H3C Switch Port Mirroring

Configuring local port mirroring and remote port mirroring

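1. Create a local mirroring group.
[SW]mirroring-group 1 local

2. Configure GE1/0/2 and GE1/0/3 as the source ports of local mirroring group 1, and mirror traffic in both directions on both ports.
[SW]mirroring-group 1 mirroring-port GigabitEthernet 1/0/2 to GigabitEthernet 1/0/3 both

3. Configure GE1/0/4 as the destination (monitor) port of the local mirroring group.
[SW]mirroring-group 1 monitor-port GigabitEthernet 1/0/4

4. Disable the spanning tree protocol on destination port GE1/0/4 so that it does not interfere with mirroring.
[SW]interface GigabitEthernet 1/0/4
[SW-GigabitEthernet1/0/4]undo stp enable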

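Configuration example with multiple destination ports

As shown in Figure 1, the user has two monitoring and analysis devices: an analyzer and an IDS (Intrusion Detection System) device. The user wants traffic from the Internet to be analyzed and checked for intrusions at the same time. The Device in this network does not support one port being used as a source port by more than one local mirroring group.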

# Create a remote source mirroring group.
system-view
[Device] mirroring-group 1 remote-source
# Create VLAN 2.
[Device] vlan 2
[Device-vlan2] quit
# Configure the remote mirroring VLAN, the source port and the reflector port for the remote source mirroring group.
[Device] mirroring-group 1 remote-probe vlan 2
[Device] mirroring-group 1 mirroring-port ethernet 1/1 inbound
[Device] mirroring-group 1 reflector-port ethernet 1/2

Add the monitoring ports to the remote mirroring VLAN
# Add port Ethernet1/3 to the remote mirroring VLAN.
[Device] interface ethernet 1/3
[Device-Ethernet1/3] port access vlan 2
[Device-Ethernet1/3] quit
# Add port Ethernet1/4 to the remote mirroring VLAN.
[Device] interface ethernet 1/4
[Device-Ethernet1/4] port access vlan 2

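Mirroring configuration example with multiple source devices

As shown in Figure 2, the user has only one analyzer but wants to monitor and analyze traffic from both the Internet and the LAN. All three Devices are Layer 2 devices. For the traffic to be analyzed accurately, traffic from the Internet and traffic from the LAN must not affect each other.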

(1) Configure the remote source mirroring group
# Create remote source mirroring group 1.
system-view
[DeviceA] mirroring-group 1 remote-source
# Create VLAN 2.
[DeviceA] vlan 2
[DeviceA-vlan2] quit
# Configure the remote mirroring VLAN, the source port and the reflector port for the remote source mirroring group.
[DeviceA] mirroring-group 1 remote-probe vlan 2
[DeviceA] mirroring-group 1 mirroring-port ethernet 1/1 inbound
[DeviceA] mirroring-group 1 reflector-port ethernet 1/2

(2) Configure the port connected to Device C
# Configure port Ethernet1/3 as a trunk port.
[DeviceA] interface ethernet 1/3
[DeviceA-Ethernet1/3] port link-type trunk
# Allow the remote mirroring VLAN on port Ethernet1/3.
[DeviceA-Ethernet1/3] port trunk permit vlan 2
# Remove the default VLAN from port Ethernet1/3.
[DeviceA-Ethernet1/3] undo port trunk permit vlan 1

4.3.2  Device B configuration

(1) Configure the remote source mirroring group
# Create remote source mirroring group 1.
system-view
[DeviceB] mirroring-group 1 remote-source
# Create VLAN 3.
[DeviceB] vlan 3
[DeviceB-vlan3] quit
# Configure the remote mirroring VLAN, the source port and the reflector port for the remote source mirroring group.
[DeviceB] mirroring-group 1 remote-probe vlan 3
[DeviceB] mirroring-group 1 mirroring-port ethernet 1/1 inbound
[DeviceB] mirroring-group 1 reflector-port ethernet 1/2

(2) Configure the port connected to Device C
# Configure port Ethernet1/3 as a trunk port.
[DeviceB] interface ethernet 1/3
[DeviceB-Ethernet1/3] port link-type trunk
# Allow the remote mirroring VLAN on port Ethernet1/3.
[DeviceB-Ethernet1/3] port trunk permit vlan 3
# Remove the default VLAN from port Ethernet1/3.
[DeviceB-Ethernet1/3] undo port trunk permit vlan 1

4.3.3  Device C configuration

(1) Create the remote mirroring VLANs of Device A and Device B
# Create VLAN 2 and VLAN 3.
system-view
[DeviceC] vlan 2
[DeviceC-vlan2] quit
[DeviceC] vlan 3
[DeviceC-vlan3] quit

(2) Configure the port connected to Device A
# Configure port Ethernet1/1 as a trunk port.
[DeviceC] interface ethernet 1/1
[DeviceC-Ethernet1/1] port link-type trunk
# Allow Device A's remote mirroring VLAN on port Ethernet1/1.
[DeviceC-Ethernet1/1] port trunk permit vlan 2
# Remove the default VLAN from port Ethernet1/1.
[DeviceC-Ethernet1/1] undo port trunk permit vlan 1
[DeviceC-Ethernet1/1] quit

(3) Configure the port connected to Device B
# Configure port Ethernet1/2 as a trunk port.
[DeviceC] interface ethernet 1/2
[DeviceC-Ethernet1/2] port link-type trunk
# Allow Device B's remote mirroring VLAN on port Ethernet1/2.
[DeviceC-Ethernet1/2] port trunk permit vlan 3
# Remove the default VLAN from port Ethernet1/2.
[DeviceC-Ethernet1/2] undo port trunk permit vlan 1
[DeviceC-Ethernet1/2] quit

(4) Configure the port connected to the analyzer
# Configure port Ethernet1/3 as a trunk port.
[DeviceC] interface ethernet 1/3
[DeviceC-Ethernet1/3] port link-type trunk
# Allow the remote mirroring VLANs of Device A and Device B on port Ethernet1/3.
[DeviceC-Ethernet1/3] port trunk permit vlan 2 to 3
# Remove the default VLAN from port Ethernet1/3.
[DeviceC-Ethernet1/3] undo port trunk permit vlan 1
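
An added example, not part of the original page or of H3C's documentation: a small Python check that reads a configuration session in the format shown above and reports a remote source mirroring group that lacks a remote mirroring VLAN, source port or reflector port, and any trunk port that carries a remote mirroring VLAN without the `undo port trunk permit vlan 1` step. The function names, the `probe_vlans` parameter (for devices such as Device C that have no mirroring group of their own) and the sample session are assumptions constructed for illustration.

```python
import re

# Constructed sample: the Device A session from the example above, with the
# reflector port and the "undo port trunk permit vlan 1" step left out.
SAMPLE = """\
[DeviceA] mirroring-group 1 remote-source
[DeviceA] mirroring-group 1 remote-probe vlan 2
[DeviceA] mirroring-group 1 mirroring-port ethernet 1/1 inbound
[DeviceA] interface ethernet 1/3
[DeviceA-Ethernet1/3] port link-type trunk
[DeviceA-Ethernet1/3] port trunk permit vlan 2
"""
REQUIRED = ("remote-probe", "mirroring-port", "reflector-port")

def vlan_set(tokens):
    """Expand VLAN arguments such as ['2'] or ['2', 'to', '3']."""
    if len(tokens) == 3 and tokens[1] == "to":
        return set(range(int(tokens[0]), int(tokens[2]) + 1))
    return {int(t) for t in tokens}

def audit(session, probe_vlans=()):
    """Return findings for one device's session (hypothetical helper, not an H3C tool)."""
    groups, trunks, probe, iface = {}, {}, set(probe_vlans), None
    for line in session.splitlines():
        m = re.match(r"\[[^\]]*\]\s*(\S.*)", line.strip())
        if not m:
            continue                      # comments and lines without a prompt
        cmd = m.group(1).split()
        if cmd[0] == "mirroring-group" and len(cmd) >= 3:
            groups.setdefault(cmd[1], set()).add(cmd[2])
            if cmd[2:4] == ["remote-probe", "vlan"]:
                probe |= vlan_set(cmd[4:])
        elif cmd[0] == "interface":
            iface = " ".join(cmd[1:])
            trunks.setdefault(iface, {"permit": set(), "default_removed": False})
        elif cmd[0] == "quit":
            iface = None
        elif iface and cmd[:4] == ["port", "trunk", "permit", "vlan"]:
            trunks[iface]["permit"] |= vlan_set(cmd[4:])
        elif iface and cmd[:5] == ["undo", "port", "trunk", "permit", "vlan"]:
            trunks[iface]["default_removed"] |= 1 in vlan_set(cmd[5:])
    findings = []
    for gid, roles in sorted(groups.items()):
        if "remote-source" in roles:
            findings += [f"group {gid}: no {r} configured" for r in REQUIRED if r not in roles]
    for name, t in sorted(trunks.items()):
        if t["permit"] & probe and not t["default_removed"]:
            findings.append(f"{name}: carries mirroring VLAN but still permits VLAN 1")
    return findings
```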