09-TAP Typical Configuration Examples
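This document provides TAP configuration examples.
A TAP (Test Access Point, also called a splitter) redirects traffic to a monitoring group and sends it to monitoring devices, enabling functions such as user online-behavior analysis, abnormal-traffic detection, and network application monitoring.
The configurations in this document were made and verified in a lab environment, and all device parameters were at factory defaults before configuration. If you have already configured the device, make sure the existing configuration does not conflict with the configuration in the following examples.
This document assumes that you are familiar with the TAP feature.
As shown in Figure 1, a company network consists of a core network, an aggregation network, an access network, and an office-area network. Configure TAP to meet the following requirements:
· Add an outer VLAN tag to the traffic of the entire network and then make two copies of it.
· The two copies are identical. One goes to ServerA for analysis, statistics, and so on; the other goes to ServerB as a backup.
Figure 1 Typical network diagram for traffic monitoring and backup with TAP
Define a TAP policy that adds VLAN tag 4094 to all packet flows, so that traffic arriving on interfaces with the policy applied in the inbound direction is copied to ServerA and ServerB.
This example was configured and verified on version xxxx.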
# Create monitoring group 1 and configure GigabitEthernet1/0/4 and GigabitEthernet1/0/5 as its member interfaces.
<DeviceB> system-view
[DeviceB] monitoring-group 1
[DeviceB-monitoring-group-1] monitoring-port gigabitethernet 1/0/4 to gigabitethernet 1/0/5
[DeviceB-monitoring-group-1] quit
# Define class classifier_tap to match all packets.
[DeviceB] traffic classifier classifier_tap
[DeviceB-classifier-classifier_tap] if-match any
[DeviceB-classifier-classifier_tap] quit
# Define traffic behavior behavior_tap with the actions of adding outer VLAN tag 4094 and redirecting to monitoring group 1.
[DeviceB] traffic behavior behavior_tap
[DeviceB-behavior-behavior_tap] nest top-most vlan 4094
[DeviceB-behavior-behavior_tap] redirect monitoring-group 1
[DeviceB-behavior-behavior_tap] quit
# Define TAP policy policy_tap and associate traffic behavior behavior_tap with class classifier_tap.
[DeviceB] qos tap policy policy_tap
[DeviceB-qospolicy-policy_tap] classifier classifier_tap behavior behavior_tap
[DeviceB-qospolicy-policy_tap] quit
# Apply TAP policy policy_tap to the inbound direction of interface GigabitEthernet1/0/1.
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] qos apply tap policy policy_tap inbound
[DeviceB-GigabitEthernet1/0/1] quit
# Apply TAP policy policy_tap to the inbound direction of interface GigabitEthernet1/0/2.
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] qos apply tap policy policy_tap inbound
[DeviceB-GigabitEthernet1/0/2] quit
# Apply TAP policy policy_tap to the inbound direction of interface GigabitEthernet1/0/3.
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] qos apply tap policy policy_tap inbound
[DeviceB-GigabitEthernet1/0/3] quit
# Run the display qos tap policy interface command to view the TAP policy information.
[DeviceB] display qos tap policy interface
Interface: GigabitEthernet1/0/1
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Nesting:
Nest top-most vlan-id 4094
Redirecting:
Redirect to the monitoring group: 1
Interface: GigabitEthernet1/0/2
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Nesting:
Nest top-most vlan-id 4094
Redirecting:
Redirect to the monitoring group: 1
Interface: GigabitEthernet1/0/3
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Nesting:
Nest top-most vlan-id 4094
Redirecting:
Redirect to the monitoring group: 1
#
monitoring-group 1
monitoring-port GigabitEthernet1/0/4
monitoring-port GigabitEthernet1/0/5
#
traffic classifier classifier_tap operator and
if-match any
#
traffic behavior behavior_tap
nest top-most vlan 4094
redirect monitoring-group 1
#
qos tap policy policy_tap
classifier classifier_tap behavior behavior_tap
#
interface GigabitEthernet1/0/1
qos apply tap policy policy_tap inbound
#
interface GigabitEthernet1/0/2
qos apply tap policy policy_tap inbound
#
interface GigabitEthernet1/0/3
qos apply tap policy policy_tap inbound
#
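As shown in Figure 2, a company network consists of a core network, an aggregation network, an access network, and an office-area network. Configure TAP to meet the following requirements:
· Add an outer VLAN tag to the traffic of the entire network and then make two copies of it.
· The two copies are identical. One goes to ServerA for analysis, statistics, and so on; the other goes to ServerB as a backup.
Figure 2 Typical network diagram for traffic monitoring and backup with TAP
Define a TAP policy that adds VLAN tag 4094 to all packet flows, so that traffic arriving on interfaces with the policy applied in the inbound direction is copied to ServerA and ServerB.
This example was configured and verified on version xxxx.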
# Create monitoring group 1 and configure Ten-GigabitEthernet1/0/4 and Ten-GigabitEthernet1/0/5 as its member interfaces.
<DeviceB> system-view
[DeviceB] monitoring-group 1
[DeviceB-monitoring-group-1] monitoring-port ten-gigabitethernet 1/0/4 to ten-gigabitethernet 1/0/5
[DeviceB-monitoring-group-1] quit
# Define class classifier_tap to match all packets.
[DeviceB] traffic classifier classifier_tap
[DeviceB-classifier-classifier_tap] if-match any
[DeviceB-classifier-classifier_tap] quit
# Define traffic behavior behavior_tap with the actions of adding outer VLAN tag 4094 and redirecting to monitoring group 1.
[DeviceB] traffic behavior behavior_tap
[DeviceB-behavior-behavior_tap] nest top-most vlan 4094
[DeviceB-behavior-behavior_tap] redirect monitoring-group 1
[DeviceB-behavior-behavior_tap] quit
# Define TAP policy policy_tap and associate traffic behavior behavior_tap with class classifier_tap.
[DeviceB] qos tap policy policy_tap
[DeviceB-qospolicy-policy_tap] classifier classifier_tap behavior behavior_tap
[DeviceB-qospolicy-policy_tap] quit
# Apply TAP policy policy_tap to the inbound direction of interface Ten-GigabitEthernet1/0/1.
[DeviceB] interface ten-gigabitethernet 1/0/1
[DeviceB-Ten-GigabitEthernet1/0/1] qos apply tap policy policy_tap inbound
[DeviceB-Ten-GigabitEthernet1/0/1] quit
# Apply TAP policy policy_tap to the inbound direction of interface Ten-GigabitEthernet1/0/2.
[DeviceB] interface ten-gigabitethernet 1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] qos apply tap policy policy_tap inbound
[DeviceB-Ten-GigabitEthernet1/0/2] quit
# Apply TAP policy policy_tap to the inbound direction of interface Ten-GigabitEthernet1/0/3.
[DeviceB] interface ten-gigabitethernet 1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] qos apply tap policy policy_tap inbound
[DeviceB-Ten-GigabitEthernet1/0/3] quit
# Run the display qos tap policy interface command to view the TAP policy information.
[DeviceB] display qos tap policy interface
Interface: Ten-GigabitEthernet1/0/1
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Nesting:
Nest top-most vlan-id 4094
Redirecting:
Redirect to the monitoring group: 1
Interface: Ten-GigabitEthernet1/0/2
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Nesting:
Nest top-most vlan-id 4094
Redirecting:
Redirect to the monitoring group: 1
Interface: Ten-GigabitEthernet1/0/3
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Nesting:
Nest top-most vlan-id 4094
Redirecting:
Redirect to the monitoring group: 1
#
monitoring-group 1
monitoring-port Ten-GigabitEthernet1/0/4
monitoring-port Ten-GigabitEthernet1/0/5
#
traffic classifier classifier_tap operator and
if-match any
#
traffic behavior behavior_tap
nest top-most vlan 4094
redirect monitoring-group 1
#
qos tap policy policy_tap
classifier classifier_tap behavior behavior_tap
#
interface Ten-GigabitEthernet1/0/1
qos apply tap policy policy_tap inbound
#
interface Ten-GigabitEthernet1/0/2
qos apply tap policy policy_tap inbound
#
interface Ten-GigabitEthernet1/0/3
qos apply tap policy policy_tap inbound
#
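As shown in Figure 3, a company network consists of a core network, an aggregation network, an access network, and an office-area network. Configure TAP to meet the following requirements:
· Traffic between two hosts (for example, HostB and HostC) in both directions is sent to the same Server for analysis and monitoring.
· All traffic is load-shared evenly across three Servers for analysis and monitoring.
Figure 3 Network diagram for same-source/same-destination TAP
· Host B and Host C in the office area both connect to the access-network device Device A, and the packet flows between them have opposite source and destination IP addresses. After the traffic is copied and reaches Device B, the aggregate interface, when performing load sharing, would send the two packet flows over different member links to different Servers. Therefore, set the global link-aggregation load-sharing hash algorithm to type 1 so that both packet flows travel over the same member link to the same Server.
· On Device B, set the link-aggregation load-sharing mode to distinguish flows by the source and destination IP addresses of packets.
This example was configured and verified on version R2825.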
# Create Layer 2 aggregation group Bridge-Aggregation 1.
<DeviceB> system-view
[DeviceB] interface Bridge-Aggregation 1
[DeviceB-Bridge-Aggregation1] quit
# Add interfaces GigabitEthernet1/0/4, GigabitEthernet1/0/5, and GigabitEthernet1/0/6 to aggregation group Bridge-Aggregation 1.
[DeviceB] interface gigabitethernet1/0/4
[DeviceB-GigabitEthernet1/0/4] port link-aggregation group 1
[DeviceB-GigabitEthernet1/0/4] quit
[DeviceB] interface gigabitethernet1/0/5
[DeviceB-GigabitEthernet1/0/5] port link-aggregation group 1
[DeviceB-GigabitEthernet1/0/5] quit
[DeviceB] interface gigabitethernet1/0/6
[DeviceB-GigabitEthernet1/0/6] port link-aggregation group 1
[DeviceB-GigabitEthernet1/0/6] quit
# Create monitoring group 1 and configure Bridge-Aggregation 1 as its member interface.
[DeviceB] monitoring-group 1
[DeviceB-monitoring-group-1] monitoring-port bridge-aggregation 1
[DeviceB-monitoring-group-1] quit
# Define class classifier_tap to match all packets.
[DeviceB] traffic classifier classifier_tap
[DeviceB-classifier-classifier_tap] if-match any
[DeviceB-classifier-classifier_tap] quit
# Define traffic behavior behavior_tap with the action of redirecting to monitoring group 1.
[DeviceB] traffic behavior behavior_tap
[DeviceB-behavior-behavior_tap] redirect monitoring-group 1
[DeviceB-behavior-behavior_tap] quit
# Define TAP policy policy_tap and associate traffic behavior behavior_tap with class classifier_tap.
[DeviceB] qos tap policy policy_tap
[DeviceB-qospolicy-policy_tap] classifier classifier_tap behavior behavior_tap
[DeviceB-qospolicy-policy_tap] quit
# Apply TAP policy policy_tap to the inbound direction of interfaces GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3.
[DeviceB] interface gigabitethernet1/0/1
[DeviceB-GigabitEthernet1/0/1] qos apply tap policy policy_tap inbound
[DeviceB-GigabitEthernet1/0/1] quit
[DeviceB] interface gigabitethernet1/0/2
[DeviceB-GigabitEthernet1/0/2] qos apply tap policy policy_tap inbound
[DeviceB-GigabitEthernet1/0/2] quit
[DeviceB] interface gigabitethernet1/0/3
[DeviceB-GigabitEthernet1/0/3] qos apply tap policy policy_tap inbound
[DeviceB-GigabitEthernet1/0/3] quit
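# Set the global link-aggregation load-sharing mode to load-share by the source and destination IP addresses of packets, and set the load-sharing algorithm to type 1.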
[DeviceB] link-aggregation global load-sharing mode source-ip destination-ip
[DeviceB] link-aggregation global load-sharing algorithm 1
# Display the TAP policy information on Device B.
[DeviceB] display qos tap policy interface
Interface: GigabitEthernet1/0/1
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Redirecting:
Redirect to the monitoring group: 1
Interface: GigabitEthernet1/0/2
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Redirecting:
Redirect to the monitoring group: 1
Interface: GigabitEthernet1/0/3
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Redirecting:
Redirect to the monitoring group: 1
# Display the monitoring group information on Device B.
[DeviceB] display monitoring-group all
Monitoring group 1:
Monitoring ports: Bridge-Aggregation1
# Display the load-sharing mode on Device B.
[DeviceB] display link-aggregation load-sharing mode
Link-aggregation load-sharing algorithm:1
Link-aggregation load-sharing mode:
destination-ip address, source-ip address
#
link-aggregation global load-sharing mode destination-ip source-ip
link-aggregation global load-sharing algorithm 1
#
monitoring-group 1
monitoring-port Bridge-Aggregation1
#
traffic behavior behavior_tap
redirect monitoring-group 1
#
traffic classifier classifier_tap operator and
if-match any
#
qos tap policy policy_tap
classifier classifier_tap behavior behavior_tap
#
interface Bridge-Aggregation1
#
interface GigabitEthernet1/0/1
qos apply tap policy policy_tap inbound
#
interface GigabitEthernet1/0/2
qos apply tap policy policy_tap inbound
#
interface GigabitEthernet1/0/3
qos apply tap policy policy_tap inbound
#
interface GigabitEthernet1/0/4
port link-aggregation group 1
#
interface GigabitEthernet1/0/5
port link-aggregation group 1
#
interface GigabitEthernet1/0/6
port link-aggregation group 1
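As shown in Figure 4, a company network consists of a core network, an aggregation network, an access network, and an office-area network. Configure TAP to meet the following requirements:
· Traffic between two hosts (for example, HostB and HostC) in both directions is sent to the same Server for analysis and monitoring.
· All traffic is load-shared evenly across three Servers for analysis and monitoring.
Figure 4 Network diagram for same-source/same-destination TAP
· Host B and Host C in the office area both connect to the access-network device Device A, and the packet flows between them have opposite source and destination IP addresses. After the traffic is copied and reaches Device B, the aggregate interface, when performing load sharing, would send the two packet flows over different member links to different Servers. Therefore, set the global link-aggregation load-sharing hash algorithm to type 1 so that both packet flows travel over the same member link to the same Server.
· On Device B, set the link-aggregation load-sharing mode to distinguish flows by the source and destination IP addresses of packets.
This example was configured and verified on version R2825.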
# Create Layer 2 aggregation group Bridge-Aggregation 1.
<DeviceB> system-view
[DeviceB] interface Bridge-Aggregation 1
[DeviceB-Bridge-Aggregation1] quit
# Add interfaces Ten-GigabitEthernet1/0/4, Ten-GigabitEthernet1/0/5, and Ten-GigabitEthernet1/0/6 to aggregation group Bridge-Aggregation 1.
[DeviceB] interface ten-gigabitethernet1/0/4
[DeviceB-Ten-GigabitEthernet1/0/4] port link-aggregation group 1
[DeviceB-Ten-GigabitEthernet1/0/4] quit
[DeviceB] interface ten-gigabitethernet1/0/5
[DeviceB-Ten-GigabitEthernet1/0/5] port link-aggregation group 1
[DeviceB-Ten-GigabitEthernet1/0/5] quit
[DeviceB] interface ten-gigabitethernet1/0/6
[DeviceB-Ten-GigabitEthernet1/0/6] port link-aggregation group 1
[DeviceB-Ten-GigabitEthernet1/0/6] quit
# Create monitoring group 1 and configure Bridge-Aggregation 1 as its member interface.
[DeviceB] monitoring-group 1
[DeviceB-monitoring-group-1] monitoring-port bridge-aggregation 1
[DeviceB-monitoring-group-1] quit
# Define class classifier_tap to match all packets.
[DeviceB] traffic classifier classifier_tap
[DeviceB-classifier-classifier_tap] if-match any
[DeviceB-classifier-classifier_tap] quit
# Define traffic behavior behavior_tap with the action of redirecting to monitoring group 1.
[DeviceB] traffic behavior behavior_tap
[DeviceB-behavior-behavior_tap] redirect monitoring-group 1
[DeviceB-behavior-behavior_tap] quit
# Define TAP policy policy_tap and associate traffic behavior behavior_tap with class classifier_tap.
[DeviceB] qos tap policy policy_tap
[DeviceB-qospolicy-policy_tap] classifier classifier_tap behavior behavior_tap
[DeviceB-qospolicy-policy_tap] quit
# Apply TAP policy policy_tap to the inbound direction of interfaces Ten-GigabitEthernet1/0/1, Ten-GigabitEthernet1/0/2, and Ten-GigabitEthernet1/0/3.
[DeviceB] interface ten-gigabitethernet1/0/1
[DeviceB-Ten-GigabitEthernet1/0/1] qos apply tap policy policy_tap inbound
[DeviceB-Ten-GigabitEthernet1/0/1] quit
[DeviceB] interface ten-gigabitethernet1/0/2
[DeviceB-Ten-GigabitEthernet1/0/2] qos apply tap policy policy_tap inbound
[DeviceB-Ten-GigabitEthernet1/0/2] quit
[DeviceB] interface ten-gigabitethernet1/0/3
[DeviceB-Ten-GigabitEthernet1/0/3] qos apply tap policy policy_tap inbound
[DeviceB-Ten-GigabitEthernet1/0/3] quit
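# Set the global link-aggregation load-sharing mode to load-share by the source and destination IP addresses of packets, and set the load-sharing algorithm to type 1.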
[DeviceB] link-aggregation global load-sharing mode source-ip destination-ip
[DeviceB] link-aggregation global load-sharing algorithm 1
# Display the TAP policy information on Device B.
[DeviceB] display qos tap policy interface
Interface: Ten-GigabitEthernet1/0/1
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Redirecting:
Redirect to the monitoring group: 1
Interface: Ten-GigabitEthernet1/0/2
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Redirecting:
Redirect to the monitoring group: 1
Interface: Ten-GigabitEthernet1/0/3
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Redirecting:
Redirect to the monitoring group: 1
# Display the monitoring group information on Device B.
[DeviceB] display monitoring-group all
Monitoring group 1:
Monitoring ports: Bridge-Aggregation1
# Display the load-sharing mode on Device B.
[DeviceB] display link-aggregation load-sharing mode
Link-aggregation load-sharing algorithm:1
Link-aggregation load-sharing mode:
destination-ip address, source-ip address
#
link-aggregation global load-sharing mode destination-ip source-ip
link-aggregation global load-sharing algorithm 1
#
monitoring-group 1
monitoring-port Bridge-Aggregation1
#
traffic behavior behavior_tap
redirect monitoring-group 1
#
traffic classifier classifier_tap operator and
if-match any
#
qos tap policy policy_tap
classifier classifier_tap behavior behavior_tap
#
interface Bridge-Aggregation1
#
interface Ten-GigabitEthernet1/0/1
qos apply tap policy policy_tap inbound
#
interface Ten-GigabitEthernet1/0/2
qos apply tap policy policy_tap inbound
#
interface Ten-GigabitEthernet1/0/3
qos apply tap policy policy_tap inbound
#
interface Ten-GigabitEthernet1/0/4
port link-aggregation group 1
#
interface Ten-GigabitEthernet1/0/5
port link-aggregation group 1
#
interface Ten-GigabitEthernet1/0/6
port link-aggregation group 1
#
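As shown in Figure 5, Device A, Device B, and Device C in the production network mirror the traffic to be monitored to interfaces GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3 of the TAP, respectively. The TAP's GigabitEthernet1/0/4 and GigabitEthernet1/0/5 interfaces connect through a VLAN network to the data analysis server and the data backup server, respectively. Configure TAP to meet the following requirements:
· Aggregate the traffic received on GigabitEthernet1/0/1, GigabitEthernet1/0/2, and GigabitEthernet1/0/3 and then make two copies of it, that is, 3:2 replication. One copy is sent out of GigabitEthernet1/0/4 to the data analysis server for real-time monitoring and analysis; the other is sent out of GigabitEthernet1/0/5 to the data backup server as a backup.
· Apply NEST to the traffic (that is, add the specified VLAN tag) so that the traffic can cross the VLAN network and reach the corresponding server.
Figure 5 Network diagram for M:N and NEST configuration
This example was configured and verified on version R2825.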
# Create monitoring group 1 and configure GigabitEthernet1/0/4 and GigabitEthernet1/0/5 as its member interfaces.
<TAP> system-view
[TAP] monitoring-group 1
[TAP-monitoring-group-1] monitoring-port gigabitethernet 1/0/4 to gigabitethernet 1/0/5
[TAP-monitoring-group-1] quit
# Define class classifier_tap to match all packets.
[TAP] traffic classifier classifier_tap
[TAP-classifier-classifier_tap] if-match any
[TAP-classifier-classifier_tap] quit
# Define traffic behavior behavior_tap with the following actions: add outer VLAN tag 200 and redirect to monitoring group 1.
[TAP] traffic behavior behavior_tap
[TAP-behavior-behavior_tap] nest top-most vlan 200
[TAP-behavior-behavior_tap] redirect monitoring-group 1
[TAP-behavior-behavior_tap] quit
# Define TAP policy policy_tap and associate traffic behavior behavior_tap with class classifier_tap.
[TAP] qos tap policy policy_tap
[TAP-qospolicy-policy_tap] classifier classifier_tap behavior behavior_tap
[TAP-qospolicy-policy_tap] quit
# Apply TAP policy policy_tap to the inbound direction of interface GigabitEthernet1/0/1.
[TAP] interface gigabitethernet 1/0/1
[TAP-GigabitEthernet1/0/1] qos apply tap policy policy_tap inbound
[TAP-GigabitEthernet1/0/1] quit
# Apply TAP policy policy_tap to the inbound direction of interface GigabitEthernet1/0/2.
[TAP] interface gigabitethernet 1/0/2
[TAP-GigabitEthernet1/0/2] qos apply tap policy policy_tap inbound
[TAP-GigabitEthernet1/0/2] quit
# Apply TAP policy policy_tap to the inbound direction of interface GigabitEthernet1/0/3.
[TAP] interface gigabitethernet 1/0/3
[TAP-GigabitEthernet1/0/3] qos apply tap policy policy_tap inbound
[TAP-GigabitEthernet1/0/3] quit
# Run the display qos tap policy interface command to view the configuration and running status of the TAP policy.
[TAP] display qos tap policy interface
Interface: GigabitEthernet1/0/1
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Nesting:
Nest top-most vlan-id 200
Redirecting:
Redirect to the monitoring group: 1
Interface: GigabitEthernet1/0/2
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Nesting:
Nest top-most vlan-id 200
Redirecting:
Redirect to the monitoring group: 1
Interface: GigabitEthernet1/0/3
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Nesting:
Nest top-most vlan-id 200
Redirecting:
Redirect to the monitoring group: 1
#
monitoring-group 1
monitoring-port GigabitEthernet1/0/4
monitoring-port GigabitEthernet1/0/5
#
traffic classifier classifier_tap operator and
if-match any
#
traffic behavior behavior_tap
nest top-most vlan 200
redirect monitoring-group 1
#
qos tap policy policy_tap
classifier classifier_tap behavior behavior_tap
#
interface GigabitEthernet1/0/1
qos apply tap policy policy_tap inbound
#
interface GigabitEthernet1/0/2
qos apply tap policy policy_tap inbound
#
interface GigabitEthernet1/0/3
qos apply tap policy policy_tap inbound
#
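As shown in Figure 6, the traffic between Host and Server consists of two parts: traffic from Host to Server and traffic from Server to Host. The two belong to the same session and have opposite source and destination IP addresses; we call this same-source/same-destination traffic. Device mirrors both directions of this traffic between Host and Server to GigabitEthernet1/0/1 of the TAP. The TAP's GigabitEthernet1/0/2 and GigabitEthernet1/0/3 connect to data analysis server 1 and data analysis server 2, respectively, and both belong to Layer 2 link aggregation group 1. Configure TAP and the aggregation group's load-sharing mode and algorithm to meet the following requirements:
· Forward the traffic received on GigabitEthernet1/0/1 to Layer 2 link aggregation group 1.
· Send same-source/same-destination traffic out of the same member interface of the aggregation group, so that the traffic of one session goes to the same data analysis server.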
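The requirement above, and the matching design notes in the two Bridge-Aggregation examples earlier on this page, come down to the member-selection hash giving the same result for both directions of a session. The following added example (not H3C code) compares a direction-sensitive key with a direction-insensitive one. CRC32 and the address ordering are stand-ins chosen for illustration, since the internals of load-sharing algorithm 1 are not described on this page, and the session list is constructed.

```python
import ipaddress
import zlib
from collections import Counter

# Member ports of Bridge-Aggregation 1 in the GigabitEthernet example on this page.
MEMBERS = ["GigabitEthernet1/0/4", "GigabitEthernet1/0/5", "GigabitEthernet1/0/6"]

# Constructed sessions (documentation address ranges): 20 hosts x 10 servers.
SESSIONS = [(f"192.0.2.{h}", f"198.51.100.{s}")
            for h in range(1, 21) for s in range(1, 11)]


def _packed(ip):
    return ipaddress.ip_address(ip).packed


def directional_member(src, dst, members=MEMBERS):
    """Hash src||dst as seen in the packet: the result depends on direction."""
    return members[zlib.crc32(_packed(src) + _packed(dst)) % len(members)]


def symmetric_member(src, dst, members=MEMBERS):
    """Order the two addresses before hashing so A->B and B->A share one key."""
    low, high = sorted((_packed(src), _packed(dst)))
    return members[zlib.crc32(low + high) % len(members)]


def split_sessions(pick, sessions=SESSIONS):
    """Sessions whose two directions leave through different member ports."""
    return [(a, b) for a, b in sessions if pick(a, b) != pick(b, a)]


def load_per_member(pick, sessions=SESSIONS):
    """Packets per member port, counting one packet per direction per session."""
    load = Counter()
    for a, b in sessions:
        load[pick(a, b)] += 1
        load[pick(b, a)] += 1
    return load


if __name__ == "__main__":
    for name, pick in (("directional", directional_member),
                       ("symmetric", symmetric_member)):
        print(name, "split sessions:", len(split_sessions(pick)),
              "load:", dict(load_per_member(pick)))
```

A split session means each analysis server sees only one half of a conversation, which breaks stream reassembly and session-based detection on both of them.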
This example was configured and verified on version R2825.
# Create Layer 2 aggregation group Bridge-Aggregation 1.
<TAP> system-view
[TAP] interface Bridge-Aggregation 1
[TAP-Bridge-Aggregation1] quit
# Add interfaces GigabitEthernet1/0/2 and GigabitEthernet1/0/3 to aggregation group Bridge-Aggregation 1.
[TAP] interface gigabitethernet1/0/2
[TAP-GigabitEthernet1/0/2] port link-aggregation group 1
[TAP-GigabitEthernet1/0/2] quit
[TAP] interface gigabitethernet1/0/3
[TAP-GigabitEthernet1/0/3] port link-aggregation group 1
[TAP-GigabitEthernet1/0/3] quit
# Create monitoring group 1 and configure Bridge-Aggregation 1 as its member interface.
[TAP] monitoring-group 1
[TAP-monitoring-group-1] monitoring-port bridge-aggregation 1
[TAP-monitoring-group-1] quit
# Define class classifier_tap to match all packets.
[TAP] traffic classifier classifier_tap
[TAP-classifier-classifier_tap] if-match any
[TAP-classifier-classifier_tap] quit
# Define traffic behavior behavior_tap with the action of redirecting to monitoring group 1.
[TAP] traffic behavior behavior_tap
[TAP-behavior-behavior_tap] redirect monitoring-group 1
[TAP-behavior-behavior_tap] quit
# Define TAP policy policy_tap and associate traffic behavior behavior_tap with class classifier_tap.
[TAP] qos tap policy policy_tap
[TAP-qospolicy-policy_tap] classifier classifier_tap behavior behavior_tap
[TAP-qospolicy-policy_tap] quit
# Apply TAP policy policy_tap to the inbound direction of interface GigabitEthernet1/0/1.
[TAP] interface gigabitethernet1/0/1
[TAP-GigabitEthernet1/0/1] qos apply tap policy policy_tap inbound
[TAP-GigabitEthernet1/0/1] quit
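# Set the global link-aggregation load-sharing mode to load-share by the source and destination IP addresses of packets, and set the load-sharing algorithm to type 1.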
[TAP] link-aggregation global load-sharing mode source-ip destination-ip
[TAP] link-aggregation global load-sharing algorithm 1
# Run the display qos tap policy interface command to view the configuration and running status of the TAP policy.
[TAP] display qos tap policy interface
Interface: GigabitEthernet1/0/1
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Redirecting:
Redirect to the monitoring group: 1
# Run the display monitoring-group command to view the monitoring group configuration.
[TAP] display monitoring-group all
Monitoring group 1:
Monitoring ports: Bridge-Aggregation1
# Run the display link-aggregation load-sharing mode command to view the link-aggregation load-sharing mode used globally or within an aggregation group.
[TAP] display link-aggregation load-sharing mode
Link-aggregation load-sharing algorithm:1
Link-aggregation load-sharing mode:
destination-ip address
source-ip address
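The display qos tap policy interface output shown in the verification steps on this page can be checked mechanically, so that a mirror port missing its policy or its nested VLAN is caught as a monitoring gap. This is an added example, not an H3C tool; the function names, the WANT/PORTS values, and the sample text (modelled on the page's output format, with two defects introduced) are constructed for illustration.

```python
import re

# Constructed sample in the output format shown on this page: GigabitEthernet1/0/2
# is absent and GigabitEthernet1/0/3 has no Nesting action (both are defects).
SAMPLE = """\
Interface: GigabitEthernet1/0/1
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Nesting:
Nest top-most vlan-id 200
Redirecting:
Redirect to the monitoring group: 1
Interface: GigabitEthernet1/0/3
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Redirecting:
Redirect to the monitoring group: 1
"""

FIELDS = {  # output line pattern -> (record key, converter)
    r"Direction: (\S+)": ("direction", str),
    r"Tap policy: (\S+)": ("policy", str),
    r"Nest top-most vlan-id (\d+)": ("nest_vlan", int),
    r"Redirect to the monitoring group: (\d+)": ("group", int),
}

def parse_tap_policy(text):
    """Parse the display output into {interface: {field: value}}."""
    records, cur = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("Interface:"):
            cur = records.setdefault(line.split(":", 1)[1].strip(), {})
        elif cur is not None:
            for pattern, (key, conv) in FIELDS.items():
                m = re.fullmatch(pattern, line)
                if m:
                    cur[key] = conv(m.group(1))
    return records

def audit(records, ports, want):
    """Map each failing port to the fields that differ (None = port absent)."""
    findings = {}
    for port in ports:
        rec = records.get(port)
        bad = None if rec is None else sorted(k for k, v in want.items() if rec.get(k) != v)
        if bad != []:
            findings[port] = bad
    return findings

# Expected state for the M:N and NEST example (outer VLAN 200, monitoring group 1).
WANT = {"direction": "Inbound", "policy": "policy_tap", "group": 1, "nest_vlan": 200}
PORTS = [f"GigabitEthernet1/0/{n}" for n in (1, 2, 3)]

if __name__ == "__main__":
    print(audit(parse_tap_policy(SAMPLE), PORTS, WANT))
```

For the examples that only redirect to a monitoring group, leave nest_vlan out of the expected fields.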
#
link-aggregation global load-sharing mode destination-ip source-ip
link-aggregation global load-sharing algorithm 1
#
monitoring-group 1
monitoring-port Bridge-Aggregation1
#
traffic behavior behavior_tap
redirect monitoring-group 1
#
traffic classifier classifier_tap operator and
if-match any
#
qos tap policy policy_tap
classifier classifier_tap behavior behavior_tap
#
interface Bridge-Aggregation1
#
interface GigabitEthernet1/0/1
qos apply tap policy policy_tap inbound
#
interface GigabitEthernet1/0/2
port link-aggregation group 1
#
interface GigabitEthernet1/0/3
port link-aggregation group 1
#
· H3C S12500X-AF Series Switches TAP Guide - R28xx
· H3C S12500X-AF Series Switches TAP Command Reference - R28xx