CCNP Part 16: VXLAN (2) + Port Mirroring
This part is mainly a hands-on VXLAN demonstration.
VXLAN demonstration
A stock eNSP install does not ship with this device image;
you need the CE12800.
I have it and can share it with everyone:
Link: https://pan.baidu.com/s/1nqGo8a7mmWpthu-CuBC80Q?pwd=cjnb
Extraction code: cjnb
It has to be imported into eNSP manually.
On my 32 GB machine it took several minutes just to boot, but that does not get in the way much once it is running; it is only slow to start.
The roles in the topology are as follows:
The LSWs each stand for a V-switch (in a real environment these are all virtualized and invisible; all you can see is the physical server that hosts the virtual devices).
The CEs each stand for an NVE.
The PCs each stand for a downstream server.
The device in the middle does not matter; it is just one of the devices providing Layer 3 reachability.
So, of these,
these three spots represent an underlay environment.
What does that mean? Pure underlay: as long as the three of them can reach each other, we are fine. The VNI on both the left and right devices is 1000.
The BD on the left device is 1000.
The BD on the right device is 2000.
The final requirement is that the left and right sides can communicate.
Left PC IP: 100.1.1.2
Right PC IP: 100.1.1.1
Both use the gateway 100.1.1.254.
Ignore the VLANs in the picture: the left PC's VLAN is 100, the right PC's is 200.
At the top, the left VLAN is 10 and the right VLAN is 20.
As for the underlay at the top, it does not matter; address it however you like.
A quick aside:
on Huawei CE-series devices,
after you enter sys the prompt gains a tilde (~).
It means that none of the configuration you make takes effect yet.
Why? In case you make a mistake: you have to commit before the configuration takes effect.
CE: enterprise edge device, also used at the data center edge.
Of course there is a workaround.
Doing it this way takes you straight into the immediately-effective view, and every command then behaves just as usual.
If you configure a subinterface straight away, it will tell you it does not take effect.
The subinterface on the downlink port is used to strip the VLAN tag.
And it can only be a Layer 2 subinterface, because an IP address has already been configured above, which makes that Layer 3.
Strip the tag from the underlying traffic.
First create the VXLAN and the BD in advance,
then strip the tag on the subinterface.
Note that the interface connected to the vSwitch needs no configuration at all; just bring it up! The VLAN corresponds to the vSwitch's VLAN.
At this point there are as many subinterfaces as there are VLANs, which makes for quite a large job.
The subinterface's only job is to decapsulate the VLAN below it.
Build the tunnel: tunnel (VTEP)
Each side has done its own work; all that is left is to build the tunnel, so here it comes.
The process is much like configuring a tunnel, but you do not need to write a destination.
Peer side:
Once the configuration is done, it just works.
That is the effect of VXLAN.
Since we keep talking about a big Layer 2, a Layer 2 domain, just look at the ARP table and you will see; no problem.
Each device's configuration is as follows,
corresponding to this picture.
[CE1]dis current-configuration
!Software Version V800R013C00SPC560B560
!Last configuration was updated at 2022-02-21 00:25:00+00:00
!Last configuration was saved at 2022-02-20 23:59:09+00:00
#
sysname CE1
#
device board 17 board-type CE-MPUB
device board 1 board-type CE-LPUE
#
vlan batch 10
#
bridge-domain 1000
 vxlan vni 1000
#
vni 1000
#
aaa
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
 domain default_admin
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface MEth0/0/0
 undo shutdown
#
interface GE1/0/0
 undo shutdown
#
interface GE1/0/0.10 mode l2
 encapsulation dot1q vid 100
 bridge-domain 1000
#
interface GE1/0/1
 undo shutdown
 port default vlan 10
#
interface GE1/0/2
 undo shutdown
#
interface GE1/0/3
 shutdown
#
interface GE1/0/4
 shutdown
#
interface GE1/0/5
 shutdown
#
interface GE1/0/6
 shutdown
#
interface GE1/0/7
 shutdown
#
interface GE1/0/8
 shutdown
#
interface GE1/0/9
 shutdown
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.0
#
interface Nve1
 source 1.1.1.1
 vni 1000 head-end peer-list 3.3.3.3
#
interface NULL0
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 1.1.1.0 0.0.0.255
  network 10.1.1.0 0.0.0.255
#
ssh authorization-type default aaa
#
user-interface con 0
#
port-group lin
#
vm-manager
#
return
[CE1]dis ip int br
*down: administratively down
!down: FIB overload down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 1
Interface IP Address/Mask Physical Protocol VPN
LoopBack0 1.1.1.1/24 up up(s) --
MEth0/0/0 unassigned up down --
NULL0 unassigned up up(s) --
Vlanif10 10.1.1.1/24 up up --
[CE1]dis ip rout
[CE1]dis ip routing-table
Proto: Protocol Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black holeroute
------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 12       Routes : 12

Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
1.1.1.0/24          Direct  0    0      D      1.1.1.1      LoopBack0
1.1.1.1/32          Direct  0    0      D      127.0.0.1    LoopBack0
1.1.1.255/32        Direct  0    0      D      127.0.0.1    LoopBack0
3.3.3.3/32          OSPF    10   2      D      10.1.1.2     Vlanif10
10.1.1.0/24         Direct  0    0      D      10.1.1.1     Vlanif10
10.1.1.1/32         Direct  0    0      D      127.0.0.1    Vlanif10
10.1.1.255/32       Direct  0    0      D      127.0.0.1    Vlanif10
20.1.1.0/24         OSPF    10   2      D      10.1.1.2     Vlanif10
127.0.0.0/8         Direct  0    0      D      127.0.0.1    InLoopBack0
127.0.0.1/32        Direct  0    0      D      127.0.0.1    InLoopBack0
127.255.255.255/32  Direct  0    0      D      127.0.0.1    InLoopBack0
255.255.255.255/32  Direct  0    0      D      127.0.0.1    InLoopBack0
[CE2]dis current-configuration
!Software Version V800R013C00SPC560B560
!Last configuration was updated at 2022-02-21 00:42:44+00:00
!Last configuration was saved at 2022-02-20 23:58:52+00:00
#
sysname CE2
#
device board 17 board-type CE-MPUB
device board 1 board-type CE-LPUE
#
vlan batch 20
#
bridge-domain 2000
 vxlan vni 1000
#
vni 1000
#
aaa
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
 domain default_admin
#
interface Vlanif20
 ip address 20.1.1.1 255.255.255.0
#
interface MEth0/0/0
 undo shutdown
#
interface GE1/0/0
 undo shutdown
 port default vlan 20
#
interface GE1/0/1
 undo shutdown
#
interface GE1/0/1.1 mode l2
 encapsulation dot1q vid 200
 bridge-domain 2000
#
interface GE1/0/2
 undo shutdown
#
interface GE1/0/3
 shutdown
#
interface GE1/0/4
 shutdown
#
interface GE1/0/5
 shutdown
#
interface GE1/0/6
 shutdown
#
interface GE1/0/7
 shutdown
#
interface GE1/0/8
 shutdown
#
interface GE1/0/9
 shutdown
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.0
#
interface Nve1
 source 3.3.3.3
 vni 1000 head-end peer-list 1.1.1.1
#
interface NULL0
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 3.3.3.0 0.0.0.255
  network 20.1.1.0 0.0.0.255
#
ssh authorization-type default aaa
#
user-interface con 0
#
vm-manager
#
return
[CE2]dis ip int br
[CE2]dis ip int brief
*down: administratively down
!down: FIB overload down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 1
Interface IP Address/Mask Physical Protocol VPN
LoopBack0 3.3.3.3/24 up up(s) --
MEth0/0/0 unassigned up down --
NULL0 unassigned up up(s) --
Vlanif20 20.1.1.1/24 up up --
[CE2]dis ip routing-table
Proto: Protocol Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black holeroute
------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 12       Routes : 12

Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
1.1.1.1/32          OSPF    10   2      D      20.1.1.2     Vlanif20
3.3.3.0/24          Direct  0    0      D      3.3.3.3      LoopBack0
3.3.3.3/32          Direct  0    0      D      127.0.0.1    LoopBack0
3.3.3.255/32        Direct  0    0      D      127.0.0.1    LoopBack0
10.1.1.0/24         OSPF    10   2      D      20.1.1.2     Vlanif20
20.1.1.0/24         Direct  0    0      D      20.1.1.1     Vlanif20
20.1.1.1/32         Direct  0    0      D      127.0.0.1    Vlanif20
20.1.1.255/32       Direct  0    0      D      127.0.0.1    Vlanif20
127.0.0.0/8         Direct  0    0      D      127.0.0.1    InLoopBack0
127.0.0.1/32        Direct  0    0      D      127.0.0.1    InLoopBack0
127.255.255.255/32  Direct  0    0      D      127.0.0.1    InLoopBack0
255.255.255.255/32  Direct  0    0      D      127.0.0.1    InLoopBack0
[ZHONGXIN]dis ip int br
[ZHONGXIN]dis ip int brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 3
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 2
Interface IP Address/Mask Physical Protocol
MEth0/0/1 unassigned down down
NULL0 unassigned up up(s)
Vlanif1 unassigned down down
Vlanif10 10.1.1.2/24 up up
Vlanif20 20.1.1.2/24 up up
[ZHONGXIN]dis ip rout
[ZHONGXIN]dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
1.1.1.1/32          OSPF    10   1      D      10.1.1.1     Vlanif10
3.3.3.3/32          OSPF    10   1      D      20.1.1.1     Vlanif20
10.1.1.0/24         Direct  0    0      D      10.1.1.2     Vlanif10
10.1.1.2/32         Direct  0    0      D      127.0.0.1    Vlanif10
20.1.1.0/24         Direct  0    0      D      20.1.1.2     Vlanif20
20.1.1.2/32         Direct  0    0      D      127.0.0.1    Vlanif20
127.0.0.0/8         Direct  0    0      D      127.0.0.1    InLoopBack0
127.0.0.1/32        Direct  0    0      D      127.0.0.1    InLoopBack0
[ZHONGXIN]dis cu
[ZHONGXIN]dis current-configuration
#
sysname ZHONGXIN
#
vlan batch 10 20
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
Feb 21 2022 00:48:22-08:00 ZHONGXIN DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 1, the change loop count is 0, and the maximum number of records is 4095.
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
 ip address 20.1.1.2 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 20.1.1.0 0.0.0.255
#
user-interface con 0
user-interface vty 0 4
#
return
I will not paste the rest: the left side is VLAN 100 and the right side is VLAN 200,
and the uplink is a trunk that allows all VLANs.
The PCs just get one IP each, left and right, in the same subnet, and that is all.
On the CE devices you can see both PCs' MAC addresses.
That is the VXLAN demonstration.
SPAN: port mirroring (the official docs call it the analyzer)
SPAN stands for Switched Port Analyzer.
It is used for local packet capture and is also the most commonly used form.
RSPAN is for remote use.
The R stands for Remote (it applies to Layer 2 environments),
carried over a VLAN.
ERSPAN
Encapsulation Remote SPAN, which can work over a Layer 3 environment.
For now it is only available on the Cisco 6500 series and above, or the N7K and N9K.
However, mirroring consumes a lot of device memory; done carelessly it can crash a low-performance device.
How to configure
Cisco
This is quite commonly used, especially in the security field,
so I will demonstrate both Cisco and Huawei.
Create a mirror group
First, this device has low performance and can only run two mirror groups.
Typical devices support 4, set by the vendor according to device performance.
The most I have personally seen is support for 8 mirror groups.
This is just a single group.
rx is the upstream (receive) direction and tx the downstream (transmit) direction; by default we set both, meaning both directions are captured.
If you omit it, the default applies.
Specify the source and destination manually and you are done.
Now verify (ignore the environment; everything is already mapped).
telnet
Wireshark
The capture shows that the telnet packets are passing through.
A quick primer on reading the capture
The first line, Frame, is the data format followed by the byte count, from interface 0.
The second is the Layer 2 protocol: source MAC, destination MAC.
The third is Layer 3, IPv4: source address 10.1.1.2, destination 10.1.1.1.
The fourth is Layer 4, TCP: see it? Source port 23, destination port, length, ACK.
But the most important part is the packet body below; that is where the data is.
The password is huawei, and this is one of the packets that carries it.
A capture shows everything; you only need to know how to read it. This also shows a downside: telnet is cleartext.
Nowadays almost everything is encrypted, so capturing it is of no use.
The RSPAN configuration is shown only, not demonstrated.
It is actually quite a hassle, because every device along the path must have the same remote VLAN; leaving aside whether that is wasteful, it is simply a hassle.
ERSPAN cannot be demonstrated either.
It requires very high hardware performance and I do not have an image for it, so I can only give the configuration. It is rarely used anyway; these high-end devices are generally deployed in data centers and IDCs.
Note: this is only a configuration template; adjust it yourself, on the premise that connectivity is already established.
One more thing: some people think these technologies belong to NA, some to NP, and some to IE; this is just my own classification.
Huawei port mirroring configuration
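As an added example that is not part of the original post (and not Huawei's or eNSP's code), the Python below builds a constructed VXLAN frame matching this lab (VTEP 1.1.1.1 to 3.3.3.3, VNI 1000, an inner telnet segment from 100.1.1.2 to 100.1.1.1, the same Layer 2 over Layer 3 the VXLAN demo shows) and decodes it the way the layer-by-layer walk through a Wireshark capture above does, flagging the cleartext telnet inside the tunnel. The MAC addresses, source ports and payload are assumed values.

```python
import struct

VXLAN_PORT = 4789  # IANA-assigned UDP port for VXLAN (RFC 7348)

def mac(b):
    return ":".join(f"{x:02x}" for x in b)

def ip(b):
    return ".".join(str(x) for x in b)

def decode(frame):
    """Walk Ethernet -> IPv4 -> UDP/TCP; on UDP 4789 parse VXLAN and recurse into the inner frame."""
    layers = []
    dst, src, etype = frame[:6], frame[6:12], struct.unpack("!H", frame[12:14])[0]
    layers.append(("eth", f"{mac(src)} -> {mac(dst)} type=0x{etype:04x}"))
    if etype != 0x0800:          # only IPv4 is decoded here; ARP etc. stop at Ethernet
        return layers
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    layers.append(("ipv4", f"{ip(frame[26:30])} -> {ip(frame[30:34])} proto={proto}"))
    l4 = frame[14 + ihl:]
    if proto not in (6, 17):
        return layers
    sport, dport = struct.unpack("!HH", l4[:4])
    if proto == 17:              # UDP: VXLAN lives on the well-known destination port
        layers.append(("udp", f"{sport} -> {dport}"))
        if dport == VXLAN_PORT:
            vni = int.from_bytes(l4[12:15], "big")   # VXLAN: flags(1) rsvd(3) VNI(3) rsvd(1)
            layers.append(("vxlan", f"vni={vni} I-flag={(l4[8] >> 3) & 1}"))
            layers += decode(l4[16:])                 # tenant frame follows the 8-byte header
    else:                        # TCP: telnet carries logins in cleartext, so flag it
        payload = l4[(l4[12] >> 4) * 4:]
        note = " CLEARTEXT-TELNET" if 23 in (sport, dport) else ""
        layers.append(("tcp", f"{sport} -> {dport} payload={payload!r}{note}"))
    return layers

def build_sample():
    """Constructed frame (not a real capture): VTEP 1.1.1.1 -> 3.3.3.3, VNI 1000, inner telnet."""
    def eth(src, dst, etype, payload):
        return dst + src + struct.pack("!H", etype) + payload
    def ipv4(src, dst, proto, payload):  # checksum left at 0; the decoder does not verify it
        return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                           bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload
    tcp = struct.pack("!HHIIBBHHH", 1025, 23, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + b"huawei\r\n"
    inner = eth(b"\x00\x00\x00\xaa\xaa\x02", b"\x00\x00\x00\xaa\xaa\x01", 0x0800,
                ipv4("100.1.1.2", "100.1.1.1", 6, tcp))
    vxlan = struct.pack("!B3s3sB", 0x08, b"\0\0\0", (1000).to_bytes(3, "big"), 0) + inner
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, 8 + len(vxlan), 0) + vxlan
    return eth(b"\x00\x00\x00\x11\x11\x01", b"\x00\x00\x00\x11\x11\x02", 0x0800,
               ipv4("1.1.1.1", "3.3.3.3", 17, udp))
```

Seen from a mirror port on the underlay, the frame is just UDP/4789 between the two loopbacks; only after stripping the VXLAN header does the tenant's cleartext telnet become visible, which is why a mirror on the overlay side and encrypted management protocols both matter.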
observe-port 1 interface GigabitEthernet0/0/1 // configure G0/0/1 as the output (observe) port; it connects to the PC or monitoring device
#
interface Vlanif1
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
#
interface GigabitEthernet0/0/2
 port-mirroring to observe-port 1 inbound   // upstream traffic
 port-mirroring to observe-port 1 outbound  // downstream traffic
 // you can enter both when configuring, but the running config displays it as two lines like this
#
Huawei remote mirroring configuration
Sending side (source)
<SW2>dis current-configuration
#
sysname SW2
#
observe-port 1 interface GigabitEthernet0/0/3 vlan 10 // the remote observe port belongs to VLAN 10; this VLAN is the Remote-VLAN from the Cisco version, and every switch along the path needs it
#
interface GigabitEthernet0/0/1
 port-mirroring to observe-port 1 inbound
 port-mirroring to observe-port 1 outbound
#
interface GigabitEthernet0/0/2
 port-mirroring to observe-port 1 inbound
 port-mirroring to observe-port 1 outbound
#
interface GigabitEthernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 // you can write 10 here or all; port 3 is the interface to the interconnected switch
#
Receiving side
<SW3>display current-configuration
#
sysname SW3
#
vlan batch 10
#
interface GigabitEthernet0/0/1 // this interface connects to the other switch
 port link-type trunk
 port trunk allow-pass vlan 10
#
interface GigabitEthernet0/0/2 // this interface is the port that receives the mirrored traffic
 port link-type access
 port default vlan 10