
Notes on Cisco mirror port (SPAN) configuration

Port mirroring

 Concept: a way of copying the traffic of one or more switch ports (or VLANs) to one or more other ports.

Why it is needed: deploying an IDS means monitoring network traffic, but in the switched networks now in general use a single port no longer sees all of the traffic (the switch forwards each frame only to the port that owns the destination MAC). The switch is therefore configured to copy the traffic of one or more ports (or VLANs) to one port where the monitor sits.

Port mirroring goes by several names:

 Port Mirroring: usually means copying the traffic of one port to another port; the destination port cannot itself transmit data

 Monitoring port: the port the monitor (IDS) is attached to

 Spanning Port: usually means copying the traffic of all ports to one port; again the destination port cannot transmit data

 SPAN port: in Cisco products SPAN stands for Switch Port ANalyzer; on some switches the SPAN port cannot transmit data

Switches that support port mirroring

  Most mid-range and higher switches support port mirroring, but to differing degrees

Port mirroring configuration methods:

  http://www.securitywizardry.com/switch.htm

Port Mirroring generally indicates the ability to copy the traffic from a single port to a mirror port but disallows any type of bidirectional traffic on the port.

Spanning Port usually indicates the ability to copy traffic from all the ports to a single port but also typically disallows bidirectional traffic on the port.

In the case of Cisco, SPAN stands for Switch Port ANalyzer. Some switches do not allow SPAN ports to transmit packets; this is an issue if you wish to use IDS TCP countermeasures such as resets.

Extreme Switches Newer

Submitted By Kevin Farnes

Information Updated: 16 Aug 2004

{enable | disable} mirroring on port <port-no>

configure mirroring { add | delete } { vlan <vlan> | port <port-no> }

The first line basically turns on or off the mirroring and what port the mirrored output should be sent to. The second line specifies what is to be mirrored. The second line can be repeated any number of times. There are some limitations on capability however, such as if you are mirroring a port then it must be on the same blade as the port being mirrored to.

Extreme Switches Older (e.g. Summit 48, ExtremeWare Version 4.1)

Submitted By Joel Snyder

In the older Summit Extremes (like the 48, not the 48i), you are blocked at v4 of their software

enable mirror to port <port-no> (both enables mirroring, and says where to send it.  Notice that you cannot provide a list of ports, unfortunately)

disable mirror    (disables mirroring)

config mirror add port <portno>       (adds port <portno>, all VLANs that this port participates in)

config mirror add port <portno> vlan <vlan name or #>     (adds port <portno>, but only VLAN <vlan> traffic will be mirrored)

config mirror add vlan <vlan name or #>      (adds all ports that have this VLAN)

You can add more than one port by repeating the above lines.

config mirror del port <portno>

config mirror del vlan <vlan>     (does the obvious thing)

show mirror     (shows status of mirroring, including whether the port is up or not (!))

One thing to be careful of in the Extreme is that with mirroring (at least in this version of the O/S), you get both IN and OUT mirroring, which means that if you pick a VLAN as the mirror object, you may see the same frame a couple of times if it goes in one port on the VLAN and out a different one.
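The duplicate frames described above (and in the Extreme summary later on this page) are a real nuisance for an IDS or analyzer fed from a VLAN mirror: every switched frame arrives twice, a few microseconds apart. On Cisco platforms the `rx` keyword on the source avoids this at the switch; on the older Extreme software it cannot be avoided, so the analyzer has to drop the second copy itself. The following is an added example, not code from the original page or from any vendor; it assumes the two copies are byte-identical (true for a frame switched at layer 2 within one VLAN and mirrored untagged), and the frames and timestamps are constructed test data rather than a real capture.

```python
"""Drop the duplicate copy of a frame that a VLAN mirror delivers twice, once
when it enters one port of the VLAN and once when it leaves another.

Assumption (not from the original page): both copies are byte-identical.
The frames and timestamps below are constructed test data, not a capture.
"""
import hashlib
from typing import Dict, Iterable, List, Tuple

Frame = Tuple[float, bytes]  # (capture timestamp in seconds, raw Ethernet frame)


def build_frame(dst_mac: str, src_mac: str, payload: bytes) -> bytes:
    """Build a minimal Ethernet II frame: dst, src, EtherType 0x0800, payload."""
    def mac(m: str) -> bytes:
        return bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + payload


def frame_key(raw: bytes) -> bytes:
    """Identity of a frame for de-duplication: a hash of all of its bytes."""
    return hashlib.sha256(raw).digest()


def dedupe(frames: Iterable[Frame], window: float = 0.001) -> Tuple[List[Frame], int]:
    """Keep the first copy of each frame and drop byte-identical copies that
    arrive within `window` seconds of it.

    The ingress/egress duplicate is microseconds apart, while a genuine TCP
    retransmission of the same bytes arrives at least one RTO later, so a
    1 ms window removes the mirror artefact without hiding real retransmits.
    Returns (kept_frames, dropped_count).
    """
    last_kept: Dict[bytes, float] = {}
    kept: List[Frame] = []
    dropped = 0
    for ts, raw in frames:
        key = frame_key(raw)
        prev = last_kept.get(key)
        if prev is not None and 0.0 <= ts - prev <= window:
            dropped += 1        # second copy of the same frame: mirror duplicate
            continue
        last_kept[key] = ts     # first copy, or old enough to be a retransmit
        kept.append((ts, raw))
    return kept, dropped


# Constructed capture: frames A and B each appear twice a few microseconds
# apart (in one VLAN port, out another); the third copy of A, one second
# later, is a legitimate retransmission and must be kept.
A = build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", b"GET / HTTP/1.0\r\n")
B = build_frame("66:77:88:99:aa:bb", "00:11:22:33:44:55", b"HTTP/1.0 200 OK\r\n")
SAMPLE_CAPTURE: List[Frame] = [
    (1.000000, A),
    (1.000012, A),  # egress copy of A
    (1.000500, B),
    (1.000509, B),  # egress copy of B
    (2.000000, A),  # retransmission, outside the window
]

if __name__ == "__main__":
    kept, dropped = dedupe(SAMPLE_CAPTURE)
    print(f"kept {len(kept)} frames, dropped {dropped} mirror duplicates")
```

The window is the only tuning knob: make it as small as the largest ingress-to-egress delay you observe on the mirror, and well below the shortest TCP retransmission timeout, so that only the mirror artefact is suppressed.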

Cisco Catalyst SPAN Support

Submitted By Mark McDonagh

Switch                 SPAN Sessions            TCP Countermeasures
2900/3500XL            No limit                 No
2950                   1                        Yes
3550                   2                        Yes
3750                   2                        Yes
4000 w/ CatOS          5                        Yes
4500 w/ native IOS     6 (both considered 2)    No
6000 w/ CatOS          2 Rx or Both, 4 Tx       Yes
6000 w/ native IOS     2                        No

Cisco Catalyst 2950/3550/3750 (monitor session syntax)

Information Updated: 17 Aug 2004

c3550(config)#monitor session 1 source ?

   interface SPAN source interface

   remote SPAN source Remote

   vlan SPAN source VLAN

c3550(config)#monitor session 1 source interface fa0/1 - 3 rx

c3550(config)#monitor session 1 destination interface fa0/24

Only an Rx SPAN session can have multiple source ports. Note the spaces in syntax when specifying multiple interfaces. Can be “–” or “,”

With Source VLAN's

c3550(config)#monitor session 1 source vlan 1 - 10 rx

TCP Resets

c3550(config)#monitor session 1 destination interface fa0/24 ingress vlan 1

The Catalyst 2950/3550 will allow you to configure a single VLAN to receive untagged TCP Reset packets. TCP Reset support is configured through the “ingress vlan” keywords. Only one VLAN is permitted. In this example, non-802.1q-tagged TCP Resets to servers or attackers existing on or through VLAN 1 would be allowed, but not if the attack or target was on VLAN 2-10. If the RST is a response to an attack detected by IDS 4.x where the 802.1q tag has been maintained, the RST will be sent on the appropriate VLAN.

If you are monitoring a VLAN trunk port, you may wish to filter one or more of the VLANs on that trunk. This example only monitors VLANs 5 and 100-200 on the trunk.

c3550(config)#monitor session 1 source interface gigabit0/1

c3550(config)#monitor session 1 filter vlan 5 , 100 - 200

If the monitor session destination port is a trunk, you should also use keyword ‘encapsulation dot1q’. If you do not, packets will be sent on the interface in native format.

Cisco Catalyst 2900XL/3500XL (port monitor syntax)

int fa0/24

port monitor fa0/1

port monitor fa0/2

port monitor fa0/3

^Z

show port monitor

Monitor Port          Port Being Monitored
---------------       ---------------------
FastEthernet0/24      FastEthernet0/1
FastEthernet0/24      FastEthernet0/2
FastEthernet0/24      FastEthernet0/3

Monitored ports must be on same VLAN

Cannot modify monitored ports

“port monitor vlan” is only valid for VLAN 1, and will only monitor management traffic destined to the IP address configured as VLAN 1 on the switch. “port monitor”, by itself, will configure the port to monitor all ports on the switch that belong to the VLAN that port is assigned to.

Cisco Catalyst 4000 6000  with CatOS Switches

On Cat6k:

set span {src_mod/src_ports| src_vlans | sc0} {dest_mod/dest_port} [rx | tx | both] [inpkts {enable | disable}] [learning {enable | disable}] [multicast {enable | disable}] [filter vlans...] [create]

On Cat4k:

set span {src_mod/src_ports | src_vlan} dest_mod/dest_port [rx | tx | both] [filter vlan] [inpkts {enable | disable}] [learning {enable | disable}] [create]

Use the ‘create’ keyword with different destination ports to create multiple SPAN sessions.

If the ‘create’ keyword is not used, and a span session exists with the same destination port, the existing session will be replaced. If the destination port is different, then a new session will be created.

With source 2/1 and destination 3/5

c6500 (enable) set span 2/1 3/5

Cisco Catalyst 4000 6000  with IOS Switches

Syntax for Cat4k:

Cat4k(config)# [no] monitor session {session_number} {source {interface type/num} | {vlan vlan_ID}} [, | - | rx | tx | both]

Cat4k(config)# [no] monitor session {session_number} {destination {interface type/num} }

Syntax for Cat6k:

Cat6k(config)# monitor session session_number source {{single_interface | interface_list | interface_range | mixed_interface_list | single_vlan | vlan_list | vlan_range | mixed_vlan_list} [rx | tx | both]} | {remote vlan rspan_vlan_ID}}

Cat6k(config)# monitor session session_number destination {single_interface | interface_list | interface_range | mixed_interface_list} | {remote vlan rspan_vlan_ID}}

Cisco Catalyst 2950 Switches

( From Configuration Mode )

monitor session 1 source interface <interface>

monitor session 1 destination interface <interface>

The first line determines which ports are being monitored in the session and can be repeated. The second line determines where the monitor output is to be sent. On the 2950 only ports can be monitored. With Cisco the monitoring capability and commands can vary significantly with different models of switch.

Cisco 3500XL Switches

Submitted By Chris McCulloh

Connect via a command line, then enter enable mode (type 'en'), then execute the following commands, assuming the sniffer is plugged into port 14 on the switch, and all other ports in a 24 port switch are desired except 23:

configure terminal

interface f14

port monitor f1-13, f15-22,f24

end

The box should then see all traffic.

Cisco Catalyst 5000 Switches

Submitted By Dave Rodrigue

set span 2-3 5/7 create

where 2-3 are the VLANs I'm monitoring. 

Switch ports can be specified as well 

set span 2/3 5/7 create     to monitor port 2/3

From Cisco's docs, in case that makes it clearer:

set span {src_mod/src_ports | src_vlan | sc0} dest_mod/dest_port [rx | tx | both] [inpkts {enable | disable}] [learning {enable | disable}] [multicast {enable | disable}] [create]

Foundry Switches

interface <interface>

port monitor <interface> { rx | tx | both }

The first line takes you into the interface that the mirror output should be presented on. The second line defines those interfaces you wish to have mirrored and whether just the input, output or both are copied.

Juniper M or T Series

Submitted By Donald Smith

Information Updated: 20 Aug 2004

Port Mirroring

1. Define the destination where copies of sampled packets will be sent:

[edit]

user@router# show forwarding-options

port-mirroring {
    input {
        family inet;
        rate <sample-rate>;
        run-length <run-length>;
    }
    output {
        interface <interface-name> {
            next-hop <address>;
        }
        no-filter-check;
    }
}

2. Define a sampling filter to identify "interesting" traffic:

user@router# show firewall filter mirror-sample

from {...} then {sample; accept;}

3. Apply the filter to the incoming interface

user@router# show interface <interface-name> unit 0 family inet

filter {input mirror-sample;}

Notes:

1. Packets that pass the input filter are sampled based on the <sample-rate> and <run-length>. In each batch of <sample-rate> packets, the first <run-length> packets are mirrored.

2. The mirror interface should not participate in any routing. The sampled packets are not in any way encapsulated, so the raw packets are sent out the interface. Hopefully, the device on the far end is a traffic analyzer and not another router!

3. The <address> needs to be specified when the mirror interface is a multi-access media, and is used to fill in the MAC address.

4. Works only for IPv4 packets, and only for transit traffic.

5. You can only set up one mirror interface per router; all "sampled" traffic is mirrored.
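Note 1 above makes the Juniper mirror a sampler, not a full copy, which matters for an IDS: with rate 100 and run-length 1 an entire attack burst can fall in the 99 packets of a batch that are never copied. The following is an added example, not code from the original page or from Juniper; it implements the sampling rule exactly as the note states it (packets numbered from zero among those that pass the filter, an assumption) and computes how often a burst of a given length is missed entirely. It also covers the Juniper summary later on this page.

```python
"""Juniper port-mirroring sampling as described on this page: "in each batch
of <sample-rate> packets, the first <run-length> packets are mirrored", and
the detection gap that rule leaves. Packet numbering is an assumption of
this example (0-based, counting only packets that passed the filter).
"""
from typing import List


def is_mirrored(index: int, rate: int, run_length: int) -> bool:
    """Packet `index` is mirrored when it lies within the first `run_length`
    positions of its batch of `rate` packets."""
    return index % rate < run_length


def mirrored_indices(n_packets: int, rate: int, run_length: int) -> List[int]:
    """Which of the first n_packets are copied to the mirror interface."""
    return [i for i in range(n_packets) if is_mirrored(i, rate, run_length)]


def burst_missed_offsets(rate: int, run_length: int, burst_len: int) -> int:
    """Count the batch offsets at which a burst of `burst_len` consecutive
    packets (one scan or exploit attempt, say) contains no mirrored packet
    at all. Divided by `rate`, this is the probability that the IDS never
    sees a single packet of the burst."""
    missed = 0
    for start in range(rate):
        if not any(is_mirrored(start + i, rate, run_length) for i in range(burst_len)):
            missed += 1
    return missed


def miss_probability(rate: int, run_length: int, burst_len: int) -> float:
    """Fraction of batch offsets at which the whole burst goes unmirrored."""
    return burst_missed_offsets(rate, run_length, burst_len) / rate


if __name__ == "__main__":
    rate, run = 100, 1          # copy 1 packet out of every 100
    print("mirrored among the first 250 packets:", mirrored_indices(250, rate, run))
    for burst in (10, 50, 100, 200):
        print(f"burst of {burst:3d} packets: P(IDS sees nothing) = "
              f"{miss_probability(rate, run, burst):.2f}")
```

A burst shorter than rate minus run-length plus one packets can be missed completely; only bursts at least `rate` packets long are guaranteed to put at least one packet on the mirror. For signature detection that needs the whole exchange, sampling is not a substitute for a SPAN port.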

 Characteristics:
        ● Cisco 2900 and Cisco 3500XL series switches

        ● Cisco 2950, Cisco 3550 and Cisco 3750 series switches

        The Catalyst 2950 and Catalyst 3550 support two monitor sessions. Enter enable mode (en, then the enable password) and configuration mode (config term), then:

Switch(config)#monitor session 1 destination interface fast0/4    (1 is the session id; the id range is 1-2)

Switch(config)#monitor session 1 source interface fast0/1 , fast0/2 , fast0/3    (space, comma, space between the interfaces)

Switch(config)#exit

Switch#copy running-config startup-config

Switch#show monitor session 1

Cisco 5000 series switches

Cisco 4000 and Cisco 6000 series switches running CatOS

Cisco 4000 and Cisco 6000 series switches running IOS

Extreme switches

     Characteristics:

                ● Only many-to-one or one-to-one mirroring can be configured (a single destination port)

                ● VLAN traffic can be monitored

                ● Extreme mirrors both IN and OUT traffic, so when a VLAN is mirrored a frame may be seen twice: once entering one port of the VLAN and once leaving another

Port mirroring on Extreme switches with ExtremeWare newer than 4.1

 {enable | disable} mirroring on port <port-no>

    Turns port mirroring on or off and names the port the mirrored traffic is sent out of; <port-no> must be a single port

 configure mirroring { add | delete } { vlan <vlan> | port <port-no> }

    Selects which VLAN(s) or port(s) are mirrored; the { vlan <vlan> | port <port-no> } part can be repeated as many times as needed

Port mirroring on Extreme switches with ExtremeWare 4.1 and older

   enable mirror to port <port-no>

    Turns port mirroring on and names the port the mirrored traffic is sent out of; <port-no> must be a single port

   disable mirror

    Turns port mirroring off

   config mirror add port <port-no>

           Mirrors the traffic of port <port-no>; if the port belongs to several VLANs, the traffic of all of them is mirrored to the destination port

   config mirror add port <port-no> vlan <vlan>

          Mirrors only the traffic of VLAN <vlan> on port <port-no>

   config mirror add vlan <vlan>

           Mirrors the traffic of every port that belongs to VLAN <vlan>

   config mirror del port <port-no>

           Stops mirroring port <port-no>

   config mirror del vlan <vlan>

           Stops mirroring VLAN <vlan>

   show mirror

           Shows the mirroring status

Foundry switches      Characteristics:

                ● Many-to-many port mirroring can be configured

Port mirroring on Foundry switches

           In configuration mode:

   interface <interface>

           Enters the port the mirrored traffic is sent out of, so that it can be configured

   port monitor <interface> { rx | tx | both }

           Names the port to mirror and which of its traffic to copy (rx: received, tx: sent, both: both directions); this line can be repeated for further ports

Juniper routers

     Characteristics:

                ● Only one mirror interface per router; all sampled traffic is sent to it

                ● Only IPv4 traffic can be mirrored

                ● Only transit traffic (packets forwarded through the router) is mirrored; traffic addressed to or originated by the router itself is not

Port mirroring on Juniper M series and T series

   [edit]
   user@router# show forwarding-options
   port-mirroring {
       input {
           family inet;
           rate <sample-rate>;
           run-length <run-length>;
       }
       output {
           interface <interface-name> {
               next-hop <address>;
           }
           no-filter-check;
       }
   }

Chooses the destination interface the sampled traffic is sent to

   user@router# show firewall filter mirror-sample
   from {...} then {sample; accept;}

Defines the sampling filter that selects the interesting traffic

   user@router# show interface <interface-name> unit 0 family inet
   filter {input mirror-sample;}

Applies the sampling filter to the input of the chosen interface

Risks of port mirroring

It adds load to the switch and can make the device unstable

In some cases packets are dropped, so 100% of the traffic is not guaranteed to be mirrored. For example, when several source ports are mirrored to one destination port, the destination port cannot forward everything it is offered and drops packets
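The second risk can be checked before the session is configured: a destination port forwards at most its own link rate, and a source mirrored in both directions offers up to twice its link rate, so even a single 100 Mbit/s port mirrored `both` can overrun a 100 Mbit/s destination. The following is an added example, not code from the original page or from Cisco; the port names and speeds are constructed to match the c3550 examples on this page, and the check assumes fully saturated source links unless a lower utilization is given.

```python
"""Pre-flight oversubscription check for a SPAN / mirror session.

Not from the original page. Port names and speeds below are constructed to
match the c3550 examples on the page; worst case (100% utilization of each
source link in each mirrored direction) is assumed unless overridden.
"""
from typing import Dict, List, Tuple

Source = Tuple[str, int, str]  # (port name, link speed in Mbit/s, "rx" | "tx" | "both")

# "both" copies the receive and the transmit path, so it offers two link-rates
DIRECTION_COPIES = {"rx": 1, "tx": 1, "both": 2}


def mirrored_load_mbps(sources: List[Source], utilization: float = 1.0) -> float:
    """Traffic offered to the destination port when every source link runs at
    `utilization` (0..1) of its speed in each mirrored direction."""
    for _, _, direction in sources:
        if direction not in DIRECTION_COPIES:
            raise ValueError(f"direction must be rx, tx or both, got {direction!r}")
    return sum(speed * DIRECTION_COPIES[d] * utilization for _, speed, d in sources)


def check_span_session(sources: List[Source], dest_speed_mbps: int,
                       utilization: float = 1.0) -> Dict[str, object]:
    """Report whether the session can drop packets at the destination port."""
    load = mirrored_load_mbps(sources, utilization)
    return {
        "offered_mbps": load,
        "destination_mbps": dest_speed_mbps,
        "oversubscription": load / dest_speed_mbps,
        "can_drop": load > dest_speed_mbps,
    }


if __name__ == "__main__":
    # The page's c3550 example: fa0/1-3 rx mirrored to fa0/24, all 100 Mbit/s
    three_rx = [("fa0/1", 100, "rx"), ("fa0/2", 100, "rx"), ("fa0/3", 100, "rx")]
    print(check_span_session(three_rx, dest_speed_mbps=100))
    # Even one port mirrored `both` oversubscribes an equal-speed destination
    print(check_span_session([("fa0/1", 100, "both")], dest_speed_mbps=100))
    # A gigabit destination port absorbs the same session with room to spare
    print(check_span_session([("fa0/1", 100, "both")], dest_speed_mbps=1000))
```

When `can_drop` is true the fixes are the ones implied by the page: mirror `rx` only where the platform allows it, spread sources over more than one session and destination, or use a faster destination port; a 3:1 ratio means that under load two thirds of the frames never reach the IDS.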

This article is reposted from the 51CTO blog 孤舟夜航之家 (original link: http://blog.51cto.com/cysky/741492). Contact the original author if you want to reprint it.

cysky