網絡全流量採集與分析在網絡領域具有多方面的重要價值,其應用在網絡性能優化、故障排除與診斷、網絡行為分析、網絡安全分析等領域的價值已經得到了網絡管理人員的普遍認可。
但是在本地電腦上通常無法直接抓取到其他主機之間通信的流量,主要原因與網絡的硬件設備工作原理和網卡的工作模式密切相關,包括網卡工作模式限制、交換機的轉發機制、網絡分段等因素。
全流量採集方式有哪些
為了實現對網絡全流量的採集,需要根據不同的網絡環境和需求,採用合適的採集方式。以下是幾種常見的全流量採集方式:
基於集線器(Hub)的採集方式、交換機端口鏡像(Port Mirroring)、網絡分流器(Network Tap)、基於軟件的旁路採集方式、基於虛擬網絡的採集方式等。
綜上所述,不同的全流量採集方式各有優缺點,在實際應用中,需要根據網絡規模、網絡架構、採集需求和成本等因素選擇合適的採集方式。交換機端口鏡像由於其靈活性和適用性,是目前最常用的全流量採集方式之一。
什麼是交換機端口鏡像
交換機端口鏡像是一種常用的全流量採集方式,它通過在交換機上配置鏡像端口,將一個或多個源端口(或VLAN)的流量複製到一個或多個指定的鏡像端口,然後將採集設備連接到鏡像端口,即可捕獲到源端口的所有流量。端口鏡像可以分為本地端口鏡像和遠程端口鏡像(RSPAN)。本地端口鏡像適用於同一交換機上的端口鏡像,而遠程端口鏡像則可以跨交換機進行流量鏡像,通過專用的RSPAN VLAN傳輸鏡像流量。這種採集方式的優點是不會影響網絡的正常運行,能夠準確捕獲到指定端口或VLAN的全流量,適用於各種規模的網絡環境。
下面我們就以常見的交換機品牌為例,進行交換機端口鏡像的配置演示。
常見交換機端口鏡像配置
(以下內容僅作為示例供參考)
華為配置本地端口鏡像
1、配置鏡像目的端口
<Huawei> system-view
[Huawei]
observe-port 1 interface G0/0/12、配置鏡像源端口
[Huawei] interface G0/0/2
[Huawei-GigabitEthernet0/0/2] port-mirroring to observe-port 1 inbound
[Huawei-GigabitEthernet0/0/2] quit3、檢查配置結果
[Huawei]display port-mirroring配置遠程端口鏡像
1、配置RSPAN專用VLAN
<Huawei1> system-view
[Huawei1] vlan 10
[Huawei1-vlan10] remote-probe vlan enable
[Huawei1-vlan10] quit
<Huawei2> system-view
[Huawei2] vlan 10
[Huawei2-vlan10] remote-probe vlan enable
[Huawei2-vlan10] quit2、配置鏡像源設備
[Huawei1] mirroring-group 1 remote-source
[Huawei1] mirroring-group 1 mirroring-port G0/0/2 both
[Huawei1] mirroring-group 1 reflector-port G0/0/1
[Huawei1] mirroring-group 1 remote-probe vlan 103、配置鏡像目標設備
[Huawei2] mirroring-group 1 remote-destination
[Huawei2] mirroring-group 1 monitor-port G0/0/3
[Huawei2] mirroring-group 1 remote-probe vlan 10配置封裝的遠程端口鏡像
1、配置鏡像源設備
<Huawei1> system-view
[Huawei1] interface GigabitEthernet0/0/2
[Huawei1-GigabitEthernet0/0/2] port-mirroring to observe-port 1 inbound
[Huawei1-GigabitEthernet0/0/2] quit
[Huawei1] mirror to erspan-source
[Huawei1-mirror-erspan-source] source-ip 10.3.5.8
[Huawei1-mirror-erspan-source] destination-ip 10.35.8.1
[Huawei1-mirror-erspan-source] erspan-id 100
[Huawei1-mirror-erspan-source] quit2、配置鏡像目標設備
<Huawei2> system-view
[Huawei2] observe-port 1 interface GigabitEthernet0/0/2
[Huawei2] mirror to erspan-destination
[Huawei2-mirror-erspan-destination] source-ip 10.3.5.8
[Huawei2-mirror-erspan-destination] destination-ip 10.35.8.1
[Huawei2-mirror-erspan-destination] erspan-id 100
[Huawei2-mirror-erspan-destination] quit配置流鏡像配置本地VLAN流鏡像
1、配置鏡像目的端口
[Huawei] observe-port 1 interface G0/0/32、配置鏡像源VLAN
[Huawei] vlan 10
[Huawei-vlan10] mirroring observe-port 1 inbound
[Huawei-vlan10] quit3、配置本地基於MQC的流鏡像
<Huawei> system-view
[Huawei] acl 3000
[Huawei-acl-adv-3000] rule permit tcp source 10.1.1.10 0 destination-port eq 80
[Huawei -acl-adv-3000] quit
[Huawei] traffic classifier mirror-class
[Huawei-classifier-mirror-class] if-match acl 3000
[Huawei-classifier-mirror-class] quit
[Huawei] observe-port 1 interface GigabitEthernet 0/0/3
[Huawei] traffic behavior ABC
[Huawei-ABC-behavior] mirroring observe-port 1
[Huawei] quit
[Huawei] traffic policy mirror-policy
[Huawei-policy-mirror-policy] classifier mirror-class behavior ABC
[Huawei-policy-mirror-policy] quit
[Huawei] interface GigabitEthernet 0/0/1
[Huawei-GigabitEthernet0/0/1] traffic-policy mirror-policy inbound
[Huawei-GigabitEthernet0/0/1] quit
華三配置本地端口鏡像
1、配置鏡像源端口
<H3C> system-view
[H3C] mirroring-group 1 local
[H3C] interface gigabitEthernet 1/1/1
[H3C-GigabitEthernet1/1/1] mirroring-port both
[H3C-GigabitEthernet1/1/1] quit2、配置鏡像目的端口
[H3C] interface GigabitEthernet 1/1/2
[H3C-GigabitEthernet1/1/2] monitor-port
[H3C-GigabitEthernet1/1/2] quit配置遠程端口鏡像
1、配置鏡像源交換機
<H3C1> system-view
[H3C1] vlan 10
[H3C1-vlan10] remote-probe vlan enable
[H3C1-vlan10] quit
[H3C1] interface GigabitEthernet 1/1/1
[H3C1-GigabitEthernet1/1/1] port link-type trunk
[H3C1-GigabitEthernet1/1/1] port trunk permit vlan 10
[H3C1-GigabitEthernet1/1/1] quit
[H3C1] mirroring-group 1 remote-source
[H3C1] mirroring-group 1 mirroring-port GigabitEthernet 1/1/2 inbound
[H3C1] mirroring-group 1 reflector-port GigabitEthernet 1/1/1
[H3C1] mirroring-group 1 remote-probe vlan 10
[H3C1] display mirroring-group remote-destination2、配置鏡像目標交換機
<H3C2> system-view
[H3C2] vlan 10
[H3C2-vlan10] remote-probe vlan enable
[H3C2-vlan10] quit
[H3C2] interface GigabitEthernet 1/1/1
[H3C2-GigabitEthernet1/1/1] port link-type trunk
[H3C2-GigabitEthernet1/1/1] port trunk permit vlan 10
[H3C2-GigabitEthernet1/1/1] quit
[H3C2] mirroring-group 1 remote-destination
[H3C2] mirroring-group 1 monitor-port GigabitEthernet 1/1/2
[H3C2] mirroring-group 1 remote-probe vlan 10
[H3C] display mirroring-group remote-destination配置封裝的遠程端口鏡像
1、配置鏡像源設備
<H3C1> system-view
[H3C1] mirroring-group 1 remote-source
[H3C1] mirroring-group 1 mirroring-port GigabitEthernet1/0/1 inbound
[H3C1] mirroring-group 1 remote-probe ip source 192.168.1.1 destination 192.168.2.1
[H3C1] mirroring-group 1 remote-probe erspan-id 1002、配置鏡像目標設備
<H3C2> system-view
[H3C2] mirroring-group 1 remote-destination
[H3C2] mirroring-group 1 remote-probe ip source 192.168.1.1 destination 192.168.2.1
[H3C2] mirroring-group 1 remote-probe erspan-id 100
[H3C2] mirroring-group 1 monitor-port GigabitEthernet1/0/243、配置流鏡像
[H3C] acl advanced 3000
[H3C -acl-ipv4-adv-3000] rule permit ip source 10.3.58.0 0.0.0.255 destination 192.168.1.0 0.0.0.255
[H3C -acl-ipv4-adv-3000] quit
[H3C] traffic classifier Class_1
[H3C -classifier-Class_1] if-match acl 3000
[H3C -classifier-Class_1] quit
[H3C] traffic behavior Class_2
[H3C-behavior-Class_2] mirror-to interface g0/0/1
[H3C-behavior-Class_2] quit
[H3C] qos policy Class_3
[H3C-qospolicy-Class_3] classifier Class_1 behavior Class_2
[H3C-qospolicy-Class_3] quit
[H3C] interface G0/0/6
[H3C -G0/0/6] qos apply policy Class_3 inbound
[H3C-G0/0/6] quit
鋭捷配置本地端口鏡像
1、配置鏡像源端口
Ruijie> enable
Ruijie# configure terminal
Ruijie(config)# monitor session 1 source interface gigabitEthernet 0/12、配置鏡像目的端口
Ruijie(config)# monitor session 1 destination interface gigabitEthernet 0/23、驗證命令
Ruijie# show monitor配置遠程端口鏡像
1、配置鏡像源設備
Ruijie1> enable
Ruijie1# configure terminal
Ruijie1 (config)# vlan 7
Ruijie1 (config-vlan)# remote-span
Ruijie1 (config-vlan)# exit
Ruijie1 (config)# monitor session 1 remote-source
Ruijie1 (config)# monitor session 1 source interface G0/0/2 both
Ruijie1 (config)# monitor session 1 destination remote vlan 7 interface G0/0/1 switch
Ruijie1 (config)# interface G0/0/5
Ruijie1 (config-if)# mac-loopback
Ruijie1 (config-if)# switchport access vlan 7
Ruijie1 (config-if)# exit
Ruijie1 (config)# interfaceG0/0/1
Ruijie1 (config-if-range)# switchport mode trunk2、配置鏡像目標設備
Ruijie2> enable
Ruijie2# configure terminal
Ruijie2 (config)# vlan 7
Ruijie2 (config-vlan)# remote-span
Ruijie2 (config-vlan)# exit
Ruijie2 (config)# monitor session 1 remote-destination
Ruijie2 (config)# monitor session 1 destination remote vlan 7 interface G0/0/3
Ruijie2 (config)# interface G0/0/1
Ruijie2 (config-if)# switchport mode trunk3、配置封裝的遠程端口鏡像
Ruijie> enable
Ruijie# configure terminal
Ruijie(config)#monitor session 1 erspan-source
Ruijie(config-mon-erspan-src)#source interface G0/0/2 both
Ruijie(config-mon-erspan-src)#origin ip address 10.3.5.8
Ruijie(config-mon-erspan-src)#destination ip address 10.35.8.1004、配置流鏡像
Ruijie> enable
Ruijie# configure terminal
Ruijie (config)#ip access-list extended ruijie
Ruijie (config-ext-nacl)#permit ip 192.168.10.0 0.0.0.255 any
Ruijie (config-ext-nacl)#exit
Ruijie (config)#monitor session 1 source interface gigabitEthernet 0/1 tx
Ruijie (config)#monitor session 1 source interface gigabitEthernet 0/1 rx acl ruijie
Ruijie (config)#monitor session 1 destination interface gigabitEthernet 0/24
Ruijie (config)#end
思科配置本地端口鏡像
1、配置鏡像源端口
Cisco>enable
Cisco#configure terminal
Cisco (config)monitor session 1 source interface G0/22、配置鏡像目的端口
Cisco (config)monitor session 1 destination interface G0/13、配置鏡像類型被本地端口鏡像
Cisco (config)monitor session 1 type local
Cisco (config)source interface G0/2
Cisco (config)destination interface G0/24
Cisco (config)end配置遠程端口鏡像
1、配置RSPAN專用VLAN
Cisco1>enable
Cisco1# configure terminal
Cisco1(config)# vlan 200
Cisco1(config-vlan)# remote-span
Cisco1(config-vlan)# end
Cisco1# show vlan remote-span
Cisco2>enable
Cisco2# configure terminal
Cisco2(config)# vlan 200
Cisco2(config-vlan)# remote-span
Cisco2(config-vlan)# end
Cisco2# show vlan remote-span2、配置鏡像源設備
Cisco1>enable
Cisco1# configure terminal
Cisco1(config)# monitor session 1 source interface G0/2 rx
Cisco1(config)# monitor session 1 destination remote vlan 200
Cisco1(config)# monitor session 1 reflector-port G0/1
Cisco1(config)# exit3、配置鏡像目標設備
Cisco2>enable
Cisco2# configure terminal
Cisco2(config)# monitor session 1 source remote vlan 200
Cisco2(config)# monitor session 1 destination interface G0/2
Cisco2(config)# exit
配置封裝的遠程端口鏡像
1、配置鏡像源設備
Cisco1>enable
Cisco1# configure terminal
Cisco1(config)# monitor session 1 type erspan-source
Cisco1(config-mon-erspan-src)# source interface gig0/1/0 rx
Cisco1(config-mon-erspan-src)# no shutdown
Cisco1(config-mon-erspan-src)# destination
Cisco1(config-mon-erspan-src-dst)# erspan-id 101
Cisco1(config-mon-erspan-src-dst)# ip address 10.1.1.1
Cisco1(config-mon-erspan-src-dst)# origin ip address 172.16.1.12、配置鏡像目標設備
Cisco2>enable
Cisco2# configure terminal
Cisco2(config)# monitor session 2 type erspan-destination
Cisco2(config-mon-erspan-dst)# destination interface gigabitEthernet2/2/1
Cisco2(config-mon-erspan-dst)# no shutdown
Cisco2(config-mon-erspan-dst)# source
Cisco2(config-mon-erspan-dst-src)# erspan-id 101
Cisco2(config-mon-erspan-dst-src)# ip address 10.1.1.13、配置流鏡像
Cisco> enable
Cisco# configure terminal
Cisco (config)#ip access 1 permit 192.168.1.0 0.0.0.255
Cisco (config)# monitor session 2 source interface G0/1
Cisco (config)# monitor session 2 destination interface G0/2 encapsulation replicate
Cisco (config)# monitor session 2 filter ip access-group 1
Cisco (config)# end
