Azure Stack Hub ruggedized network deployment

This topic covers access permissions to the TOR switches, IP address assignments, and other networking deployment tasks.

Plan configuration deployment

The next sections cover permissions and IP address assignments.

Physical switch access control list

To protect the Azure Stack solution, we have implemented access control lists (ACLs) on the TOR switches. This section describes how this security is implemented. The table below shows the sources and destinations of every network inside the Azure Stack solution:

A diagram of access control lists on the TOR switches

The table below correlates the ACL references with the Azure Stack networks.

| Network | Description |
|---|---|
| BMC Mgmt | Deployment VM, BMC interface, HLH server, NTP server and DNS server IPs are included as Permit, based on the protocol and port. |
| HLH Internal Accessible (PDU) | Traffic is limited to the BMC switch. |
| HLH External Accessible (OEM Tool VM) | The ACL permits access beyond the border device. |
| Switch Mgmt | Dedicated switch management interfaces. |
| Spine Mgmt | Dedicated spine management interfaces. |
| Azure Stack Infrastructure | Azure Stack infrastructure services and VMs; restricted network. |
| Azure Stack Infrastructure Public (PEP/ERCS) | Azure Stack Protected Endpoint, Emergency Recovery Console Server. |
| Tor1, Tor2 RouterIP | Loopback interface of the switch used for BGP peering between the SLB and the switch/router. |
| Storage | Private IPs not routed outside of the region. |
| Internal VIPs | Private IPs not routed outside of the region. |
| Public-VIPs | Tenant network address space managed by the network controller. |
| Public-Admin-VIPs | Small subset of addresses in the tenant pool that are required to talk to the Internal VIPs and the Azure Stack infrastructure. |
| Customer/Internet 0.0.0.0 | Customer-defined network. From the perspective of Azure Stack, 0.0.0.0 is the border device. |

The ACL values used in the diagram mean the following:

| Value | Meaning |
|---|---|
| Deny | The customer can update this field to permit additional networks, to enable management capabilities. |
| Permit | Permit traffic is enabled, but SSH access is disabled by default. The customer can choose to enable the SSH service. |
| No Route | Routes are not propagated outside of the Azure Stack environment. |
| MUX ACL | Azure Stack MUX ACLs are utilized. |
| N/A | Not a part of a VLAN ACL. |

IP address assignments

In the Deployment Worksheet, you are asked to provide the following network addresses to support the Azure Stack deployment process. The deployment team uses the Deployment Worksheet tool to break out the IP networks into all the smaller networks required by the system. Refer to the "NETWORK DESIGN AND INFRASTRUCTURE" section above for detailed descriptions of each network.

In this example, we will fill the Network Settings tab of the Deployment Worksheet with the following values:

  • BMC Network: 10.193.132.0/27

  • Private Network (Storage Network & Internal VIPs): 11.11.128.0/24

  • Infrastructure Network: 12.193.130.0/24

  • Public Virtual IP (VIP) Network: 13.200.132.0/24

  • Switch Infrastructure Network: 10.193.132.128/26

When you run the Generate function of the Deployment Worksheet tool, it creates two new tabs on the spreadsheet. The first tab is the Subnet Summary, and it shows how the supernets were split to create all the networks required by the system. The example below shows only a subset of the columns found on this tab; the actual result lists more details for each network:

| Rack | Subnet Type | Name | IPv4 Subnet | IPv4 Addresses |
|---|---|---|---|---|
| Border | P2P Link | P2P_Border/Border1_To_Rack1/TOR1 | 10.193.132.128/30 | 4 |
| Border | P2P Link | P2P_Border/Border1_To_Rack1/TOR2 | 10.193.132.132/30 | 4 |
| Border | P2P Link | P2P_Border/Border2_To_Rack1/TOR1 | 10.193.132.136/30 | 4 |
| Border | P2P Link | P2P_Border/Border2_To_Rack1/TOR2 | 10.193.132.140/30 | 4 |
| Border | P2P Link | P2P_Rack1/TOR1_To_Rack1/BMC | 10.193.132.144/30 | 4 |
| Border | P2P Link | P2P_Rack1/TOR2_To_Rack1/BMC | 10.193.132.148/30 | 4 |
| Rack1 | Loopback | Loopback0_Rack1_TOR1 | 10.193.132.152/32 | 1 |
| Rack1 | Loopback | Loopback0_Rack1_TOR2 | 10.193.132.153/32 | 1 |
| Rack1 | Loopback | Loopback0_Rack1_BMC | 10.193.132.154/32 | 1 |
| Rack1 | P2P Link | P2P_Rack1/TOR1-ibgp-1_To_Rack1/TOR2-ibgp-1 | 10.193.132.156/30 | 4 |
| Rack1 | P2P Link | P2P_Rack1/TOR1-ibgp-2_To_Rack1/TOR2-ibgp-2 | 10.193.132.160/30 | 4 |
| Rack1 | VLAN | BMCMgmt | 10.193.132.0/27 | 32 |
| Rack1 | VLAN | SwitchMgmt | 10.193.132.168/29 | 8 |
| Rack1 | VLAN | CL01-RG01-SU01-Storage | 11.11.128.0/25 | 128 |
| Rack1 | VLAN | CL01-RG01-SU01-Infra | 12.193.130.0/24 | 256 |
| Rack1 | Other | CL01-RG01-SU01-VIPS | 13.200.132.0/24 | 256 |
| Rack1 | Other | CL01-RG01-SU01-InternalVIPS | 11.11.128.128/25 | 128 |

The second tab is IP Address Usage, and it shows how the IPs are consumed:

BMC network

The supernet for the BMC network requires a /26 network at a minimum. The gateway uses the first IP in the network, followed by the BMC devices in the rack. The hardware lifecycle host has multiple addresses assigned on this network and can be used to deploy, monitor, and support the rack. These IPs are distributed into 3 groups: DVM, InternalAccessible and ExternalAccessible.

  • Rack: Rack1
  • Name: BMCMgmt

| Assigned To | IPv4 Address |
|---|---|
| Network | 10.193.132.0 |
| Gateway | 10.193.132.1 |
| HLH-BMC | 10.193.132.2 |
| AzS-Node01 | 10.193.132.3 |
| AzS-Node02 | 10.193.132.4 |
| AzS-Node03 | 10.193.132.5 |
| AzS-Node04 | 10.193.132.6 |
| ExternalAccessible-1 | 10.193.132.19 |
| ExternalAccessible-2 | 10.193.132.20 |
| ExternalAccessible-3 | 10.193.132.21 |
| ExternalAccessible-4 | 10.193.132.22 |
| ExternalAccessible-5 | 10.193.132.23 |
| InternalAccessible-1 | 10.193.132.24 |
| InternalAccessible-2 | 10.193.132.25 |
| InternalAccessible-3 | 10.193.132.26 |
| InternalAccessible-4 | 10.193.132.27 |
| InternalAccessible-5 | 10.193.132.28 |
| CL01-RG01-SU01-DVM00 | 10.193.132.29 |
| HLH-OS | 10.193.132.30 |
| Broadcast | 10.193.132.31 |

Storage network

The Storage network is a private network and isn't intended to be routed beyond the rack. It is the first half of the Private Network supernet, and its addresses are used by the switches as shown in the table below. The gateway is the first IP in the subnet. The second half, used for the Internal VIPs, is a private pool of addresses managed by the Azure Stack SLB and is not shown on the IP Address Usage tab. These networks support Azure Stack, and there are ACLs on the TOR switches that prevent these networks from being advertised and/or accessed outside the solution.

  • Rack: Rack1
  • Name: CL01-RG01-SU01-Storage

| Assigned To | IPv4 Address |
|---|---|
| Network | 11.11.128.0 |
| Gateway | 11.11.128.1 |
| TOR1 | 11.11.128.2 |
| TOR2 | 11.11.128.3 |
| Broadcast | 11.11.128.127 |

Azure Stack infrastructure network

The infrastructure network supernet requires a /24 network, and this continues to be a /24 after the Deployment Worksheet tool runs. The gateway will be the first IP in the subnet.

  • Rack: Rack1
  • Name: CL01-RG01-SU01-Infra

| Assigned To | IPv4 Address |
|---|---|
| Network | 12.193.130.0 |
| Gateway | 12.193.130.1 |
| TOR1 | 12.193.130.2 |
| TOR2 | 12.193.130.3 |
| Broadcast | 12.193.130.255 |

Switch infrastructure network

The infrastructure network is broken into multiple networks used by the physical switch infrastructure. This is different from the Azure Stack infrastructure, which supports only the Azure Stack software. The Switch Infra network supports only the physical switch infrastructure. The networks supported by infra are:

| Name | IPv4 Subnet |
|---|---|
| P2P_Border/Border1_To_Rack1/TOR1 | 10.193.132.128/30 |
| P2P_Border/Border1_To_Rack1/TOR2 | 10.193.132.132/30 |
| P2P_Border/Border2_To_Rack1/TOR1 | 10.193.132.136/30 |
| P2P_Border/Border2_To_Rack1/TOR2 | 10.193.132.140/30 |
| P2P_Rack1/TOR1_To_Rack1/BMC | 10.193.132.144/30 |
| P2P_Rack1/TOR2_To_Rack1/BMC | 10.193.132.148/30 |
| Loopback0_Rack1_TOR1 | 10.193.132.152/32 |
| Loopback0_Rack1_TOR2 | 10.193.132.153/32 |
| Loopback0_Rack1_BMC | 10.193.132.154/32 |
| P2P_Rack1/TOR1-ibgp-1_To_Rack1/TOR2-ibgp-1 | 10.193.132.156/30 |
| P2P_Rack1/TOR1-ibgp-2_To_Rack1/TOR2-ibgp-2 | 10.193.132.160/30 |
| SwitchMgmt | 10.193.132.168/29 |

  • Point-to-point (P2P): These networks allow connectivity between all switches. The subnet size is a /30 network for each P2P link. The lowest IP is always assigned to the upstream (North) device on the stack.

  • Loopback: These addresses are /32 networks assigned to each switch used in the rack. The border devices are not assigned a loopback, since they aren't expected to be part of the Azure Stack solution.

  • Switch Mgmt or Switch Management: This /29 network supports the dedicated management interfaces of the switches in the rack. The IPs are assigned as follows; this table can also be found on the IP Address Usage tab of the Deployment Worksheet:

  • Rack: Rack1

  • Name: SwitchMgmt

| Assigned To | IPv4 Address |
|---|---|
| Network | 10.193.132.168 |
| Gateway | 10.193.132.169 |
| TOR1 | 10.193.132.170 |
| TOR2 | 10.193.132.171 |
| Broadcast | 10.193.132.175 |
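The split shown in the Subnet Summary under IP address assignments and in the switch infrastructure tables above can be reproduced with a short first-fit allocator, which is a useful way to check a worksheet before the switch configuration is generated. The following Python is an added example written for this page, not the Deployment Worksheet tool's own code. It takes the five supernets from the worked example, carves the switch infrastructure /26 in the order the Subnet Summary lists them (aligning each block to its own prefix boundary, which is why the SwitchMgmt /29 lands on .168 rather than .164 after the two iBGP /30s), halves the private /24 into the Storage and Internal VIP networks, and applies the assignment rules stated above: gateway first, devices in order, and the lowest address of a P2P link to the upstream device. The allocation order and the overlap check are this example's own assumptions about how the worksheet behaves.

```python
"""Added example: reproduce the Deployment Worksheet's subnet split for the worked values."""
from ipaddress import IPv4Network

# Supernets entered on the Network Settings tab of the worked example above.
SUPERNETS = {
    "BMC Network": IPv4Network("10.193.132.0/27"),
    "Private Network": IPv4Network("11.11.128.0/24"),
    "Infrastructure Network": IPv4Network("12.193.130.0/24"),
    "Public VIP Network": IPv4Network("13.200.132.0/24"),
    "Switch Infrastructure Network": IPv4Network("10.193.132.128/26"),
}

# Allocation order for the switch infrastructure /26 (assumption: the order in
# which the Subnet Summary lists them): rack, subnet type, name, prefix length.
SWITCH_INFRA_PLAN = [
    ("Border", "P2P Link", "P2P_Border/Border1_To_Rack1/TOR1", 30),
    ("Border", "P2P Link", "P2P_Border/Border1_To_Rack1/TOR2", 30),
    ("Border", "P2P Link", "P2P_Border/Border2_To_Rack1/TOR1", 30),
    ("Border", "P2P Link", "P2P_Border/Border2_To_Rack1/TOR2", 30),
    ("Border", "P2P Link", "P2P_Rack1/TOR1_To_Rack1/BMC", 30),
    ("Border", "P2P Link", "P2P_Rack1/TOR2_To_Rack1/BMC", 30),
    ("Rack1", "Loopback", "Loopback0_Rack1_TOR1", 32),
    ("Rack1", "Loopback", "Loopback0_Rack1_TOR2", 32),
    ("Rack1", "Loopback", "Loopback0_Rack1_BMC", 32),
    ("Rack1", "P2P Link", "P2P_Rack1/TOR1-ibgp-1_To_Rack1/TOR2-ibgp-1", 30),
    ("Rack1", "P2P Link", "P2P_Rack1/TOR1-ibgp-2_To_Rack1/TOR2-ibgp-2", 30),
    ("Rack1", "VLAN", "SwitchMgmt", 29),
]


def carve(supernet, plan):
    """First-fit allocator: each request is placed at the next address aligned
    to its own block size, so a /29 requested after three /32s and two /30s
    skips .164 and starts at .168, exactly as the worksheet output shows."""
    cursor = int(supernet.network_address)
    limit = int(supernet.broadcast_address) + 1
    allocated = []
    for rack, subnet_type, name, prefix in plan:
        size = 1 << (32 - prefix)
        cursor = (cursor + size - 1) // size * size  # round up to the block boundary
        net = IPv4Network((cursor, prefix))
        if int(net.broadcast_address) >= limit:
            raise ValueError(f"{name}: supernet {supernet} exhausted")
        allocated.append((rack, subnet_type, name, net))
        cursor += size
    return allocated


def subnet_summary():
    """Rows of the Subnet Summary tab: (rack, type, name, subnet, address count)."""
    rows = carve(SUPERNETS["Switch Infrastructure Network"], SWITCH_INFRA_PLAN)
    # The private /24 is halved: first half Storage, second half Internal VIPs.
    storage, internal_vips = SUPERNETS["Private Network"].subnets(new_prefix=25)
    rows += [
        ("Rack1", "VLAN", "BMCMgmt", SUPERNETS["BMC Network"]),
        ("Rack1", "VLAN", "CL01-RG01-SU01-Storage", storage),
        ("Rack1", "VLAN", "CL01-RG01-SU01-Infra", SUPERNETS["Infrastructure Network"]),
        ("Rack1", "Other", "CL01-RG01-SU01-VIPS", SUPERNETS["Public VIP Network"]),
        ("Rack1", "Other", "CL01-RG01-SU01-InternalVIPS", internal_vips),
    ]
    return [(r, t, n, str(net), net.num_addresses) for r, t, n, net in rows]


def no_overlap(rows):
    """Sanity check an operator would run on the output: no two networks overlap."""
    nets = [IPv4Network(row[3]) for row in rows]
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


def vlan_assignment(net, devices):
    """IP Address Usage layout for a VLAN: network, gateway (first usable IP),
    then the named devices in order, then broadcast."""
    net = IPv4Network(str(net))
    usable = list(net.hosts())
    table = {"Network": net.network_address, "Gateway": usable[0]}
    for i, device in enumerate(devices):
        table[device] = usable[1 + i]
    table["Broadcast"] = net.broadcast_address
    return {k: str(v) for k, v in table.items()}


def p2p_assignment(net, north, south):
    """A /30 link: the lowest usable IP always goes to the upstream (North) device."""
    low, high = IPv4Network(str(net)).hosts()
    return {north: str(low), south: str(high)}


def switch_mgmt_usage():
    """The SwitchMgmt usage table above, derived rather than typed in."""
    nets = {name: net for _, _, name, net in
            carve(SUPERNETS["Switch Infrastructure Network"], SWITCH_INFRA_PLAN)}
    return vlan_assignment(nets["SwitchMgmt"], ["TOR1", "TOR2"])


if __name__ == "__main__":
    for row in subnet_summary():
        print("{:<8}{:<10}{:<46}{:<20}{}".format(*row))
    print(switch_mgmt_usage())
    print(p2p_assignment("10.193.132.128/30", "Border1", "TOR1"))
```

Running the script prints the seventeen Subnet Summary rows, the SwitchMgmt usage table, and the Border1/TOR1 link assignment (.129 upstream, .130 on TOR1). Comparing the printed rows against the worksheet's own Subnet Summary tab is a quick way to catch a mistyped supernet before the JSON is exported.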

Prepare environment

The hardware lifecycle host image contains the required Linux container that is used to generate the physical network switch configuration.

The latest partner deployment toolkit includes the latest container image. The container image on the hardware lifecycle host can be replaced when it is necessary to generate an updated switch configuration.

Here are the steps to update the container image:

  1. Download the container image

  2. Replace the container image at the following location

Generate configuration

Here we walk you through the steps of generating the JSON files and the network switch configuration files:

  1. Open the Deployment Worksheet

  2. Fill all the required fields on all tabs

  3. Invoke the "Generate" function on the Deployment Worksheet.
    Two extra tabs will be created, displaying the generated IP subnets and assignments.

  4. Review the data and, once confirmed, invoke the "Export" function.
    You will be prompted to provide a folder in which the JSON files will be saved.

  5. Execute the container using Invoke-SwitchConfigGenerator.ps1. This script requires an elevated PowerShell console to execute, and it requires the following parameters:

    • ContainerName – Name of the container that will generate the switch configs.

    • ConfigurationData – Path to the ConfigurationData.json file exported from the Deployment Worksheet.

    • OutputDirectory – Path to the output directory.

    • Offline – Signals that the script runs in offline mode.

    C:\WINDOWS\system32> .\Invoke-SwitchConfigGenerate.ps1 -ContainerName generalonrampacr.azurecr.io/master -ConfigurationData .\ConfigurationData.json -OutputDirectory c:\temp -Offline

When the script completes, it will produce a zip file with the prefix used in the worksheet.

C:\WINDOWS\system32> .\Invoke-SwitchConfigGenerate.ps1 -ContainerName generalonrampacr.azurecr.io/master -ConfigurationData .\ConfigurationData.json -OutputDirectory c:\temp -Offline
Seconds : 2
Section : Validation
Step    : WindowsRequirement
Status  : True
Detail  : @{CurrentImage=10.0.18363.0}


Seconds : 2
Section : Validation
Step    : DockerService
Status  : True
Detail  : @{Status=Running}


Seconds : 9
Section : Validation
Step    : DockerSetup
Status  : True
Detail  : @{CPU=4; Memory=4139085824; OS=Docker Desktop; OSType=linux}


Seconds : 9
Section : Validation
Step    : DockerImage
Status  : True
Detail  : @{Container=generalonrampacr.azurecr.io/master:1.1910.78.1}


Seconds : 10
Section : Run
Step    : Container
Status  : True
Detail  : @{ID=2a20ba622ef9f58f9bcd069c3b9af7ec076bae36f12c5653f9469b988c01706c; ExternalPort=32768}


Seconds : 38
Section : Generate
Step    : Config
Status  : True
Detail  : @{OutputFile=c:\temp\N22R19.zip}


Seconds : 38
Section : Exit
Step    : StopContainer
Status  : True
Detail  : @{ID=2a20ba622ef9f58f9bcd069c3b9af7ec076bae36f12c5653f9469b988c01706c}
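The script output above is a sequence of PowerShell list-format records, one per validation or run step, and the zip file it names should only be handed to the OEM if every step reported Status True. The following Python is an added example written for this page, not part of the Invoke-SwitchConfigGenerator toolkit. It parses that record format, expands the rendered hashtable in each Detail line, and returns the failed steps, the container image that actually ran and the output path. The sample input is a trimmed copy of the output shown above; the failing record is constructed for the example and does not come from the page.

```python
"""Added example: gate on the switch-config generator's output before trusting the zip."""
import re

# Trimmed copy of the script output shown above (raw string: the Windows paths
# contain backslashes that must not be interpreted as escapes).
SAMPLE_OUTPUT = r"""
C:\WINDOWS\system32> .\Invoke-SwitchConfigGenerate.ps1 -ContainerName generalonrampacr.azurecr.io/master -ConfigurationData .\ConfigurationData.json -OutputDirectory c:\temp -Offline
Seconds : 2
Section : Validation
Step    : WindowsRequirement
Status  : True
Detail  : @{CurrentImage=10.0.18363.0}


Seconds : 9
Section : Validation
Step    : DockerImage
Status  : True
Detail  : @{Container=generalonrampacr.azurecr.io/master:1.1910.78.1}


Seconds : 38
Section : Generate
Step    : Config
Status  : True
Detail  : @{OutputFile=c:\temp\N22R19.zip}
"""

# Constructed failure case (not from the page): the Docker service is not running.
FAILED_OUTPUT = """
Seconds : 2
Section : Validation
Step    : DockerService
Status  : False
Detail  : @{Status=Stopped}
"""

RECORD_FIELD = re.compile(r"^(Seconds|Section|Step|Status|Detail)\s*:\s*(.*)$")


def parse_records(text):
    """Split the list-format output into one dict per record; a record ends at
    the first line that is not a 'Key : value' field (the blank separators)."""
    records, current = [], {}
    for line in text.splitlines():
        match = RECORD_FIELD.match(line.rstrip())
        if match:
            key, value = match.groups()
            current[key] = value.strip()
        elif current:
            records.append(current)
            current = {}
    if current:
        records.append(current)
    return records


def parse_detail(detail):
    """Turn the rendered hashtable '@{A=1; B=x}' into {'A': '1', 'B': 'x'}."""
    body = detail.strip()
    if body.startswith("@{") and body.endswith("}"):
        body = body[2:-1]
    pairs = (item.split("=", 1) for item in body.split(";") if "=" in item)
    return {key.strip(): value.strip() for key, value in pairs}


def summarize(text):
    """Report failed steps, the container image that ran, and the output file."""
    records = parse_records(text)
    failed = [f"{r.get('Section')}/{r.get('Step')}" for r in records if r.get("Status") != "True"]
    details = {r.get("Step"): parse_detail(r.get("Detail", "")) for r in records}
    return {
        "steps": len(records),
        "failed": failed,
        "image": details.get("DockerImage", {}).get("Container"),
        "output_file": details.get("Config", {}).get("OutputFile"),
    }


def output_is_trustworthy(text):
    """True only when every step reported Status True and a zip path was produced."""
    summary = summarize(text)
    return not summary["failed"] and summary["output_file"] is not None


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT))
    print(summarize(FAILED_OUTPUT))
```

Recording the image tag from the DockerImage step alongside the zip is worthwhile: it ties the generated switch configuration to the exact container version that produced it, which is the first thing to compare when two runs of the worksheet disagree.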

Custom configuration

You can modify a few environmental settings for your Azure Stack switch configuration. You can identify which of the settings you can change in the template. This article explains each of those customizable settings, and how the changes can affect your Azure Stack. These settings include password update, syslog server, SNMP monitoring, authentication, and the access control list.

During deployment of the Azure Stack solution, the original equipment manufacturer (OEM) creates and applies the switch configuration for both TORs and the BMC. The OEM uses the Azure Stack automation tool to validate that the required configurations are properly set on these devices. The configuration is based on the information in your Azure Stack Deployment Worksheet.

Note

Do not alter the configuration without consent from either the OEM or the Microsoft Azure Stack engineering team. A change to the network device configuration can significantly impact the operation or troubleshooting of network issues in your Azure Stack instance. For more information about these functions on your network device, and how to make these changes, contact your OEM hardware provider or Microsoft support. Your OEM has the configuration file created by the automation tool based on your Azure Stack Deployment Worksheet.

However, there are some values that can be added, removed, or changed in the configuration of the network switches.

Password update

The operator may update the password for any user on the network switches at any time. There isn't a requirement to change any information on the Azure Stack system, or to use the steps for Rotate secrets in Azure Stack.

Syslog server

Operators can redirect the switch logs to a syslog server in their datacenter. Use this configuration to ensure that the logs from a particular point in time can be used for troubleshooting. By default, the logs are stored on the switches, and their capacity for storing logs is limited. Check the Access control list updates section for an overview of how to configure the permissions for switch management access.

SNMP monitoring

The operator can configure Simple Network Management Protocol (SNMP) v2 or v3 to monitor the network devices and send traps to a network monitoring application in the datacenter. For security reasons, use SNMPv3, since it is more secure than v2. Consult your OEM hardware provider for the MIBs and configuration required. Check the Access control list updates section for an overview of how to configure the permissions for switch management access.

Authentication

The operator can configure either RADIUS or TACACS to manage authentication on the network devices. Consult your OEM hardware provider for the supported methods and the configuration required. Check the Access control list updates section for an overview of how to configure the permissions for switch management access.

Access control list updates

The operator can change some access control lists (ACLs) to allow access to the network device management interfaces and the hardware lifecycle host (HLH) from a trusted datacenter network range. The operator can pick which component will be reachable, and from where. With the access control list, the operator can allow their management jumpbox VMs within a specific network range to access the switch management interface, the HLH OS, and the HLH BMC.

For further details, see Physical switch access control list.
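The behaviour this section describes (a default-deny management ACL that the operator widens for a specific jumpbox range, with SSH off until the customer enables it, per the Permit legend in the physical switch ACL table) can be modelled in a few lines. The following Python is an added example written for this page; it is not the switch vendor's ACL syntax or a Microsoft tool, and it makes no claim about how the real TOR ACL is expressed. The management destinations are the SwitchMgmt, HLH-OS and HLH-BMC addresses from the IP Address Usage tables above; the jumpbox range 192.0.2.0/28 and the "no broader than 256 addresses" rule in is_narrow are constructed for the example.

```python
"""Added example: a model of the operator-tunable management ACL described above."""
from ipaddress import IPv4Address, IPv4Network

# Management destinations, taken from the IP Address Usage tables in this page.
MANAGEMENT_TARGETS = {
    "SwitchMgmt": IPv4Network("10.193.132.168/29"),
    "HLH-OS": IPv4Network("10.193.132.30/32"),
    "HLH-BMC": IPv4Network("10.193.132.2/32"),
}

# Constructed value for the example: the operator's management jumpbox range.
JUMPBOX_RANGE = "192.0.2.0/28"


def is_narrow(source_range, max_hosts=256):
    """Rule of thumb used by this example (not a page requirement): a trusted
    management range should be a specific jumpbox subnet, not a broad block."""
    return IPv4Network(str(source_range)).num_addresses <= max_hosts


class ManagementAcl:
    """Default-deny policy for the management interfaces. The operator widens it
    per target by adding trusted source ranges (the 'Deny' field the customer may
    update); SSH (TCP/22) stays off unless explicitly enabled, matching the
    'Permit' legend above."""

    def __init__(self):
        self.permits = {target: [] for target in MANAGEMENT_TARGETS}
        self.ssh_enabled = False

    def permit(self, target, source_range):
        net = IPv4Network(str(source_range))
        if not is_narrow(net):
            raise ValueError(f"{net} is broader than this policy allows for management access")
        self.permits[target].append(net)

    def enable_ssh(self):
        self.ssh_enabled = True

    def allows(self, src, dst, port):
        """Return 'permit' or a 'deny: <reason>' string for one flow."""
        src, dst = IPv4Address(src), IPv4Address(dst)
        target = next((name for name, net in MANAGEMENT_TARGETS.items() if dst in net), None)
        if target is None:
            return "deny: destination is not a management interface covered here"
        if not any(src in net for net in self.permits[target]):
            return f"deny: {src} is not in a trusted range for {target}"
        if port == 22 and not self.ssh_enabled:
            return "deny: ssh disabled"
        return "permit"


def build_example_policy():
    """Allow the jumpbox range to reach the switch management VLAN, the HLH OS
    and the HLH BMC, which is what the section above says an operator may do."""
    acl = ManagementAcl()
    for target in MANAGEMENT_TARGETS:
        acl.permit(target, JUMPBOX_RANGE)
    return acl


if __name__ == "__main__":
    acl = build_example_policy()
    print(acl.allows("192.0.2.5", "10.193.132.170", 443))    # permit
    print(acl.allows("192.0.2.5", "10.193.132.170", 22))     # deny: ssh disabled
    print(acl.allows("203.0.113.9", "10.193.132.30", 443))   # deny: not a trusted source
```

The order of the checks is deliberate: an untrusted source is refused before the SSH rule is consulted, so enabling SSH later only ever widens access for the ranges that were already permitted. Keeping the permitted range narrow and per-target mirrors the page's advice that the operator picks which component is reachable and from where.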

TACACS, RADIUS and Syslog

The Azure Stack solution is not shipped with a TACACS or RADIUS solution for access control of devices like the switches and routers, nor with a Syslog solution to capture switch logs, but all these devices support those services. To help you integrate with an existing TACACS, RADIUS and/or Syslog server in your environment, we provide an extra file with the network switch configuration that allows the engineer onsite to customize the switch to the customer's needs.

Next steps

Network integration