Full-traffic capture and analysis is valuable in many areas of networking: its usefulness for performance optimization, troubleshooting and diagnosis, network behaviour analysis and network security analysis is widely recognized by network administrators.
However, a local computer normally cannot directly capture the traffic exchanged between other hosts. The reasons lie in how network hardware works and in the operating mode of the network card: the NIC's working mode, the switch's forwarding mechanism (a switch forwards a unicast frame only to the port on which it learned the destination MAC address), and network segmentation all stand in the way.
Full-traffic capture methods
To capture all traffic on a network, a capture method suited to the network environment and the requirements has to be chosen. The common full-traffic capture methods are:
hub-based capture, switch port mirroring (Port Mirroring), network taps (Network Tap), software-based out-of-band (bypass) capture, and capture inside virtual networks.
Each of these methods has its own advantages and disadvantages; in practice, the choice depends on network size, network architecture, capture requirements and cost.
What is switch port mirroring
Switch port mirroring is a common full-traffic capture method. A mirror (observe) port is configured on the switch, the traffic of one or more source ports (or VLANs) is copied to one or more designated mirror ports, and a capture device connected to a mirror port then receives every frame of the source ports. Port mirroring comes in two forms: local port mirroring, where source and mirror ports sit on the same switch, and remote port mirroring (RSPAN), which mirrors traffic across switches by carrying it over a dedicated RSPAN VLAN. Mirroring copies frames rather than redirecting them, so it does not disturb normal forwarding, captures all traffic of the specified ports or VLANs accurately, and suits networks of any size. Two practical caveats: a mirror port can be oversubscribed when several busy sources are copied to one destination, in which case the switch drops part of the mirrored traffic; and because whatever is plugged into the mirror port sees everything, the mirror port, the RSPAN VLAN and the capture host should be treated as sensitive and restricted to the collector.
Below, port mirroring configuration is demonstrated on several common switch brands.
Common switch port mirroring configurations
① Huawei
Configuring local port mirroring
1. Configure the mirror destination (observe) port
<Huawei> system-view
[Huawei] observe-port 1 interface G0/0/1
2. Configure the mirror source port
[Huawei] interface G0/0/2
[Huawei-GigabitEthernet0/0/2] port-mirroring to observe-port 1 inbound
[Huawei-GigabitEthernet0/0/2] quit
3. Check the configuration result
[Huawei] display port-mirroring
Configuring remote port mirroring (RSPAN)
1. Configure the dedicated RSPAN VLAN
<Huawei1> system-view
[Huawei1] vlan 10
[Huawei1-vlan10] remote-probe vlan enable
[Huawei1-vlan10] quit
<Huawei2> system-view
[Huawei2] vlan 10
[Huawei2-vlan10] remote-probe vlan enable
[Huawei2-vlan10] quit
2. Configure the mirror source device
[Huawei1] mirroring-group 1 remote-source
[Huawei1] mirroring-group 1 mirroring-port G0/0/2 both
[Huawei1] mirroring-group 1 reflector-port G0/0/1
[Huawei1] mirroring-group 1 remote-probe vlan 10
3. Configure the mirror destination device
[Huawei2] mirroring-group 1 remote-destination
[Huawei2] mirroring-group 1 monitor-port G0/0/3
[Huawei2] mirroring-group 1 remote-probe vlan 10
Configuring encapsulated remote port mirroring (ERSPAN)
1. Configure the mirror source device
<Huawei1> system-view
[Huawei1] interface GigabitEthernet0/0/2
[Huawei1-GigabitEthernet0/0/2] port-mirroring to observe-port 1 inbound
[Huawei1-GigabitEthernet0/0/2] quit
[Huawei1] mirror to erspan-source
[Huawei1-mirror-erspan-source] source-ip 10.3.5.8
[Huawei1-mirror-erspan-source] destination-ip 10.35.8.1
[Huawei1-mirror-erspan-source] erspan-id 100
[Huawei1-mirror-erspan-source] quit
2. Configure the mirror destination device
<Huawei2> system-view
[Huawei2] observe-port 1 interface GigabitEthernet0/0/2
[Huawei2] mirror to erspan-destination
[Huawei2-mirror-erspan-destination] source-ip 10.3.5.8
[Huawei2-mirror-erspan-destination] destination-ip 10.35.8.1
[Huawei2-mirror-erspan-destination] erspan-id 100
[Huawei2-mirror-erspan-destination] quit
Configuring flow mirroring: local VLAN flow mirroring
1. Configure the mirror destination (observe) port
[Huawei] observe-port 1 interface G0/0/3
2. Configure the mirror source VLAN
[Huawei] vlan 10
[Huawei-vlan10] mirroring observe-port 1 inbound
[Huawei-vlan10] quit
Configuring local MQC-based flow mirroring
<Huawei> system-view
[Huawei] acl 3000
[Huawei-acl-adv-3000] rule permit tcp source 10.1.1.10 0 destination-port eq 80
[Huawei-acl-adv-3000] quit
[Huawei] traffic classifier mirror-class
[Huawei-classifier-mirror-class] if-match acl 3000
[Huawei-classifier-mirror-class] quit
[Huawei] observe-port 1 interface GigabitEthernet 0/0/3
[Huawei] traffic behavior ABC
[Huawei-behavior-ABC] mirroring observe-port 1
[Huawei-behavior-ABC] quit
[Huawei] traffic policy mirror-policy
[Huawei-trafficpolicy-mirror-policy] classifier mirror-class behavior ABC
[Huawei-trafficpolicy-mirror-policy] quit
[Huawei] interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1] traffic-policy mirror-policy inbound
[Huawei-GigabitEthernet0/0/1] quit
② H3C
Configuring local port mirroring
1. Configure the mirror source port
<H3C> system-view
[H3C] mirroring-group 1 local
[H3C] interface gigabitEthernet 1/1/1
[H3C-GigabitEthernet1/1/1] mirroring-port both
[H3C-GigabitEthernet1/1/1] quit
2. Configure the mirror destination (monitor) port
[H3C] interface GigabitEthernet 1/1/2
[H3C-GigabitEthernet1/1/2] monitor-port
[H3C-GigabitEthernet1/1/2] quit
Configuring remote port mirroring (RSPAN)
1. Configure the mirror source switch
<H3C1> system-view
[H3C1] vlan 10
[H3C1-vlan10] remote-probe vlan enable
[H3C1-vlan10] quit
[H3C1] interface GigabitEthernet 1/1/1
[H3C1-GigabitEthernet1/1/1] port link-type trunk
[H3C1-GigabitEthernet1/1/1] port trunk permit vlan 10
[H3C1-GigabitEthernet1/1/1] quit
[H3C1] mirroring-group 1 remote-source
[H3C1] mirroring-group 1 mirroring-port GigabitEthernet 1/1/2 inbound
[H3C1] mirroring-group 1 reflector-port GigabitEthernet 1/1/1
[H3C1] mirroring-group 1 remote-probe vlan 10
[H3C1] display mirroring-group remote-source
2. Configure the mirror destination switch
<H3C2> system-view
[H3C2] vlan 10
[H3C2-vlan10] remote-probe vlan enable
[H3C2-vlan10] quit
[H3C2] interface GigabitEthernet 1/1/1
[H3C2-GigabitEthernet1/1/1] port link-type trunk
[H3C2-GigabitEthernet1/1/1] port trunk permit vlan 10
[H3C2-GigabitEthernet1/1/1] quit
[H3C2] mirroring-group 1 remote-destination
[H3C2] mirroring-group 1 monitor-port GigabitEthernet 1/1/2
[H3C2] mirroring-group 1 remote-probe vlan 10
[H3C2] display mirroring-group remote-destination
Configuring encapsulated remote port mirroring (ERSPAN)
1. Configure the mirror source device
<H3C1> system-view
[H3C1] mirroring-group 1 remote-source
[H3C1] mirroring-group 1 mirroring-port GigabitEthernet1/0/1 inbound
[H3C1] mirroring-group 1 remote-probe ip source 192.168.1.1 destination 192.168.2.1
[H3C1] mirroring-group 1 remote-probe erspan-id 100
2. Configure the mirror destination device
<H3C2> system-view
[H3C2] mirroring-group 1 remote-destination
[H3C2] mirroring-group 1 remote-probe ip source 192.168.1.1 destination 192.168.2.1
[H3C2] mirroring-group 1 remote-probe erspan-id 100
[H3C2] mirroring-group 1 monitor-port GigabitEthernet1/0/24
Configuring flow mirroring
[H3C] acl advanced 3000
[H3C-acl-ipv4-adv-3000] rule permit ip source 10.3.58.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[H3C-acl-ipv4-adv-3000] quit
[H3C] traffic classifier Class_1
[H3C-classifier-Class_1] if-match acl 3000
[H3C-classifier-Class_1] quit
[H3C] traffic behavior Class_2
[H3C-behavior-Class_2] mirror-to interface g0/0/1
[H3C-behavior-Class_2] quit
[H3C] qos policy Class_3
[H3C-qospolicy-Class_3] classifier Class_1 behavior Class_2
[H3C-qospolicy-Class_3] quit
[H3C] interface G0/0/6
[H3C-GigabitEthernet0/0/6] qos apply policy Class_3 inbound
[H3C-GigabitEthernet0/0/6] quit
③ Ruijie
Configuring local port mirroring
1. Configure the mirror source port
Ruijie> enable
Ruijie# configure terminal
Ruijie(config)# monitor session 1 source interface gigabitEthernet 0/1
2. Configure the mirror destination port
Ruijie(config)# monitor session 1 destination interface gigabitEthernet 0/2
3. Verification command
Ruijie# show monitor
Configuring remote port mirroring (RSPAN)
1. Configure the mirror source device
Ruijie1> enable
Ruijie1# configure terminal
Ruijie1(config)# vlan 7
Ruijie1(config-vlan)# remote-span
Ruijie1(config-vlan)# exit
Ruijie1(config)# monitor session 1 remote-source
Ruijie1(config)# monitor session 1 source interface G0/0/2 both
Ruijie1(config)# monitor session 1 destination remote vlan 7 interface G0/0/1 switch
Ruijie1(config)# interface G0/0/5
Ruijie1(config-if)# mac-loopback
Ruijie1(config-if)# switchport access vlan 7
Ruijie1(config-if)# exit
Ruijie1(config)# interface G0/0/1
Ruijie1(config-if)# switchport mode trunk
2. Configure the mirror destination device
Ruijie2> enable
Ruijie2# configure terminal
Ruijie2(config)# vlan 7
Ruijie2(config-vlan)# remote-span
Ruijie2(config-vlan)# exit
Ruijie2(config)# monitor session 1 remote-destination
Ruijie2(config)# monitor session 1 destination remote vlan 7 interface G0/0/3
Ruijie2(config)# interface G0/0/1
Ruijie2(config-if)# switchport mode trunk
Configuring encapsulated remote port mirroring (ERSPAN)
Ruijie> enable
Ruijie# configure terminal
Ruijie(config)# monitor session 1 erspan-source
Ruijie(config-mon-erspan-src)# source interface G0/0/2 both
Ruijie(config-mon-erspan-src)# origin ip address 10.3.5.8
Ruijie(config-mon-erspan-src)# destination ip address 10.35.8.100
Configuring flow mirroring
Ruijie> enable
Ruijie# configure terminal
Ruijie(config)# ip access-list extended ruijie
Ruijie(config-ext-nacl)# permit ip 192.168.10.0 0.0.0.255 any
Ruijie(config-ext-nacl)# exit
Ruijie(config)# monitor session 1 source interface gigabitEthernet 0/1 tx
Ruijie(config)# monitor session 1 source interface gigabitEthernet 0/1 rx acl ruijie
Ruijie(config)# monitor session 1 destination interface gigabitEthernet 0/24
Ruijie(config)# end
④ Cisco
Configuring local port mirroring
1. Configure the mirror source port
Cisco> enable
Cisco# configure terminal
Cisco(config)# monitor session 1 source interface G0/2
2. Configure the mirror destination port
Cisco(config)# monitor session 1 destination interface G0/1
3. Configure the session type as local port mirroring
Cisco(config)# monitor session 1 type local
Cisco(config-mon-local)# source interface G0/2
Cisco(config-mon-local)# destination interface G0/24
Cisco(config-mon-local)# end
Configuring remote port mirroring (RSPAN)
1. Configure the dedicated RSPAN VLAN
Cisco1>enable
Cisco1# configure terminal
Cisco1(config)# vlan 200
Cisco1(config-vlan)# remote-span
Cisco1(config-vlan)# end
Cisco1# show vlan remote-span
Cisco2>enable
Cisco2# configure terminal
Cisco2(config)# vlan 200
Cisco2(config-vlan)# remote-span
Cisco2(config-vlan)# end
Cisco2# show vlan remote-span
2. Configure the mirror source device
Cisco1>enable
Cisco1# configure terminal
Cisco1(config)# monitor session 1 source interface G0/2 rx
Cisco1(config)# monitor session 1 destination remote vlan 200
Cisco1(config)# monitor session 1 reflector-port G0/1
Cisco1(config)# exit
3. Configure the mirror destination device
Cisco2>enable
Cisco2# configure terminal
Cisco2(config)# monitor session 1 source remote vlan 200
Cisco2(config)# monitor session 1 destination interface G0/2
Cisco2(config)# exit
Configuring encapsulated remote port mirroring (ERSPAN)
1. Configure the mirror source device
Cisco1>enable
Cisco1# configure terminal
Cisco1(config)# monitor session 1 type erspan-source
Cisco1(config-mon-erspan-src)# source interface gig0/1/0 rx
Cisco1(config-mon-erspan-src)# no shutdown
Cisco1(config-mon-erspan-src)# destination
Cisco1(config-mon-erspan-src-dst)# erspan-id 101
Cisco1(config-mon-erspan-src-dst)# ip address 10.1.1.1
Cisco1(config-mon-erspan-src-dst)# origin ip address 172.16.1.1
2. Configure the mirror destination device
Cisco2>enable
Cisco2# configure terminal
Cisco2(config)# monitor session 2 type erspan-destination
Cisco2(config-mon-erspan-dst)# destination interface gigabitEthernet2/2/1
Cisco2(config-mon-erspan-dst)# no shutdown
Cisco2(config-mon-erspan-dst)# source
Cisco2(config-mon-erspan-dst-src)# erspan-id 101
Cisco2(config-mon-erspan-dst-src)# ip address 10.1.1.1
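The RSPAN and ERSPAN configurations above (Huawei, H3C, Ruijie and Cisco) all end with frames arriving on the collector's capture NIC either tagged with the RSPAN VLAN or wrapped in GRE with an ERSPAN header. The following Python script is an added example written for this page, not code from the article or from any switch vendor; it classifies a captured frame as local, RSPAN or ERSPAN, extracts the RSPAN VLAN or the ERSPAN session ID and tunnel endpoints, and checks them against the values the switch was configured with, so a collector can tell a misconfigured or unexpected mirror session apart from the intended one. The protocol constants are the standard Ethernet, 802.1Q, GRE and ERSPAN Type I/II values; ERSPAN Type III is not handled. The sample packets are constructed inline and reuse the article's Huawei ERSPAN values (source 10.3.5.8, destination 10.35.8.1, erspan-id 100).

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Protocol constants from the Ethernet/GRE/ERSPAN specifications (not from the article).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100
IPPROTO_GRE = 47
GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type used by ERSPAN Type I and Type II


@dataclass
class MirrorInfo:
    """What the collector learned about one frame received on the monitor NIC."""
    kind: str                        # "rspan" (802.1Q-tagged), "erspan" (GRE) or "plain"
    vlan_id: Optional[int] = None    # outer 802.1Q VLAN (the RSPAN VLAN, if tagged)
    erspan_id: Optional[int] = None  # ERSPAN session ID (Type II only; Type I has none)
    outer_src: Optional[str] = None  # ERSPAN tunnel source IP
    outer_dst: Optional[str] = None  # ERSPAN tunnel destination IP
    inner_frame: bytes = b""         # the mirrored frame as it was seen on the source port


def _ipv4(b: bytes) -> str:
    return ".".join(str(x) for x in b)


def classify_mirrored_frame(frame: bytes) -> MirrorInfo:
    """Classify a captured frame as RSPAN, ERSPAN Type I/II, or plain (local mirroring)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, off = None, 14
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan_id, off = tci & 0x0FFF, 18
    tagged = "rspan" if vlan_id is not None else "plain"

    # Anything that is not IPv4-over-GRE reaches the collector as-is.
    if ethertype != ETHERTYPE_IPV4 or len(frame) < off + 20:
        return MirrorInfo(tagged, vlan_id, inner_frame=frame)
    ip = frame[off:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[9] != IPPROTO_GRE or len(ip) < ihl + 4:
        return MirrorInfo(tagged, vlan_id, inner_frame=frame)
    src, dst = _ipv4(ip[12:16]), _ipv4(ip[16:20])

    gre = ip[ihl:]
    flags, gre_proto = struct.unpack("!HH", gre[:4])
    if gre_proto != GRE_PROTO_ERSPAN:
        return MirrorInfo(tagged, vlan_id, inner_frame=frame)
    goff = 4
    if flags & 0x8000:  # C bit: checksum + reserved
        goff += 4
    if flags & 0x2000:  # K bit: key
        goff += 4
    if not flags & 0x1000:  # no S bit: ERSPAN Type I, no ERSPAN header follows GRE
        return MirrorInfo("erspan", vlan_id, None, src, dst, gre[goff:])
    goff += 4  # S bit: sequence number, then the 8-byte Type II header
    if len(gre) < goff + 8:
        raise ValueError("truncated ERSPAN Type II header")
    word0 = struct.unpack("!I", gre[goff:goff + 4])[0]
    if word0 >> 28 != 1:
        raise ValueError("unexpected ERSPAN header version %d" % (word0 >> 28))
    return MirrorInfo("erspan", vlan_id, word0 & 0x3FF, src, dst, gre[goff + 8:])


def session_matches(frame: bytes, erspan_id: int, src: str, dst: str) -> bool:
    """True only if the frame belongs to the ERSPAN session the switch was configured with."""
    i = classify_mirrored_frame(frame)
    return i.kind == "erspan" and (i.erspan_id, i.outer_src, i.outer_dst) == (erspan_id, src, dst)


def build_erspan_frame(erspan_id: int, src: str, dst: str, inner: bytes) -> bytes:
    """Constructed test input: outer Ethernet + IPv4 + GRE(seq) + ERSPAN II + mirrored frame."""
    eth = bytes.fromhex("001122334455" "66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    gre = struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN, 1)           # S bit set, sequence 1
    erspan = struct.pack("!II", (1 << 28) | (erspan_id & 0x3FF), 0)  # version 1, session ID
    payload = gre + erspan + inner
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000, 64,
                     IPPROTO_GRE, 0, bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return eth + ip + payload


# Constructed samples: the mirrored frame is a minimal broadcast ARP-like frame.
INNER_FRAME = bytes.fromhex("ffffffffffff" "0a0b0c0d0e0f" "0806") + b"\x00" * 28
SAMPLE_ERSPAN = build_erspan_frame(100, "10.3.5.8", "10.35.8.1", INNER_FRAME)  # article's values
SAMPLE_RSPAN = bytes.fromhex("ffffffffffff" "0a0b0c0d0e0f" "8100" "000a" "0806") + b"\x00" * 28

if __name__ == "__main__":
    for name, f in (("erspan", SAMPLE_ERSPAN), ("rspan", SAMPLE_RSPAN)):
        print(name, classify_mirrored_frame(f))
    print("session ok:", session_matches(SAMPLE_ERSPAN, 100, "10.3.5.8", "10.35.8.1"))
```

On a real collector the frames come from the capture NIC instead of the constructed samples; the useful check is that every ERSPAN frame carries the configured session ID and tunnel endpoints, since ERSPAN is plain GRE over the routed network and a second session aimed at the same collector, or the same session arriving from an unexpected source address, would otherwise be mixed silently into the capture.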
Configuring flow mirroring
Cisco> enable
Cisco# configure terminal
Cisco(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Cisco(config)# monitor session 2 source interface G0/1
Cisco(config)# monitor session 2 destination interface G0/2 encapsulation replicate
Cisco(config)# monitor session 2 filter ip access-group 1
Cisco(config)# end
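Each of the flow-mirroring configurations above (Huawei MQC, H3C QoS policy, Ruijie ACL-filtered session, Cisco filter access-group) mirrors only the packets that a permit rule matches, so the collector sees a subset of the port's traffic. The Python script below is an added example for this page, not code from the article or from any vendor; it implements switch-style wildcard-mask matching and applies the four ACLs from the article, transcribed by hand, to a set of constructed sample flows to show which flows would reach the observe port. The sample addresses are documentation ranges chosen here, not values from the article, and the rule model deliberately ignores direction (inbound/outbound), which the interface binding decides.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Switch-style wildcard mask: 0 bits must match, 1 bits are don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


@dataclass(frozen=True)
class Flow:
    """One observed flow, reduced to the fields the mirror ACLs above look at."""
    protocol: str                   # "tcp", "udp", "icmp", ...
    src: str
    dst: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class MirrorRule:
    """A single 'permit' ACL rule ('any' is 0.0.0.0 255.255.255.255)."""
    protocol: str = "ip"            # "ip" matches every IP protocol
    src: str = "0.0.0.0"
    src_wc: str = "255.255.255.255"
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255"
    dst_port: Optional[int] = None  # 'destination-port eq N' / 'eq N'

    def matches(self, flow: Flow) -> bool:
        if self.protocol != "ip" and self.protocol != flow.protocol:
            return False
        if not wildcard_match(flow.src, self.src, self.src_wc):
            return False
        if not wildcard_match(flow.dst, self.dst, self.dst_wc):
            return False
        return self.dst_port is None or self.dst_port == flow.dst_port


def mirrored_flows(rules: List[MirrorRule], flows: List[Flow]) -> List[Flow]:
    """Flows a flow-mirroring policy copies to the observe port.

    Any matching permit rule mirrors the flow; a flow that matches no rule is
    forwarded normally but never reaches the collector.
    """
    return [f for f in flows if any(r.matches(f) for r in rules)]


# The four ACLs from the article, transcribed into MirrorRule form.
HUAWEI_RULE = MirrorRule("tcp", "10.1.1.10", "0.0.0.0", dst_port=80)  # CLI wildcard '0' = exact host
H3C_RULE = MirrorRule("ip", "10.3.58.0", "0.0.0.255", "192.168.1.0", "0.0.0.255")
RUIJIE_RULE = MirrorRule("ip", "192.168.10.0", "0.0.0.255")            # destination 'any'
CISCO_RULE = MirrorRule("ip", "192.168.1.0", "0.0.0.255")              # standard ACL: source only

# Constructed sample flows (documentation addresses, not from the article).
SAMPLE_FLOWS = [
    Flow("tcp", "10.1.1.10", "203.0.113.5", 80),     # Huawei rule: host and port match
    Flow("tcp", "10.1.1.10", "203.0.113.5", 443),    # same host, port 443: not mirrored
    Flow("tcp", "10.1.1.11", "203.0.113.5", 80),     # neighbouring host: wildcard 0 is exact
    Flow("udp", "10.3.58.77", "192.168.1.9", 53),    # H3C rule: both subnets match
    Flow("udp", "10.3.58.77", "192.168.2.9", 53),    # wrong destination subnet
    Flow("icmp", "192.168.10.200", "198.51.100.1"),  # Ruijie rule: source subnet, any destination
    Flow("tcp", "192.168.1.9", "203.0.113.5", 22),   # Cisco standard ACL: source subnet only
]

if __name__ == "__main__":
    for name, rule in (("Huawei", HUAWEI_RULE), ("H3C", H3C_RULE),
                       ("Ruijie", RUIJIE_RULE), ("Cisco", CISCO_RULE)):
        print(name, mirrored_flows([rule], SAMPLE_FLOWS))
```

The point for the analyst receiving the capture is the implicit deny: whatever the ACL does not permit is invisible on the observe port, so a flow-mirroring ACL should be reviewed with the same care as a firewall rule when a capture is used for security monitoring, and a host or port missing from the capture is just as likely a too-narrow wildcard as an absence of traffic.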