Enterprise Network Function Virtualization Infrastructure Software

Product Information

Specifications

  • NFVIS software version: 3.7.1 and later
  • RPM signing and signature verification supported
  • Secure boot available (disabled by default)
  • Secure Unique Device Identification (SUDI) mechanism used

Security Considerations

The NFVIS software ensures security through various
mechanisms:

  • Image Tamper Protection: RPM signing and signature verification
    for all RPM packages in the ISO and upgrade images.
  • RPM Signing: All RPM packages in the Cisco Enterprise NFVIS ISO
    and upgrade images are signed to ensure cryptographic integrity and
    authenticity.
  • RPM Signature Verification: The signature of all RPM packages is
    verified before installation or upgrade.
  • Image Integrity Verification: The hash of the Cisco NFVIS ISO image
    and upgrade image is published to ensure the integrity of additional
    non-RPM files.
  • ENCS Secure Boot: Part of the UEFI standard, ensures that the
    device boots using only trusted software.
  • Secure Unique Device Identification (SUDI): Provides the device
    with an immutable identity to verify its genuineness.

Installation

To install the NFVIS software, follow these steps:

  1. Ensure that the software image has not been tampered with by
    verifying its signature and integrity.
  2. If using Cisco Enterprise NFVIS 3.7.1 and later, ensure that
    signature verification passes during installation. If it fails,
    the installation will be aborted.
  3. If upgrading from Cisco Enterprise NFVIS 3.6.x to Release
    3.7.1, the RPM signatures are verified during upgrade. If the
    signature verification fails, an error is logged but the upgrade is
    completed.
  4. If upgrading from Release 3.7.1 to later releases, the RPM
    signatures are verified when the upgrade image is registered. If
    signature verification fails, the upgrade is aborted.
  5. Verify the hash of the Cisco NFVIS ISO image or upgrade image
    using the command: /usr/bin/sha512sum <image_filepath>.
    Compare the hash with the published
    hash to ensure integrity.

Secure Boot

Secure boot is a feature available on ENCS (disabled by default)
that ensures the device boots only using trusted software. To
enable secure boot:

  1. Refer to the documentation on Secure Boot of Host for more
    information.
  2. Follow the instructions provided to enable secure boot on your
    device.

Secure Unique Device Identification (SUDI)

SUDI provides NFVIS with an immutable identity, verifying that
it is a genuine Cisco product and ensuring its recognition in the
customer's inventory system.

FAQ

Q: What is NFVIS?

A: NFVIS stands for Network Function Virtualization
Infrastructure Software. It is a software platform used to deploy
and manage virtual network functions.

Q: How can I verify the integrity of the NFVIS ISO image or
upgrade image?

A: To verify the integrity, use the command
/usr/bin/sha512sum <image_filepath> and compare
the hash with the published hash provided by Cisco.

Q: Is secure boot enabled by default on ENCS?

A: No, secure boot is disabled by default on ENCS. It is
recommended to enable secure boot for enhanced security.

Q: What is the purpose of SUDI in NFVIS?

A: SUDI provides NFVIS with a unique and immutable identity,
ensuring its genuineness as a Cisco product and facilitating its
recognition in the customer's inventory system.

Security Considerations
This chapter describes the security features and considerations in NFVIS. It gives a high-level overview of the security-related components in NFVIS so that you can plan a security strategy for your own deployments. It also has recommendations on security best practices for enforcing the core elements of network security. The NFVIS software has security embedded right from installation through all software layers. The subsequent chapters focus on these out-of-the-box security aspects such as credential management, integrity and tamper protection, session management, secure device access and more.

· Installation
· Secure Unique Device Identification
· Device Access
· Infrastructure Management Network
· Locally Stored Information Protection
· File Transfer
· Logging
· Virtual Machine security
· VM Isolation and Resource provisioning
· Secure Development Lifecycle

Installation
To ensure that the NFVIS software has not been tampered with, the software image is verified before installation using the following mechanisms:

Image Tamper Protection
NFVIS supports RPM signing and signature verification for all RPM packages in the ISO and upgrade images.

RPM Signing

All RPM packages in the Cisco Enterprise NFVIS ISO and upgrade images are signed to ensure cryptographic integrity and authenticity. This guarantees that the RPM packages have not been tampered with and that the RPM packages are from NFVIS. The private key used for signing the RPM packages is created and securely maintained by Cisco.

RPM Signature Verification

NFVIS software verifies the signature of all the RPM packages before an installation or upgrade. The following table describes the Cisco Enterprise NFVIS behavior when the signature verification fails during an installation or upgrade.

Scenario | Description
Cisco Enterprise NFVIS 3.7.1 and later installations | If the signature verification fails while installing Cisco Enterprise NFVIS, the installation is aborted.
Cisco Enterprise NFVIS upgrade from 3.6.x to Release 3.7.1 | The RPM signatures are verified when the upgrade is being performed. If the signature verification fails, an error is logged but the upgrade is completed.
Cisco Enterprise NFVIS upgrade from Release 3.7.1 to later releases | The RPM signatures are verified when the upgrade image is registered. If the signature verification fails, the upgrade is aborted.

Image Integrity Verification
RPM signing and signature verification can be done only for the RPM packages available in the Cisco NFVIS ISO and upgrade images. To ensure the integrity of all the additional non-RPM files available in the Cisco NFVIS ISO image, a hash of the Cisco NFVIS ISO image is published along with the image. Similarly, a hash of the Cisco NFVIS upgrade image is published along with the image. To verify that the hash of the Cisco NFVIS ISO image or upgrade image matches the hash published by Cisco, run the following command and compare the hash with the published hash:
% /usr/bin/sha512sum <ImageFile>
c2122783efc18b039246ae1bcd4eec4e5e027526967b5b809da5632d462dfa6724a9b20ec318c74548c6bd7e9b8217ce96b5ece93dcdd74fda5e01bb382ad607 <ImageFile>
ENCS Secure Boot
Secure boot is part of the Unified Extensible Firmware Interface (UEFI) standard which ensures that a device boots only using software that is trusted by the Original Equipment Manufacturer (OEM). When NFVIS starts, the firmware checks the signature of the boot software and the operating system. If the signatures are valid, the device boots, and the firmware gives control to the operating system.
Secure boot is available on the ENCS but is disabled by default. Cisco recommends that you enable secure boot. For more information, see Secure Boot of Host.
Secure Unique Device Identification
NFVIS uses a mechanism known as Secure Unique Device Identification (SUDI), which provides it with an immutable identity. This identity is used to verify that the device is a genuine Cisco product, and to ensure that the device is well known to the customer's inventory system.
The SUDI is an X.509v3 certificate and an associated key pair which are protected in hardware. The SUDI certificate contains the product identifier and serial number and is rooted in the Cisco Public Key Infrastructure. The key pair and the SUDI certificate are inserted into the hardware module during manufacturing, and the private key can never be exported.
The SUDI-based identity can be used to perform authenticated and automated configuration using Zero Touch Provisioning (ZTP). This enables secure, remote on-boarding of devices, and ensures that the orchestration server is talking to a genuine NFVIS device. A backend system can issue a challenge to the NFVIS device to validate its identity and the device will respond to the challenge using its SUDI-based identity. This allows the backend system not only to verify against its inventory that the right device is in the right location but also to provide encrypted configuration that can only be opened by the specific device, thereby ensuring confidentiality in transit.
The following workflow diagrams illustrate how NFVIS uses SUDI:

Figure 1: Plug and Play (PnP) Server authentication

Figure 2: Plug and Play Device Authentication and Authorization

Device Access
NFVIS provides different access mechanisms including console as well as remote access based on protocols such as HTTPS and SSH. Each access mechanism should be carefully reviewed and configured. Ensure that only the required access mechanisms are enabled and that they are properly secured. The key steps to securing both interactive and management access to NFVIS are to restrict the device accessibility, restrict the capabilities of the permitted users to what is required, and restrict the permitted methods of access. NFVIS ensures that access is only granted to authenticated users and that they can perform just the authorized actions. Device access is logged for auditing and NFVIS ensures the confidentiality of the locally stored sensitive data. It is critical to establish the appropriate controls in order to prevent unauthorized access to NFVIS. The following sections describe the best practices and configurations to achieve this:

Enforced Password Change at First Login
Default credentials are a frequent source of product security incidents. Customers often forget to change the default login credentials, leaving their systems open to attack. To prevent this, the NFVIS user is forced to change the password after the first login using the default credentials (username: admin and password: Admin123#). For more information, see Accessing NFVIS.
Restricting Login Vulnerabilities
You can prevent the vulnerability to dictionary and Denial of Service (DoS) attacks by using the following features.
Enforcement of Strong Password
An authentication mechanism is only as strong as its credentials. For this reason, it is important to ensure that users have strong passwords. NFVIS checks that a strong password is configured as per the following rules. The password must contain:
· At least one uppercase character
· At least one lowercase character
· At least one number
· At least one of these special characters: hash (#), underscore (_), hyphen (-), asterisk (*), or question mark (?)
· Seven characters or greater
· The password length should be between 7 and 128 characters.
Configuring Minimum Length for Passwords
Lack of password complexity, particularly password length, significantly reduces the search space when attackers try to guess user passwords, making brute-force attacks much easier. The admin user can configure the minimum length required for passwords of all users. The minimum length must be between 7 and 128 characters. By default, the minimum length required for passwords is set to 7 characters.
CLI:
nfvis(config)# rbac authentication min-pwd-length 9
API:
/api/config/rbac/authentication/min-pwd-length
Configuring Password Lifetime
The password lifetime determines how long a password can be used before the user is required to change it.
The admin user can configure minimum and maximum lifetime values for passwords for all users and enforce a rule to check these values. The default minimum lifetime value is set to 1 day and the default maximum lifetime value is set to 60 days. When a minimum lifetime value is configured, the user cannot change the password until the specified number of days have passed. Similarly, when a maximum lifetime value is configured, a user must change the password before the specified number of days pass. If a user does not change the password and the specified number of days have passed, a notification is sent to the user.
Note: The minimum and maximum lifetime values and the rule to check for these values are not applied to the admin user.
CLI:
configure terminal rbac authentication password-lifetime enforce true min-days 2 max-days 30 commit
API:
/api/config/rbac/authentication/password-lifetime/
Limit Previous Password Reuse
Without preventing the use of previous passwords, password expiry is largely useless since users can simply change the password and then change it back to the original. NFVIS checks that the new password is not the same as one of the 5 previously used passwords. One exception to this rule is that the admin user can change the password to the default password even if it was one of the 5 previously used passwords.
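The complexity rules, the configurable minimum length and the five-password reuse check described above, as an added Python example (not NFVIS code). How NFVIS stores previous passwords is not described on this page; the salted PBKDF2 history and the function names are assumptions, and the admin default-password exception is not modeled.

```python
import hashlib
import hmac
import os
import re
from collections import deque

SPECIALS = "#_-*?"       # special characters listed on this page
MAX_LEN = 128            # upper length bound stated on this page
HISTORY_DEPTH = 5        # "5 previously used passwords"
PBKDF2_ROUNDS = 20_000   # assumption; kept low so the example runs quickly


def complexity_errors(password, min_len=7):
    """Return the names of the rules the candidate breaks (empty = acceptable)."""
    if not 7 <= min_len <= MAX_LEN:
        raise ValueError("minimum length must be between 7 and 128")
    errors = []
    if not min_len <= len(password) <= MAX_LEN:
        errors.append("length")
    if not re.search(r"[A-Z]", password):
        errors.append("uppercase")
    if not re.search(r"[a-z]", password):
        errors.append("lowercase")
    if not re.search(r"[0-9]", password):
        errors.append("number")
    if not any(ch in SPECIALS for ch in password):
        errors.append("special")
    return errors


class PasswordHistory:
    """Salted hashes of the last HISTORY_DEPTH passwords of one user."""

    def __init__(self):
        # A bounded deque drops the oldest entry when a sixth one is added.
        self._entries = deque(maxlen=HISTORY_DEPTH)

    @staticmethod
    def _digest(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def was_used(self, password):
        # Every entry has its own salt, so the candidate is re-hashed per entry.
        return any(
            hmac.compare_digest(self._digest(password, salt), digest)
            for salt, digest in self._entries
        )

    def remember(self, password):
        salt = os.urandom(16)
        self._entries.append((salt, self._digest(password, salt)))


def change_password(history, new_password, min_len=7):
    """Apply the complexity and reuse checks; record the password if accepted."""
    errors = complexity_errors(new_password, min_len)
    if history.was_used(new_password):
        errors.append("reused")
    if not errors:
        history.remember(new_password)
    return errors


if __name__ == "__main__":
    history = PasswordHistory()
    for candidate in ("password", "Test1_pass", "Test1_pass"):  # constructed inputs
        print(candidate, change_password(history, candidate, min_len=9))
```
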
Restrict Frequency of Login Attempts
If a remote peer is allowed to log in an unlimited number of times, it may eventually be able to guess the login credentials by brute force. Since passwords are often easy to guess, this is a common attack. By limiting the rate at which the peer can attempt logins, we prevent this attack. We also avoid spending system resources on unnecessarily authenticating these brute-force login attempts, which could create a Denial of Service attack. NFVIS enforces a 5 minute user lockdown after 10 failed login attempts.
Disable Inactive User Accounts
Monitoring user activity and disabling unused or stale user accounts helps to secure the system from insider attacks. The unused accounts should eventually be removed. The admin user can enforce a rule to mark unused user accounts as inactive and configure the number of days after which an unused user account is marked as inactive. Once marked as inactive, that user cannot log in to the system. To allow the user to log in to the system, the admin user can activate the user account.
Note: The inactivity period and the rule to check the inactivity period are not applied to the admin user.

The following CLI and API can be used to configure the enforcement of account inactivity.
CLI:
configure terminal rbac authentication account-inactivity enforce true inactivity-days 30 commit
API:
/api/config/rbac/authentication/account-inactivity/
The default value for inactivity-days is 35.

Activating an Inactive User Account
The admin user can activate the account of the inactive user using the following CLI and API:
CLI:
configure terminal rbac authentication users user guest_user activate commit
API:
/api/operations/rbac/authentication/users/username/activate

Enforce Setting of BIOS and CIMC Passwords

Table 1: Feature History Table

Feature Name | Release Information | Description
Enforce Setting of BIOS and CIMC Passwords | NFVIS 4.7.1 | This feature enforces the user to change the default password of CIMC and BIOS.

Restrictions for Enforcing Setting of BIOS and CIMC Passwords
· This feature is supported only on Cisco Catalyst 8200 UCPE and Cisco ENCS 5400 platforms.
· This feature is supported only on a fresh install of NFVIS 4.7.1 and later releases. If you upgrade from NFVIS 4.6.1 to NFVIS 4.7.1, this feature is not supported and you are not prompted to reset the BIOS and CIMC passwords, even if the BIOS and CIMC passwords are not configured.

Information About Enforcing Setting of BIOS and CIMC Passwords
This feature addresses a security gap by enforcing the reset of BIOS and CIMC passwords after a fresh install of NFVIS 4.7.1. The default CIMC password is password and the default BIOS password is no password.
To fix the security gap, you are forced to configure the BIOS and CIMC passwords in ENCS 5400. During a fresh install of NFVIS 4.7.1, if the BIOS and CIMC passwords have not been changed and are still the default passwords, you are prompted to change both the BIOS and CIMC passwords. If only one of them requires reset, you are prompted to reset the password for only that component. Cisco Catalyst 8200 UCPE requires only the BIOS password and hence only the BIOS password reset is prompted, if it has not been already set.
Note: If you upgrade from any previous release to NFVIS 4.7.1 or later releases, you can change the BIOS and CIMC passwords using the hostaction change-bios-password newpassword or hostaction change-cimc-password newpassword commands.
For more information about BIOS and CIMC passwords, see BIOS and CIMC Password.
Configuration Examples for Enforcing Resetting of BIOS and CIMC Passwords
1. When you install NFVIS 4.7.1, you must first reset the default admin password.
Cisco Network Function Virtualization Infrastructure Software (NFVIS)
NFVIS Version: 99.99.0-1009
Copyright (c) 2015-2021 by Cisco Systems, Inc. Cisco, Cisco Systems, and Cisco Systems logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
The copyrights to certain works contained in this software are owned by other third parties and used and distributed under third party license agreements. Certain components of this software are licensed under the GNU GPL 2.0, GPL 3.0, LGPL 2.1, LGPL 3.0 and AGPL 3.0.
admin connected from 10.24.109.102 using ssh on nfvis
admin logged with default credentials
Please provide a password which satisfies the following criteria:
1.At least one lowercase character
2.At least one uppercase character
3.At least one number
4.At least one special character from # _ - * ?
5.Length should be between 7 and 128 characters
Please reset the password :
Please reenter the password :
Resetting admin password
2. On Cisco Catalyst 8200 UCPE and Cisco ENCS 5400 platforms, when you do a fresh install of NFVIS 4.7.1 or later releases, you must change the BIOS and CIMC passwords. If the BIOS and CIMC passwords are not previously configured, the system prompts you to reset the BIOS and CIMC passwords for Cisco ENCS 5400 and only the BIOS password for Cisco Catalyst 8200 UCPE.
New admin password is set
Please provide the BIOS password which satisfies the following criteria:
1. At least one lowercase character
2. At least one uppercase character
3. At least one number
4. At least one special character from #, @ or _
5. Length should be between 8 and 20 characters
6. Should not contain any of the following strings (case sensitive): bios
7. First character cannot be #
Please reset the BIOS password :
Please reenter the BIOS password :
Please provide the CIMC password which satisfies the following criteria:
1 the following strings (case sensitive): admin
Please reset the CIMC password :
Please reenter the CIMC password :

Verify BIOS and CIMC Passwords
To verify that the BIOS and CIMC passwords were changed successfully, use the show log nfvis_config.log | include BIOS or show log nfvis_config.log | include CIMC commands:

nfvis# show log nfvis_config.log | include BIOS
2021-11-16 15:24:40,102 INFO [hostaction:/system/settings] [] BIOS password change is successful

You can also download the nfvis_config.log file and verify that the passwords were reset successfully.

Integration with External AAA Servers
Users log in to NFVIS through ssh or the Web UI. In either case, users need to be authenticated. That is, a user needs to present password credentials in order to gain access.
Once a user is authenticated, all operations performed by that user need to be authorized. That is, certain users may be allowed to perform certain tasks, whereas others are not. This is called authorization.
It is recommended that a centralized AAA server be deployed to enforce per-user, AAA-based login authentication for NFVIS access. NFVIS supports the RADIUS and TACACS protocols to mediate network access. On the AAA server, only minimum access privileges should be granted to authenticated users according to their specific access requirements. This reduces the exposure to both malicious and unintentional security incidents.
For more information on external authentication, see Configuring RADIUS and Configuring a TACACS+ Server.

Authentication Cache for External Authentication Server

Feature Name | Release Information | Description
Authentication Cache for External Authentication Server | NFVIS 4.5.1 | This feature supports TACACS authentication through OTP on NFVIS portal.

The NFVIS portal uses the same One-Time Password (OTP) for all API calls after the initial authentication. The API calls fail as soon as the OTP expires. This feature supports TACACS OTP authentication with the NFVIS portal.
After you have successfully authenticated through the TACACS server using an OTP, NFVIS creates a hash entry using the username and the OTP and stores this hash value locally. This locally stored hash value has an expiration time stamp associated with it. The time stamp has the same value as the SSH session idle timeout value, which is 15 minutes. All subsequent authentication requests with the same username are authenticated against this local hash value first. If the authentication fails with the local hash, NFVIS authenticates this request with the TACACS server and creates a new hash entry when the authentication is successful. If a hash entry already exists, its time stamp is reset to 15 minutes.
If you are removed from the TACACS server after successfully logging in to the portal, you can continue to use the portal until the hash entry in NFVIS expires.
When you explicitly log out from the NFVIS portal or are logged out due to idle time, the portal calls a new API to notify the NFVIS backend to flush the hash entry. The authentication cache and all its entries are cleared after an NFVIS reboot, factory reset, or upgrade.
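A model of the cache behaviour described above, as an added Python example (not NFVIS code), for reasoning about how long portal access survives after an account is removed from the TACACS server. The keyed HMAC digest, the tacacs_check callback and the reading of the time stamp as renewed on every local hit are assumptions; the OTP values are constructed.

```python
import hashlib
import hmac
import os

IDLE_TIMEOUT = 15 * 60  # seconds; the page ties the expiry to the 15-minute idle timeout


class AuthCache:
    """Local hash cache placed in front of an external TACACS OTP check."""

    def __init__(self, tacacs_check):
        self._tacacs_check = tacacs_check  # stand-in callable(username, otp) -> bool
        self._key = os.urandom(32)         # assumption: keyed hash with a per-boot key
        self._entries = {}                 # username -> (digest, expires_at)

    def _digest(self, username, otp):
        message = username.encode() + b"\x00" + otp.encode()
        return hmac.new(self._key, message, hashlib.sha256).digest()

    def authenticate(self, username, otp, now):
        """Return 'cache', 'tacacs' or 'denied' for one API call at time `now`."""
        digest = self._digest(username, otp)
        entry = self._entries.get(username)
        if entry and now >= entry[1]:
            # Expired entries are discarded before any comparison.
            del self._entries[username]
            entry = None
        if entry and hmac.compare_digest(entry[0], digest):
            # Local hit: the time stamp is reset to the full 15 minutes
            # (assumption: this happens on every hit, like an idle timer).
            self._entries[username] = (digest, now + IDLE_TIMEOUT)
            return "cache"
        # No entry, or the local hash did not match: ask the external server.
        if self._tacacs_check(username, otp):
            self._entries[username] = (digest, now + IDLE_TIMEOUT)
            return "tacacs"
        return "denied"

    def logout(self, username):
        """Explicit or idle logout flushes the user's hash entry."""
        self._entries.pop(username, None)

    def clear(self):
        """Reboot, factory reset or upgrade clears every entry."""
        self._entries.clear()

    def residual_access_until(self, username):
        """Time until which the cached entry still grants access, or None."""
        entry = self._entries.get(username)
        return entry[1] if entry else None


if __name__ == "__main__":
    directory = {("alice", "492817")}      # constructed TACACS state
    cache = AuthCache(lambda u, o: (u, o) in directory)
    print(cache.authenticate("alice", "492817", now=0))     # first login
    directory.clear()                                        # account removed
    print(cache.authenticate("alice", "492817", now=600))   # still served locally
    print(cache.residual_access_until("alice"))
```

Under the sliding reading modeled here, an active portal session keeps renewing its own entry, so revoking an account on the TACACS server should be paired with ending the user's portal session or waiting out a full idle period.
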

Role Based Access Control

Limiting network access is important to organizations that have many employees, employ contractors or permit access to third parties, such as customers and vendors. In such a scenario, it is difficult to monitor network access effectively. Instead, it is better to control what is accessible, in order to secure the sensitive data and critical applications.
Role-based access control (RBAC) is a method of restricting network access based on the roles of individual users within an enterprise. RBAC lets users access just the information they need, and prevents them from accessing information that does not pertain to them.
An employee's role in the enterprise should be used to determine the permissions granted, in order to ensure that employees with lower privileges cannot access sensitive information or perform critical tasks.
The following user roles and privileges are defined in NFVIS:

User Role | Privilege
Administrator | Can configure all available features and perform all tasks, including changing user roles. The administrator cannot delete basic infrastructure that is fundamental to NFVIS. The Admin user's role cannot be changed; it is always "administrators".
Operators | Can start and stop a VM, and view all information.
Auditors | They are the least privileged users. They have read-only permission and therefore cannot modify any configuration.

Benefits of RBAC
There are a number of benefits to using RBAC to restrict unnecessary network access based on people's roles within an organization, including:
· Improving operational efficiency.
Having predefined roles in RBAC makes it easy to include new users with the right privileges or switch the roles of existing users. It also cuts down on the potential for error when user permissions are being assigned.
· Enhancing compliance.
Every organization must comply with local, state and federal regulations. Companies generally prefer to implement RBAC systems to meet the regulatory and statutory requirements for confidentiality and privacy because executives and IT departments can more effectively manage how the data is accessed and used. This is particularly important for financial institutions and healthcare companies that manage sensitive data.
· Reducing costs. By not allowing user access to certain processes and applications, companies may conserve or use resources such as network bandwidth, memory and storage in a cost-effective manner.
· Decreasing risk of breaches and data leakage. Implementing RBAC means restricting access to sensitive information, thus reducing the potential for data breaches or data leakage.
Best practices for role-based access control implementations
· As an administrator, determine the list of users and assign the users to the predefined roles. For example, the user "networkadmin" can be created and added to the user group "administrators".
configure terminal rbac authentication users create-user name networkadmin password Test1_pass role administrators
Note: User groups or roles are created by the system. You cannot create or modify a user group. To change the password, use the rbac authentication users user change-password command in global configuration mode. To change the user role, use the rbac authentication users user change-role command in global configuration mode.
· Terminate accounts for users who no longer require access.
configure terminal rbac authentication users delete-user name test1
· Periodically conduct audits to evaluate the roles, the employees who are assigned to them and the access that is permitted for each role. If a user is found to have unnecessary access to a certain system, change the user's role.
For more details see, Users, Roles, and Authentication
Granular Role-Based Access Control
Starting from NFVIS 4.7.1, the Granular Role-Based Access Control feature is introduced. This feature adds a new resource group policy that manages the VM and VNF and allows you to assign users to a group to control VNF access during VNF deployment. For more information, see Granular Role-Based Access Control.

Restrict Device Accessibility
Users have repeatedly been caught unawares by attacks against features they had not protected because they did not know that those features were enabled. Unused services tend to be left with default configurations which are not always secure. These services may also be using default passwords. Some services can give an attacker easy access to information on what the server is running or how the network is set up. The following sections describe how NFVIS avoids such security risks:

Attack vector reduction
Any piece of software can potentially contain security vulnerabilities. More software means more avenues for attack. Even if there are no publicly known vulnerabilities at the time of inclusion, vulnerabilities will probably be discovered or disclosed in the future. To avoid such scenarios, only those software packages which are essential for the NFVIS functionality are installed. This helps to limit software vulnerabilities, reduce resource consumption, and reduce extra work when problems are found with those packages. All third-party software included in NFVIS is registered at a central database in Cisco so that Cisco is able to perform a company-level organized response (Legal, Security, etc.). Software packages are periodically patched in every release for known Common Vulnerabilities and Exposures (CVEs).

Enabling only essential ports by default

Only those services which are absolutely necessary to set up and manage NFVIS are available by default. This removes the user effort required to configure firewalls and deny access to unnecessary services. The only services that are enabled by default are listed below along with the ports they open.

Open Port | Service | Description
22/TCP | SSH | Secure Socket Shell for remote command-line access to NFVIS
80/TCP | HTTP | Hypertext Transfer Protocol for the NFVIS portal access. All HTTP traffic received by NFVIS is redirected to port 443 for HTTPS
443/TCP | HTTPS | Hypertext Transfer Protocol Secure for secure NFVIS portal access
830/TCP | NETCONF-ssh | Port opened for Network Configuration Protocol (NETCONF) over SSH. NETCONF is a protocol used for automated configuration of NFVIS and for receiving asynchronous event notifications from NFVIS.
161/UDP | SNMP | Simple Network Management Protocol (SNMP). Used by NFVIS to communicate with remote network-monitoring applications. For more information see, Introduction about SNMP

Restrict Access To Authorized Networks For Authorized Services

Only authorized originators should be permitted to even attempt device management access, and access should be only to the services they are authorized to use. NFVIS can be configured such that access is restricted to known, trusted sources and expected management traffic profiles. This reduces the risk of unauthorized access and the exposure to other attacks, such as brute force, dictionary, or DoS attacks.
To protect the NFVIS management interfaces from unnecessary and potentially harmful traffic, an admin user can create Access Control Lists (ACLs) for the network traffic that is received. These ACLs specify the source IP addresses/networks from which the traffic originates, and the type of traffic that is permitted or rejected from these sources. These IP traffic filters are applied to each management interface on NFVIS. The following parameters are configured in an IP receive Access Control List (ip-receive-acl):

Parameter | Value | Description
Source network/Netmask | Network/netmask. For example: 0.0.0.0/0, 172.39.162.0/24 | This field specifies the IP address/network from which the traffic originates.
Service | https, icmp, netconf, scpd, snmp, ssh | Type of traffic from the specified source.
Action | accept, drop, reject | Action to be taken on the traffic from the source network. With accept, new connection attempts will be granted. With reject, connection attempts will not be accepted. If the rule is for a TCP-based service such as HTTPS, NETCONF, SCP, SSH, the source will get a TCP reset (RST) packet. For non-TCP rules such as SNMP and ICMP, the packet will be dropped. With drop, all packets will be dropped immediately, and no information is sent to the source.
Priority | A numeric value | The priority is used to enforce an order on the rules. Rules with a higher numeric value for priority will be added further down in the chain. If you want to make sure that a rule will be added after another one, use a low priority number for the first and a higher priority number for the following.

The following sample configurations illustrate some scenarios that can be adapted to specific use-cases.
Configuring the IP Receive ACL
The more restrictive an ACL, the more limited the exposure to unauthorized access attempts. However, a more restrictive ACL can create management overhead, and can impact accessibility for troubleshooting. Consequently, there is a balance to be considered. One compromise is to restrict access to internal corporate IP addresses only. Each customer must evaluate the use of ACLs in relation to their own security policy, risks, exposure, and acceptance thereof.
Reject ssh traffic from a subnet:

nfvis(config)# system settings ip-receive-acl 171.70.63.0/24 service ssh action reject priority 1

Removing ACLs:
When an entry is deleted from ip-receive-acl, all configurations for that source are deleted, since the source IP address is the key. To delete just one service, configure the other services again.

nfvis(config)# no system settings ip-receive-acl 171.70.63.0/24
For more information see, Configuring the IP Receive ACL
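The accept/reject/drop semantics and priority ordering described above, modelled as an added example (this is not NFVIS code). It assumes the first matching rule in the priority-ordered chain decides; the 171.70.0.0/16, 0.0.0.0/0 and 171.70.10.0/24 rules are constructed samples, and only the 171.70.63.0/24 rule comes from the page. It also reports rules that an earlier, broader rule makes unreachable.

```python
import ipaddress
from dataclasses import dataclass

# Services and actions taken from the ip-receive-acl parameter table.
TCP_SERVICES = frozenset({"https", "netconf", "scpd", "ssh"})
ALL_SERVICES = TCP_SERVICES | {"icmp", "snmp"}
ACTIONS = frozenset({"accept", "drop", "reject"})


@dataclass(frozen=True)
class AclRule:
    source: str          # network/netmask, e.g. "171.70.63.0/24"
    services: frozenset  # one or more of ALL_SERVICES
    action: str          # accept | drop | reject
    priority: int        # higher number = further down the chain

    def __post_init__(self):
        ipaddress.ip_network(self.source)  # ValueError if host bits are set
        if not self.services or not self.services <= ALL_SERVICES:
            raise ValueError(f"unknown service in {sorted(self.services)}")
        if self.action not in ACTIONS:
            raise ValueError(f"unknown action {self.action!r}")

    @property
    def network(self):
        return ipaddress.ip_network(self.source)


def chain(rules):
    """Order rules as the page describes: lower priority number first."""
    return sorted(rules, key=lambda rule: rule.priority)


def evaluate(rules, src_ip, service):
    """Return what the source observes: accepted, tcp-rst, dropped or no-match.

    Assumption (not stated on the page): the first matching rule wins.
    """
    addr = ipaddress.ip_address(src_ip)
    for rule in chain(rules):
        if addr in rule.network and service in rule.services:
            if rule.action == "accept":
                return "accepted"
            # reject answers TCP services with a RST; non-TCP packets are
            # dropped. drop is always silent.
            if rule.action == "reject" and service in TCP_SERVICES:
                return "tcp-rst"
            return "dropped"
    return "no-match"


def shadowed(rules):
    """Find rules that can never match because an earlier rule covers them."""
    ordered = chain(rules)
    hits = []
    for index, later in enumerate(ordered):
        for earlier in ordered[:index]:
            if (later.network.subnet_of(earlier.network)
                    and later.services <= earlier.services):
                hits.append((later, earlier))
                break
    return hits


# Constructed sample rule set; only the first rule appears on the page.
RULES = [
    AclRule("171.70.63.0/24", frozenset({"ssh"}), "reject", 1),
    AclRule("171.70.0.0/16", frozenset({"ssh", "https"}), "accept", 2),
    AclRule("0.0.0.0/0", frozenset({"snmp", "icmp"}), "reject", 5),
    AclRule("171.70.10.0/24", frozenset({"https"}), "drop", 9),
]

if __name__ == "__main__":
    for ip, svc in [("171.70.63.7", "ssh"), ("171.70.10.4", "https"),
                    ("203.0.113.9", "snmp"), ("203.0.113.9", "ssh")]:
        print(f"{ip:>14} {svc:<6} -> {evaluate(RULES, ip, svc)}")
    for later, earlier in shadowed(RULES):
        print(f"priority {later.priority} is shadowed by priority {earlier.priority}")
```
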
Privileged Debug Access
The super-user account on NFVIS is disabled by default, to prevent all unrestricted, potentially adverse, system-wide changes, and NFVIS does not expose the system shell to the user.
However, for some hard-to-debug issues on the NFVIS system, the Cisco Technical Assistance Center team (TAC) or development team may require shell access to the customer's NFVIS. NFVIS has a secure unlock infrastructure to ensure that privileged debug access to a device in the field is restricted to authorized Cisco employees. To securely access the Linux shell for this kind of interactive debugging, a challenge-response authentication mechanism is used between NFVIS and the Interactive debugging server maintained by Cisco. The admin user's password is also required in addition to the challenge-response entry, to ensure that the device is accessed with the customer's consent.
Steps to access the shell for Interactive Debugging:
1. An admin user initiates this procedure using this hidden command.

nfvis# system shell-access


2. The screen will show a challenge string, for example:
Challenge String (Please copy everything between the asterisk lines exclusively):
********************************************************************************
SPH//wkAAABORlZJU0VOQ1M1NDA4L0s5AQAAABt+dcx+hB0V06r9RkdMMjEzNTgw
RlHq7BxeAAA=
DONE.
********************************************************************************
3. The Cisco member enters the Challenge string on an Interactive Debug server maintained by Cisco. This server verifies that the Cisco user is authorized to debug NFVIS using the shell, and then returns a response string.
4. Enter the response string on the screen below this prompt: Input your response when ready:
5. When prompted, the customer should enter the admin password.
6. You get shell-access if the password is valid.
7. The development or TAC team uses the shell to proceed with the debugging.
8. To exit shell-access type Exit.
Secure Interfaces
NFVIS management access is allowed using the interfaces shown in the diagram. The following sections describe security best practices for these interfaces to NFVIS.

Console

The console port is an asynchronous serial port that allows you to connect to the NFVIS CLI for initial configuration. A user can access the console with either physical access to the NFVIS or remote access through the use of a terminal server. If console port access is required via a terminal server, configure access lists on the terminal server to allow access only from the required source addresses.

SSH

Users can access the NFVIS CLI by using SSH as a secure means of remote login. The integrity and confidentiality of NFVIS management traffic is essential to the security of the administered network, since administration protocols frequently carry information that could be used to penetrate or disrupt the network.


NFVIS uses SSH version 2, which is Cisco's and the Internet's de facto standard protocol for interactive logins and supports strong encryption, hash, and key exchange algorithms recommended by the Security and Trust Organization within Cisco.

CLI Session timeout
By logging in via SSH, a user establishes a session with NFVIS. While the user is logged in, if the user leaves the logged-in session unattended, this can expose the network to a security risk. Session security limits the risk of internal attacks, such as one user trying to use another user's session.
To mitigate this risk, NFVIS times out CLI sessions after 15 minutes of inactivity. When the session timeout is reached, the user is logged out.

NETCONF

The Network Configuration Protocol (NETCONF) is a Network Management protocol developed and standardized by the IETF for the automated configuration of network devices.
The NETCONF protocol uses an Extensible Markup Language (XML) based data encoding for the configuration data as well as the protocol messages. The protocol messages are exchanged on top of a secure transport protocol.
NETCONF allows NFVIS to expose an XML-based API that the network operator can use to set and get configuration data and event notifications securely over SSH.
For more information see, NETCONF Event Notifications.

REST API

NFVIS can be configured using the RESTful API over HTTPS. The REST API allows requesting systems to access and manipulate the NFVIS configuration by using a uniform and predefined set of stateless operations. Details on all the REST APIs can be found in the NFVIS API Reference guide.
When the user issues a REST API, a session is established with NFVIS. To limit risks related to denial of service attacks, NFVIS limits the total number of concurrent REST sessions to 100.

NFVIS Web Portal
The NFVIS portal is a web-based Graphical User Interface that displays information about NFVIS. The portal gives the user an easy way to configure and monitor NFVIS over HTTPS without having to know the NFVIS CLI and API.

Session Management
The stateless nature of HTTP and HTTPS requires a method of uniquely tracking users through the use of unique session IDs and cookies.
NFVIS encrypts the user's session. The AES-256-CBC cipher is used to encrypt the session contents, with an HMAC-SHA-256 authentication tag. A random 128-bit Initialization Vector is generated for each encryption operation.
An Audit record is started when a portal session is created. Session information is deleted when the user logs out or when the session times out.
The default idle timeout for portal sessions is 15 minutes. However, this can be configured for the current session to a value between 15 and 5 minutes on the Settings page. Auto-logout will be initiated after this period. Multiple sessions are not allowed in a single browser. The maximum number of concurrent sessions is set to 30. The NFVIS portal uses cookies to associate data with the user. It uses the following cookie properties for enhanced security:
· ephemeral to ensure the cookie expires when the browser is closed
· httpOnly to make the cookie inaccessible from JavaScript
· secureProxy to ensure the cookie can only be sent over SSL.
Even after authentication, attacks such as Cross-Site Request Forgery (CSRF) are possible. In this scenario, an end user might inadvertently execute unwanted actions on a web application in which they are currently authenticated. To prevent this, NFVIS uses CSRF tokens to validate every REST API that is invoked during each session.
URL Redirection
In typical web servers, when a page is not found on the web server, the user gets a 404 message; for pages that exist, they get a login page. The security impact of this is that an attacker can perform a brute force scan and easily detect which pages and folders exist. To prevent this on NFVIS, all non-existent URLs prefixed with the device IP are redirected to the portal login page with a 301 status response code. This means that regardless of the URL requested by an attacker, they will always get the login page to authenticate themselves. All HTTP server requests are redirected to HTTPS and have the following headers configured:
· X-Content-Type-Options
· X-XSS-Protection
· Content-Security-Policy
· X-Frame-Options
· Strict-Transport-Security
· Cache-Control
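A check an operator could run against a captured response for a non-existent URL, given here as an added example (not Cisco code): it confirms the 301 redirect to an HTTPS login page and the presence of the six headers listed above. The login path `/login`, the host name and both sample responses are constructed assumptions; the page lists header names only, so values are not checked.

```python
from email.parser import Parser
from urllib.parse import urlsplit

# Header names exactly as listed in the URL Redirection section.
REQUIRED_HEADERS = (
    "X-Content-Type-Options",
    "X-XSS-Protection",
    "Content-Security-Policy",
    "X-Frame-Options",
    "Strict-Transport-Security",
    "Cache-Control",
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status code, header mapping)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    # email.parser gives case-insensitive header lookup, as HTTP requires.
    headers = Parser().parsestr(header_block, headersonly=True)
    return int(parts[1]), headers


def audit_unknown_url_response(raw, login_path="/login"):
    """Return findings for a response to a URL that does not exist.

    login_path is a hypothetical value; set it to the portal's real login path.
    """
    status, headers = parse_response(raw)
    findings = []
    if status != 301:
        findings.append(f"status {status}, expected 301 redirect")
    target = urlsplit(headers.get("Location", ""))
    if target.scheme != "https":
        findings.append("redirect target is not HTTPS")
    if target.path != login_path:
        findings.append(f"redirect target is not the login page: {target.path!r}")
    findings += [f"missing header: {name}"
                 for name in REQUIRED_HEADERS if name not in headers]
    return findings


# Constructed sample responses (header values are illustrative only).
GOOD = "\r\n".join([
    "HTTP/1.1 301 Moved Permanently",
    "Location: https://nfvis.example/login",
    "x-content-type-options: nosniff",
    "X-XSS-Protection: 1; mode=block",
    "Content-Security-Policy: default-src 'self'",
    "X-Frame-Options: DENY",
    "Strict-Transport-Security: max-age=31536000",
    "Cache-Control: no-store",
    "", "",
])
BAD = "\r\n".join([
    "HTTP/1.1 404 Not Found",
    "Content-Type: text/html",
    "X-Content-Type-Options: nosniff",
    "Cache-Control: no-store",
    "",
    "<html>not found</html>",
])

if __name__ == "__main__":
    for label, raw in (("good", GOOD), ("bad", BAD)):
        print(label, audit_unknown_url_response(raw) or "ok")
```
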
Disabling the Portal
NFVIS portal access is enabled by default. If you are not planning to use the portal, it is recommended to disable portal access using this command:
Configure terminal
System portal access disabled
commit

HTTPS

All HTTPS data to and from NFVIS uses Transport Layer Security (TLS) to communicate across the network. TLS is the successor to Secure Socket Layer (SSL).

The TLS handshake involves authentication during which the client verifies the server's SSL certificate with the certificate authority that issued it. This confirms that the server is who it says it is, and that the client is interacting with the owner of the domain. By default, NFVIS uses a self-signed certificate to prove its identity to its clients. This certificate has a 2048-bit public key to increase the security of the TLS encryption, since the encryption strength is directly related to the key size.
Certificate Management
NFVIS generates a self-signed SSL certificate when first installed. It is a security best practice to replace this certificate with a valid certificate signed by a compliant Certificate Authority (CA). Use the following steps to replace the default self-signed certificate:
1. Generate a Certificate Signing Request (CSR) on NFVIS.
A Certificate Signing Request (CSR) is a file with a block of encoded text that is given to a Certificate Authority when applying for an SSL Certificate. This file contains information that should be included in the certificate such as the organization name, common name (domain name), locality, and country. The file also contains the public key that should be included in the certificate. NFVIS uses a 2048-bit public key since encryption strength is higher with a higher key size. To generate a CSR on NFVIS, run the following command:
nfvis# system certificate signing-request [common-name country-code locality organization organization-unit-name state]
The CSR file is saved as /data/intdatastore/download/nfvis.csr.
2. Get an SSL certificate from a CA using the CSR. From an external host, use the scp command to download the Certificate Signing Request.
[myhost:/tmp] > scp -P 22222 admin@ :/data/intdatastore/download/nfvis.csrfile-zita>
Contact a Certificate Authority to issue a new SSL server certificate using this CSR.
3. Install the CA Signed Certificate.
From an external server, use the scp command to upload the certificate file into NFVIS to the data/intdatastore/uploads/ directory.
[myhost:/tmp] > scp -P 22222 file> admin@ :/data/intdatastore/uploads
Install the certificate in NFVIS using the following command.
nfvis# system certificate install-cert path file:///data/intdatastore/uploads/<certificate file>
4. Switch to using the CA Signed Certificate. Use the following command to start using the CA signed certificate instead of the default self-signed certificate.


nfvis(config)# system certificate use-cert cert-type ca-signed

SNMP Access

Simple Network Management Protocol (SNMP) is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks, and for modifying that information to change device behavior.
Three significant versions of SNMP have been developed. NFVIS supports SNMP version 1, version 2c and version 3. SNMP versions 1 and 2 use community strings for authentication, and these are sent in plain text. So, it is a security best practice to use SNMP v3 instead.
SNMPv3 provides secure access to devices by using three aspects: users, authentication, and encryption. SNMPv3 uses the USM (User-based Security Module) for controlling access to information available via SNMP. The SNMP v3 user is configured with an authentication type, a privacy type and a passphrase. All users sharing a group use the same SNMP version; however, the specific security level settings (password, encryption type, etc.) are specified per user.
The following table summarizes the security options within SNMP:

| Model | Level | Authentication | Encryption | Outcome |
|---|---|---|---|---|
| v1 | noAuthNoPriv | Community String | No | Uses a community string match for authentication. |
| v2c | noAuthNoPriv | Community String | No | Uses a community string match for authentication. |
| v3 | noAuthNoPriv | Username | No | Uses a username match for authentication. |
| v3 | authNoPriv | Message Digest 5 (MD5) or Secure Hash Algorithm (SHA) | No | Provides authentication based on the HMAC-MD5-96 or HMAC-SHA-96 algorithms. |
| v3 | authPriv | MD5 or SHA | Data Encryption Standard (DES) or Advanced Encryption Standard (AES) | Provides authentication based on the HMAC-MD5-96 or HMAC-SHA-96 algorithms. Provides the DES Cipher algorithm in Cipher Block Chaining Mode (CBC-DES) or the AES encryption algorithm used in Cipher FeedBack Mode (CFB), with a 128-bit key size (CFB128-AES-128). |

Since its adoption by NIST, AES has become the dominant encryption algorithm throughout the industry. To follow the industry's migration away from MD5 and toward SHA, it is a security best practice to configure the SNMP v3 authentication protocol as SHA and the privacy protocol as AES.
For more details on SNMP see, Introduction about SNMP

Legal Notification Banners
It is recommended that a legal notification banner is present on all interactive sessions to ensure that users are notified of the security policy being enforced and to which they are subject. In some jurisdictions, prosecution of an attacker who breaks into a system is easier, or even required, if a legal notification banner is presented, informing unauthorized users that their use is not authorized. In some jurisdictions, it may also be forbidden to monitor the activity of an unauthorized user unless they have been notified of the intent to do so.
Legal notification requirements are complex and vary in each jurisdiction and situation. Even within jurisdictions, legal opinions vary. Discuss this issue with your own legal counsel to ensure that the notification banner meets company, local, and international legal requirements. This is often critical to securing appropriate action in the event of a security breach. In cooperation with the company legal counsel, statements which may be included in a legal notification banner include:
· Notification that system access and use is permitted only by authorized personnel, and perhaps information about who may authorize use.
· Notification that unauthorized access and use of the system is unlawful, and may be subject to civil and/or criminal penalties.
· Notification that access and use of the system may be logged or monitored without further notice, and the resulting logs may be used as evidence in court.
· Additional notices required by local laws.


From a security rather than a legal point of view, a legal notification banner should not contain any specific information about the device, such as its name, model, software, location, operator or owner, because this kind of information may be useful to an attacker.
The following is a sample legal notification banner which can be displayed before login:
UNAUTHORIZED ACCESS TO THIS DEVICE IS PROHIBITED
You must have explicit, authorized permission to access or configure this device. Unauthorized attempts and actions to access or use this system may result in civil and/or criminal penalties. All activities performed on this device are logged and monitored

Note Present a legal notification banner approved by company legal counsel.
NFVIS allows the configuration of a banner and Message of the Day (MOTD). The banner is displayed before the user logs in. Once the user logs in to NFVIS, a system-defined banner provides Copyright information about NFVIS, and the message-of-the-day (MOTD), if configured, will appear, followed by the command line prompt or portal view, depending on the login method.
It is recommended that a login banner is implemented to ensure that a legal notification banner is presented on all device management access sessions before a login prompt is presented. Use this command to configure the banner and MOTD.
nfvis(config)# banner-motd banner motd
For more information about the banner command, see Configure Banner, Message of the day and System Time.

Factory Default Reset
Factory Reset removes all the customer-specific data that has been added to the device since the time of its shipping. The data erased includes configurations, log files, VM images, connectivity information, and user login credentials.
It provides one command to reset the device to factory-original settings, and is useful in the following scenarios:
· Return Material Authorization (RMA) for a device: If you have to return a device to Cisco for RMA, use Factory Default reset to remove all the customer-specific data.
· Recovering a compromised device: If the key material or credentials stored on a device are compromised, reset the device to factory configuration and then reconfigure the device.
· If the same device needs to be re-used at a different site with a new configuration, perform a Factory Default reset to remove the existing configuration and bring it to a clean state.

NFVIS provides the following options within Factory default reset:

| Factory Reset Option | Data Erased | Data Retained |
|---|---|---|
| all | All configuration, uploaded image files, VMs and logs. Connectivity to the device will be lost. | The admin account is retained and the password will be changed to the factory default password. |
| all-except-images | All configuration except image configuration, VMs, and uploaded image files. Connectivity to the device will be lost. | Image configuration, registered images and logs. The admin account is retained and the password will be changed to the factory default password. |
| all-except-images-connectivity | All configuration except image, network and connectivity configuration, VMs, and uploaded image files. Connectivity to the device is available. | Images, network and connectivity related configuration, registered images, and logs. The admin account is retained and the previously configured admin password will be preserved. |
| manufacturing | All configuration except image configuration, VMs, uploaded image files, and logs. Connectivity to the device will be lost. | Image related configuration and registered images. The admin account is retained and the password will be changed to the factory default password. |

The user must choose the appropriate option carefully based on the purpose of the Factory Default reset. For more information, see Resetting to Factory Default.

Infrastructure Management Network
An infrastructure management network refers to the network carrying the control and management plane traffic (such as NTP, SSH, SNMP, syslog, etc.) for the infrastructure devices. Device access can be through the console, as well as through the Ethernet interfaces. This control and management plane traffic is critical to network operations, providing visibility into and control over the network. Consequently, a well-designed and secure infrastructure management network is critical to the overall security and operations of a network. One of the key recommendations for a secure infrastructure management network is the separation of management and data traffic in order to ensure remote manageability even under high load and high traffic conditions. This can be achieved using a dedicated management interface.
The following are the Infrastructure management network implementation approaches:
Out-of-band Management
An Out-of-band Management (OOB) management network consists of a network which is completely independent and physically separate from the data network that it helps to manage. This is also sometimes referred to as a Data Communications Network (DCN). Network devices can connect to the OOB network in different ways: NFVIS supports a built-in management interface that can be used to connect to the OOB network. NFVIS allows the configuration of a predefined physical interface, the MGMT port on the ENCS, as a dedicated management interface. Restricting management packets to designated interfaces provides greater control over the management of a device, thereby providing more security for that device. Other benefits include improved performance for data packets on non-management interfaces, support for network scalability, need for fewer access control lists (ACLs) to restrict access to a device, and prevention of management packet floods from reaching the CPU. Network devices can also connect to the OOB network via dedicated data interfaces. In this case, ACLs should be deployed to ensure that management traffic is only handled by the dedicated interfaces. For further information, see Configuring the IP Receive ACL and Port 22222 and Management Interface ACL.
Pseudo out-of-band Management
A pseudo out-of-band management network uses the same physical infrastructure as the data network but provides logical separation through the virtual separation of traffic, by using VLANs. NFVIS supports creating VLANs and virtual bridges to help identify different sources of traffic and separate traffic between VMs. Having separate bridges and VLANs isolates the virtual machine network's data traffic and the management network, thus providing traffic segmentation between the VMs and the host. For further information see Configuring VLAN for NFVIS Management Traffic.
In-band Management
An in-band management network uses the same physical and logical paths as the data traffic. Ultimately, this network design requires a per-customer analysis of risk versus benefits and costs. Some general considerations include:
· An isolated OOB management network maximizes visibility and control over the network even during disruptive events.
· Transmitting network telemetry over an OOB network minimizes the chance of disruption of the very information which provides critical network visibility.
· In-band management access to network infrastructure, hosts, etc. is vulnerable to complete loss in the event of a network incident, removing all network visibility. Appropriate QoS controls should be put in place to mitigate this occurrence.
· NFVIS features interfaces which are dedicated to device management, including serial console ports and Ethernet management interfaces.
· An OOB management network can be deployed at a reasonable cost, since management network traffic does not typically demand high bandwidth or high performance devices, and only requires port density sufficient to support the connectivity to each device.
Locally Stored Information Protection
Protecting Sensitive Information
NFVIS stores some sensitive information locally, including passwords and secrets. Passwords should generally be maintained and controlled by a centralized AAA server. However, even if a centralized AAA server is deployed, some locally stored passwords are required for certain cases such as local fallback when AAA servers are not available, special-use usernames, etc. This information is stored on NFVIS as hashes so that it is not possible to recover the original credentials from the system. Hashing is a widely accepted industry norm.

File Transfer
Files which may need to be transferred to NFVIS devices include VM images and NFVIS upgrade files. The secure transfer of files is critical for network infrastructure security. NFVIS supports Secure Copy (SCP) to ensure the security of file transfer. SCP relies on SSH for secure authentication and transport, enabling the secure and authenticated copying of files.
A secure copy from NFVIS is initiated through the scp command. The secure copy (scp) command allows only the admin user to securely copy files from NFVIS to an external system, or from an external system to NFVIS.
The syntax for the scp command is:
scp
We use port 22222 for the NFVIS SCP server. By default, this port is closed and users cannot secure copy files into NFVIS from an external client. If there is a need to SCP a file from an external client, the user can open the port using:
system settings ip-receive-acl (address)/(mask length) service scpd priority (number) action accept
commit
To prevent users from accessing system directories, secure copy can be performed only to or from intdatastore:, extdatastore1:, extdatastore2:, usb: and nfs:, if available. Secure copy can also be performed from logs: and techsupport:

Logging

NFVIS access and configuration changes are logged as Audit logs to record the following information:
· Who accessed the device
· When a user logged in
· What a user did in terms of host configuration and VM lifecycle
· Log off
· Failed access attempts
· Failed requests
This information is invaluable for forensic analysis in case of unauthorized attempts or access, as well as for configuration change issues and to help plan group administration changes. It may also be used in real time to identify anomalous activities which may indicate that an attack is taking place. This analysis can be correlated with information from additional external sources, such as IDS and firewall logs.


All the key events on NFVIS are sent as event notifications to NETCONF subscribers and as syslogs to the configured central logging servers. For more information on syslog messages and event notifications, see Appendix.
Virtual Machine Security
This section describes security features related to the registration, deployment and operation of Virtual Machines on NFVIS.
VNF secure boot
NFVIS supports Open Virtual Machine Firmware (OVMF) to enable UEFI secure boot for Virtual Machines which support secure boot. VNF Secure boot verifies that each layer of the VM boot software is signed, including the bootloader, the operating system kernel, and operating system drivers.

For more information see, Secure Boot of VNFs.
VNC Console Access Protection
NFVIS allows the user to create a Virtual Network Computing (VNC) session to access a deployed VM's remote desktop. To enable this, NFVIS opens a port to which the user can connect using their web browser. This port is only left open for 60 seconds for an external server to start a session to the VM. If no activity is seen within this time, the port is closed. The port number is assigned dynamically and thereby allows only one-time access to the VNC console.
nfvis# vncconsole start deployment-name 1510614035 vm-name ROUTER
vncconsole-url :6005/vnc_auto.html
Pointing your browser to https:// :6005/vnc_auto.html will connect to the ROUTER VM's VNC console.

Encrypted VM config data variables
During VM deployment, the user provides a day-0 configuration file for the VM. This file can contain sensitive information such as passwords and keys. If this information is passed as clear text, it appears in log files and internal database records in clear text. This feature allows the user to flag a config data variable as sensitive so that its value is encrypted using AES-CFB-128 encryption before it is stored or passed to internal subsystems.
For more information see, VM Deployment Parameters.
Checksum verification for Remote Image Registration
To register a remotely located VNF image, the user specifies its location. The image will need to be downloaded from an external source, such as an NFS server or a remote HTTPS server.
To know whether a downloaded file is safe to install, it is essential to compare the file's checksum before using it. Verifying the checksum helps ensure that the file was not corrupted during network transmission, or modified by a malicious third party before you downloaded it.
NFVIS supports the checksum and checksum_algorithm options for the user to provide the expected checksum and checksum algorithm (SHA256 or SHA512) to be used to verify the checksum of the downloaded image. Image creation fails if the checksum does not match.
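The same check can be run on the staging host before an image is ever offered for registration. This added example (not NFVIS code) streams the file, accepts only the two algorithms the page names, and rejects a malformed expected value instead of comparing against it; the file name and image bytes are constructed.

```python
import hashlib
import hmac
import os
import string
import tempfile

# Only the algorithms the page lists for checksum_algorithm.
ALGORITHMS = {"SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def verify_image(path, expected_checksum, checksum_algorithm, chunk_size=1 << 20):
    """Return True only if the file's digest equals the expected checksum."""
    try:
        digest = ALGORITHMS[checksum_algorithm.upper()]()
    except KeyError:
        raise ValueError(
            f"unsupported checksum algorithm: {checksum_algorithm}") from None
    expected = expected_checksum.strip().lower()
    # A truncated or non-hex value is an input error, not a mismatch.
    if len(expected) != digest.digest_size * 2 or set(expected) - set(string.hexdigits):
        raise ValueError("expected checksum is not a valid digest for this algorithm")
    # Stream in chunks so multi-gigabyte images are not read into memory.
    with open(path, "rb") as image:
        for chunk in iter(lambda: image.read(chunk_size), b""):
            digest.update(chunk)
    return hmac.compare_digest(digest.hexdigest(), expected)


def selfcheck():
    """Exercise verify_image on a constructed file and return the outcomes."""
    payload = b"constructed VNF image bytes " * 4096
    good256 = hashlib.sha256(payload).hexdigest()
    good512 = hashlib.sha512(payload).hexdigest().upper()  # case is normalised
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "vnf.qcow2")
        with open(path, "wb") as handle:
            handle.write(payload)
        results["match"] = verify_image(path, good256, "SHA256", chunk_size=4096)
        results["sha512"] = verify_image(path, good512, "sha512")
        with open(path, "ab") as handle:  # simulate modification in transit
            handle.write(b"\x00")
        results["tampered"] = verify_image(path, good256, "SHA256")
        bad_inputs = {"md5": ("0" * 32, "MD5"), "truncated": (good256[:32], "SHA256")}
        for label, (value, algorithm) in bad_inputs.items():
            try:
                verify_image(path, value, algorithm)
                results[label] = "accepted"
            except ValueError:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    print(selfcheck())
```
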
Certification Validation for Remote Image Registration
To register a VNF image located on an HTTPS server, the image will need to be downloaded from the remote HTTPS server. To download this image securely, NFVIS verifies the SSL certificate of the server. The user needs to specify either the path to the certificate file or the PEM format certificate contents to enable this secure download.
More details can be found at Section on certificate validation for image registration
VM Isolation and Resource provisioning
The Network Function Virtualization (NFV) architecture consists of:
· Virtualized network functions (VNFs), which are Virtual Machines running software applications that deliver network functionality such as a router, firewall, load balancer, and so on.
· Network functions virtualization infrastructure, which consists of the infrastructure components (compute, memory, storage, and networking) on a platform that supports the required software and hypervisor.
With NFV, network functions are virtualized so that multiple functions can be run on a single server. As a result, less physical hardware is needed, allowing for resource consolidation. In this environment, it is essential to simulate dedicated resources for multiple VNFs from a single, physical hardware system. Using NFVIS, VMs can be deployed in a controlled manner such that each VM receives the resources it needs. Resources are partitioned as needed from the physical environment to the many virtual environments. The individual VM domains are isolated so they are separate, distinct, and secure environments, which are not contending with each other for shared resources.
VMs cannot use more resources than provisioned. This avoids a Denial of Service condition from one VM consuming the resources. As a result, CPU, memory, network and storage are protected.

CPU Isolation

The NFVIS system reserves cores for the infrastructure software running on the host. The rest of the cores are available for VM deployment. This guarantees that VM performance does not affect the NFVIS host performance.
Low-latency VMs
NFVIS explicitly assigns dedicated cores to the low-latency VMs deployed on it. If the VM requires 2 vCPUs, it is assigned 2 dedicated cores. This prevents sharing and oversubscription of cores and guarantees the performance of the low-latency VMs. If the number of available cores is less than the number of vCPUs requested by another low-latency VM, the deployment is prevented because there are not sufficient resources.
Non low-latency VMs
NFVIS assigns shareable CPUs to non low-latency VMs. If the VM requires 2 vCPUs, it is assigned 2 CPUs. These 2 CPUs are shared among the other non low-latency VMs. If the number of available CPUs is less than the number of vCPUs requested by another non low-latency VM, the deployment is still allowed because this VM will share the CPUs with the existing non low-latency VMs.
Memory Allocation
The NFVIS infrastructure requires a certain amount of memory. When a VM is deployed, there is a check to ensure that the memory available, after reserving the memory required for the infrastructure and the previously deployed VMs, is sufficient for the new VM. Memory oversubscription is not allowed for the VMs.
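The admission rules from the CPU Isolation and Memory Allocation sections, modelled as an added example. This is not NFVIS code: the Host class, its field names, the core numbering and the rejection of an empty shared pool are assumptions made here.

```python
from dataclasses import dataclass, field

@dataclass
class Host:
    """Toy model of the deployment checks described above."""
    cores: int          # physical cores on the host
    infra_cores: int    # cores reserved for the infrastructure software
    mem_mb: int         # physical memory
    infra_mem_mb: int   # memory reserved for the infrastructure
    pinned: dict = field(default_factory=dict)  # VM name -> dedicated core ids
    vm_mem: dict = field(default_factory=dict)  # VM name -> memory in MB

    def free_cores(self):
        taken = {c for ids in self.pinned.values() for c in ids}
        # Cores 0..infra_cores-1 stay with the host and are never offered to VMs.
        return [c for c in range(self.infra_cores, self.cores) if c not in taken]

    def deploy(self, name, vcpus, mem_mb, low_latency):
        """Return the core ids the VM may run on, or raise ValueError."""
        free_mem = self.mem_mb - self.infra_mem_mb - sum(self.vm_mem.values())
        if mem_mb > free_mem:
            # No memory oversubscription, for either class of VM.
            raise ValueError(f"{name}: needs {mem_mb} MB, only {free_mem} MB free")
        free = self.free_cores()
        if low_latency:
            if vcpus > len(free):
                # Dedicated cores are never shared, so the request is refused.
                raise ValueError(f"{name}: needs {vcpus} cores, {len(free)} free")
            cores = free[:vcpus]
            self.pinned[name] = cores
        else:
            # Shared pool: admitted even when vcpus > len(free).
            if not free:  # assumption: the page does not cover an empty pool
                raise ValueError(f"{name}: no shareable cores left")
            cores = free  # snapshot; shrinks if cores are pinned later
        self.vm_mem[name] = mem_mb
        return cores
```

The asymmetry is the point: a low-latency request that does not fit fails at deployment time, while a non low-latency request is accepted and pays for contention at run time.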

Storage Isolation
VMs are not allowed to directly access the host file system and storage.
The ENCS platform supports an internal datastore (M2 SSD) and external disks. NFVIS is installed on the internal datastore. VNFs can also be deployed on this internal datastore. It is a security best practice to store customer data and deploy customer application Virtual Machines on the external disks. Having physically separate disks for the system files and the application files helps to protect system data from corruption and security issues.
Interface Isolation
Single Root I/O Virtualization (SR-IOV) is a specification that allows the isolation of PCI Express (PCIe) resources such as an Ethernet port. Using SR-IOV, a single Ethernet port can be made to appear as multiple, separate, physical devices known as Virtual Functions. All of the VF devices on that adapter share the same physical network port. A guest can use one or more of these Virtual Functions. A Virtual Function appears to the guest as a network card, in the same way that a normal network card would appear to an operating system. Virtual Functions have near-native performance and perform better than para-virtualized drivers and emulated access. Virtual Functions provide data protection between guests on the same physical server because the data is managed and controlled by the hardware. NFVIS VNFs can use SR-IOV networks to connect to WAN and LAN Backplane ports.
Each such VM owns a virtual interface and its related resources, which achieves data protection among VMs.
Secure Development Lifecycle
NFVIS follows a Secure Development Lifecycle (SDL) for software. This is a repeatable, measurable process designed to reduce vulnerabilities and enhance the security and resilience of Cisco solutions. Cisco SDL applies industry-leading practices and technology to build trustworthy solutions that have fewer field-discovered product security incidents. Every NFVIS release goes through the following processes.
· Following Cisco-internal and market-based Product Security Requirements
· Registering 3rd party software with a central repository at Cisco for vulnerability tracking
· Periodically patching software with known fixes for CVEs
· Designing software with security in mind
· Following secure coding practices such as using vetted common security modules like CiscoSSL, running Static Analysis, and implementing input validation to prevent command injection, etc.
· Using Application Security tools such as IBM AppScan, Nessus, and other Cisco internal tools

