files and the application files helps to protect system data from corruption and security issues.
Interface Isolation
Single Root I/O Virtualization (SR-IOV) is a specification that allows the isolation of PCI Express (PCIe) resources such as an Ethernet port. Using SR-IOV, a single Ethernet port can be made to appear as multiple, separate, physical devices known as Virtual Functions. All of the VF devices on that adapter share the same physical network port. A guest can use one or more of these Virtual Functions. A Virtual Function appears to the guest as a network card, in the same way that a normal network card would appear to an operating system. Virtual Functions have near-native performance and provide better performance than para-virtualized drivers and emulated access. Virtual Functions provide data protection between guests on the same physical server because the data is managed and controlled by the hardware. NFVIS VNFs can use SR-IOV networks to connect to WAN and LAN Backplane ports.
Each such VM owns a virtual interface and its related resources, which achieves data protection among VMs.
Secure Development Lifecycle
NFVIS follows a Secure Development Lifecycle (SDL) for software. This is a repeatable, measurable process designed to reduce vulnerabilities and enhance the security and resilience of Cisco solutions. Cisco SDL applies industry-leading practices and technology to build trustworthy solutions that have fewer field-discovered product security incidents. Every NFVIS release goes through the following processes.
· Following Cisco-internal and market-based Product Security Requirements
· Registering third-party software with a central repository at Cisco for vulnerability tracking
· Periodically patching software with known fixes for CVEs
· Designing software with security in mind
· Following secure coding practices such as using vetted common security modules like CiscoSSL, running Static Analysis, and implementing input validation to prevent command injection, etc.
· Using Application Security tools such as IBM AppScan, Nessus, and other Cisco internal tools


Documents / Resources

CISCO Enterprise Network Function Virtualization Infrastructure Software [pdf] User Guide