  • Port mirroring. Concept: a method of mirroring one or more switch ports (VLANs) to one or more ports. Requirement: deploying an IDS usually requires listening to network traffic, but in the switched networks that are now widespread, listening to all traffic is quite difficult, so the switch is configured to forward one...

    Port mirroring

     Concept: a method of mirroring the traffic of one or more switch ports (VLANs) to one or more ports.
    Requirement: to deploy an IDS you usually need to listen to network traffic, but in the switched networks that are now widespread, listening to all traffic is quite difficult. The switch is therefore configured to forward the traffic of one or more ports (VLANs) to a single port, which makes monitoring the network possible.
    Port mirroring goes by several names:
     Port Mirroring: usually means copying the traffic of one port to another port; that port can then no longer transmit data
     Monitoring port: the monitor port
     Spanning Port: usually means copying the traffic of all ports to another port; that port can then no longer transmit data
     SPAN port: on Cisco products, SPAN usually stands for Switch Port Analyzer; on some switches the SPAN port does not support transmitting data
     
    Switches that support port mirroring
      Most mid-range and higher switches support port mirroring, but the degree of support differs
     
    Port mirroring configuration methods:
      http://www.securitywizardry.com/switch.htm
     
    port Mirroring generally indicates the ability to copy the traffic from a single port to a mirror port but disallows any type of bidirectional traffic on the port.
    Spanning Port usually indicates the ability to copy traffic from all the ports to a single port but also typically disallows bidirectional traffic on the port.
    In the case of Cisco, SPAN stands for Switch Port ANalyzer. Some switches do not allow SPAN ports to transmit packets, this is an issue if you wish to use IDS TCP countermeasures such as resets. 
     
     
    Extreme Switches Newer
     
    Submitted By Kevin Farnes
    Information Updated: 16 Aug 2004
     
    {enable | disable} mirroring on port Port No
    configure mirroring { add | delete } { vlan VLAN | port Port No }
    The first line basically turns on or off the mirroring and what port the mirrored output should be sent to. The second line specifies what is to be mirrored. The second line can be repeated any number of times. There are some limitations on capability however, such as if you are mirroring a port then it must be on the same blade as the port being mirrored to.
     
    Extreme Switches Older eg 48 ExtremeWare Version 4.1
     
    Submitted By Joel Snyder
    Information Updated: 16 Aug 2004
     
    In the older Summit Extremes (like the 48, not the 48i), you are blocked at v4 of their software
    enable mirror to port <port-no> (both enables mirroring, and says where to send it.  Notice that you cannot provide a list of ports, unfortunately)
    disable mirror    (disables mirroring)
    config mirror add port <portno>       (adds port <portno>, all VLANs that this port participates in)
    config mirror add port <portno> vlan <vlan name or #>     (adds port <portno>, but only VLAN <vlan> traffic will be mirrored)
    config mirror add vlan <vlan name or #>      (adds all ports that have this VLAN)
    You can add more than one port by repeating the above lines.
    config mirror del port <portno>
    config mirror del vlan <vlan>     (does the obvious thing)
    show mirror     (shows status of mirroring, including whether the port is up or not (!))
    One thing to be careful of in the Extreme is that with mirroring (at least in this version of the O/S), you get both IN and OUT mirroring, which means that if you pick a VLAN as the mirror object, you may see the same frame a couple of times if it goes in one port on the VLAN and out a different one.
     
    Cisco Catalyst SPAN Support
     
    Submitted By Mark McDonagh
    Information Updated: 16 Aug 2004
     
    Switch               SPAN Sessions           TCP Countermeasures
    2900/3500XL          No Limit                No
    2950                 1                       Yes
    3550                 2                       Yes
    3750                 2                       Yes
    4000 w CatOS         5                       Yes
    4500 w Native IOS    6 (both considered 2)   No
    6000 w CatOS         2 Rx or Both, 4 Tx      Yes
    6000 w Native IOS    2                       No
     
    Cisco Catalyst 2900/3500XL
     
    Submitted By Mark McDonagh
    Information Updated: 17 Aug 2004
     
    c3550(config)#monitor session 1 source ?
       interface SPAN source interface
       remote SPAN source Remote
       vlan SPAN source VLAN
    c3550(config)#monitor session 1 source interface fa0/1 - 3 rx
    c3550(config)#monitor session 1 destination interface fa0/24
    Only an Rx SPAN session can have multiple source ports. Note the spaces in syntax when specifying multiple interfaces. Can be “–” or “,”
    With Source VLAN's
    c3550(config)#monitor session 1 source vlan 1 - 10 rx
    c3550(config)#monitor session 1 destination interface fa0/24
    TCP Resets
    c3550(config)#monitor session 1 source vlan 1 - 10 rx
    c3550(config)#monitor session 1 destination interface fa0/24 ingress vlan 1
    The Catalyst 2950/3550 will allow you to configure a single VLAN to receive untagged TCP Reset packets. TCP Reset support is configured through the “ingress vlan” keywords. Only one VLAN is permitted. In this example, non-802.1q-tagged TCP Resets to servers or attackers existing on or through VLAN 1 would be allowed, but not if the attack or target was on VLAN 2-10. If the RST is a response to an attack detected by IDS 4.x where the 802.1q tag has been maintained, the RST will be sent on the appropriate VLAN.
    If you are monitoring a VLAN trunk port, you may wish to filter one or more of the VLANs on that trunk. This example only monitors VLANs 5 and 100-200 on the trunk.
    c3550(config)#monitor session 1 source interface gigabit0/1
    c3550(config)#monitor session 1 filter vlan 5 , 100 - 200
    c3550(config)#monitor session 1 destination interface fa0/24
    If the monitor session destination port is a trunk, you should also use keyword ‘encapsulation dot1q’. If you do not, packets will be sent on the interface in native format.
     
    Cisco Catalyst 2950 3550 3750
     
    Submitted By Mark McDonagh
    Information Updated: 17 Aug 2004
     
    int fa0/24
    port monitor fa0/1
    port monitor fa0/2
    port monitor fa0/3
    ^Z
    show port monitor
    Monitor Port Port Being Monitored
    --------------------- ---------------------
    FastEthernet0/24 FastEthernet0/1
    FastEthernet0/24 FastEthernet0/2
    FastEthernet0/24 FastEthernet0/3
    Monitored ports must be on same VLAN
    Cannot modify monitored ports
    “port monitor vlan” is only valid for VLAN 1, and will only monitor management traffic destined to the IP address configured as VLAN 1 on the switch. “port monitor”, by itself, will configure the port to monitor all ports on the switch that belong to the VLAN that port is assigned to.
     
    Cisco Catalyst 4000 6000  with CatOS Switches
     
    Submitted By Mark McDonagh
    Information Updated: 16 Aug 2004
     
    On Cat6k:
    set span {src_mod/src_ports| src_vlans | sc0} {dest_mod/dest_port} [rx | tx | both] [inpkts {enable | disable}] [learning {enable | disable}] [multicast {enable | disable}] [filter vlans...] [create]
    On Cat4k:
    set span {src_mod/src_ports | src_vlan} dest_mod/dest_port [rx | tx | both] [filter vlan] [inpkts {enable | disable}] [learning {enable | disable}] [create]
    Use the ‘create’ keyword with different destination ports to create multiple SPAN sessions.
    If the ‘create’ keyword is not used, and a span session exists with the same destination port, the existing session will be replaced. If the destination port is different, then a new session will be created.
    With source 2/1 and destination 3/5
    c6500 (enable) set span 2/1 3/5
     
    Cisco Catalyst 4000 6000  with IOS Switches
     
    Submitted By Mark McDonagh
    Information Updated: 16 Aug 2004
     
    Syntax for Cat4k:
    Cat4k(config)# [no] monitor session {session_number} {source {interface type/num} | {vlan vlan_ID}} [, | - | rx | tx | both]
    Cat4k(config)# [no] monitor session {session_number} {destination {interface type/num} }
    Syntax for Cat6k:
    Cat6k(config)# monitor session session_number source {{single_interface | interface_list | interface_range | mixed_interface_list | single_vlan | vlan_list | vlan_range | mixed_vlan_list} [rx | tx | both]} | {remote vlan rspan_vlan_ID}}
    Cat6k(config)# monitor session session_number destination {single_interface | interface_list | interface_range | mixed_interface_list} | {remote vlan rspan_vlan_ID}}
     
    Cisco Catalyst 2950 Switches
     
    Submitted By Kevin Farnes
    Information Updated: 16 Aug 2004
     
    ( From Configuration Mode )
    monitor session 1 source interface Interface
    monitor session 1 destination interface Interface
    The first line determines which ports are being monitored in the session and can be repeated. The second line determines where the monitor output is to be sent. On the 2950 only ports can be monitored. With Cisco the monitoring capability and commands can vary significantly with different models of switch.
     
    Cisco 3500XL Switches
     
    Submitted By Chris McCulloh
    Information Updated: 16 Aug 2004
     
    Connect via a command line, then enter enable mode (type 'en'), then execute the following commands, assuming the sniffer is plugged into port 14 on the switch, and all other ports in a 24 port switch are desired except 23:
    configure terminal
    interface f14
    port monitor f1-13, f15-22,f24
    end
    The box should then see all traffic.
     
    Cisco Catalyst 5000 Switches
     
    Submitted By Dave Rodrigue
    Information Updated: 16 Aug 2004
     
    set span 2-3 5/7 create
    where 2-3 are the VLANs I'm monitoring. 
    Switch ports can be specified as well 
    set span 2/3 5/7 create     to monitor port 2/3
    From Cisco's docs, in case that makes it clearer:
    set span {src_mod/src_ports | src_vlan | sc0} dest_mod/dest_port [rx | tx | both] [inpkts {enable | disable}] [learning {enable | disable}] [multicast {enable | disable}] [create]
     
    Foundry Switches
     
    Submitted By Kevin Farnes
    Information Updated: 16 Aug 2004
     
    ( From Configuration Mode )
    interface Interface
    port monitor interface { rx | tx | both}
    The first line takes you into the interface that the mirror output should be presented on. The second line defines those interfaces you wish to have mirrored and whether just the input, output or both are copied.
     
    Juniper M or T Series
     
    Submitted By Donald Smith
    Information Updated: 20 Aug 2004
     
    Port Mirroring
    1. Define the destination where copies of sampled packets will be sent:
    [edit]
    user@router# show forwarding-options
    port-mirroring { input {family inet; rate <sample-rate>; run-length <run-length>;} output {interface <interface-name> {next-hop <address>;} no-filter-check;} }
    2. Define a sampling filter to identify "interesting" traffic:
    [edit]
    user@router# show firewall filter mirror-sample
    from {...} then {sample; accept;}
    3. Apply the filter to the incoming interface
    [edit]
    user@router# show interface <interface-name> unit 0 family inet
    filter {input mirror-sample;}
    Notes:
    1. Packets that pass the input filter are sampled based on the <sample-rate> and <run-length>. In each batch of <sample-rate> packets, the first <run-length> packets are mirrored.
    2. The mirror interface should not participate in any routing. The sampled packets are not in any way encapsulated, so the raw packets are sent out the interface. Hopefully, the device on the far end is a traffic analyzer and not another router!
    3. The <address> needs to be specified when the mirror interface is a multi-access media, and is used to fill in the MAC address.
    4. Works only for IPv4 packets, and only for transit traffic.
    5. You can only set up one mirror interface per router; all "sampled" traffic is mirrored.
     
     
     Features:
         ● Cisco 2900 and Cisco 3500XL series switches
         ● Cisco 2950, Cisco 3550 and Cisco 3750 series switches
         ● Cisco Catalyst 2550 and Cisco Catalyst 3550 support 2 monitor sessions
    en
    password
    config term
    Switch(config)#monitor session 1 destination interface fast0/4   (1 is the session id; the id range is 1-2)
    Switch(config)#monitor session 1 source interface fast0/1 , fast0/2 , fast0/3   (space, comma, space)
    Switch(config)#exit
    Switch#copy running-conf startup-conf
    Switch#show port-monitor
    Cisco 5000 series switches
    Cisco 4000 and Cisco 6000 series switches running CatOS
    Cisco 4000 and Cisco 6000 series switches running IOS
    Extreme switches
         Features:
                    ● Only many-to-one or one-to-one mirror ports can be created
                    ● VLAN traffic can be monitored
                    ● Extreme mirrors both IN and OUT traffic. This means that when mirroring a VLAN you will see the same packet at least twice: once leaving one port of the VLAN and once entering another port of the VLAN.
    Port mirroring configuration for Extreme switches with software newer than 4.1
     {enable | disable} mirroring on port <port-no>
        Turns port mirroring on or off and specifies the port the mirrored traffic is sent out of; port-no can only be a single port
     configure mirroring { add | delete } { vlan <vlan> | port <port-no> }
    Specifies which VLAN(s) or port(s) to mirror; the { vlan | port } part can be repeated any number of times
    Port mirroring configuration for Extreme switches with software older than 4.1
       enable mirror to port <port-no>
    Turns port mirroring on and specifies the port the mirrored traffic is sent out of; port-no can only be a single port
       disable mirror
    Turns port mirroring off
       config mirror add port <port-no>
               Mirrors the traffic of port port-no; if the port carries several VLANs, all of that traffic is mirrored to the destination port
       config mirror add port <port-no> vlan <vlan>
               Mirrors only the traffic of the given VLAN on port port-no
       config mirror add vlan <vlan>
               Mirrors the traffic of all ports in the given VLAN
       config mirror del port <port-no>
               Stops mirroring port port-no
       config mirror del vlan <vlan>
               Stops mirroring the given VLAN
       show mirror
               Shows the port mirroring status
    Foundry switches      Features:
                    ● Many-to-many port mirroring can be created
    Port mirroring configuration for Foundry switches
               In configuration mode:
       interface <interface>
       port monitor <interface> { rx | tx | both }
               The first line selects the port the mirrored traffic is sent out of and modifies that port's configuration
               The second line specifies which ports to mirror and which traffic (rx for received traffic, tx for transmitted traffic, both for both directions); the "<interface> { rx | tx | both }" part can be repeated
    Juniper switches
         Features:
                    ● Only one monitoring port per switch
                    ● Only IPv4 traffic can be mirrored
                    ● Only transmitted (transit only) traffic can be mirrored, not received traffic
    Port mirroring configuration for the Juniper M and T series
           user@router# show forwarding-options port-mirroring { input {family inet; rate <sample-rate>; run-length <run-length>;} output {interface <interface-name> {next-hop <address>;} no-filter-check;} }
    Selects the destination port the sampled traffic is sent to
     user@router# show firewall filter mirror-sample from {...} then {sample; accept;}
    Defines the sampling filter that selects the traffic of interest
     user@router# show interface <interface-name> unit 0 family inet filter {input mirror-sample;}
    Applies the sampling filter to a port
    Risks of port mirroring
    It increases the switch's load and can make the device unstable
    In some situations packets are dropped, so 100% of the traffic cannot be guaranteed to be mirrored. For example, when several source ports are mirrored to one destination port, the destination port cannot keep up and packets are dropped.
    This article is reposted from the 孤舟夜航之家 blog on 51CTO, original link http://blog.51cto.com/cysky/741492; contact the original author if you wish to reprint it.

    cysky
  • Cisco ASA mirror port

    1000+ reads  2012-05-03 11:03:08
    e0/1 as the mirror port of e0/0:

    int e0/0
    switch access vlan 2        same VLAN
    no shut

    int e0/1
    switch access vlan 2        same VLAN
    no shut
    switch monitor e0/0

  • Introduction to configuring mirror ports on Cisco switches

    1000+ reads  2018-01-26 15:37:10
    In a switched Ethernet environment, communication between two workstations normally cannot be eavesdropped on by a third party. In some situations we may need such listening, for example for protocol analysis, traffic analysis or intrusion detection. For this we can set up the SPAN (Switched Port Analyzer) feature of Cisco switches, or the earlier "port mirroring" / "monitor port" function. The objects to listen to can be one or more switch ports, or an entire VLAN. If the ports to be monitored (the "source ports") or VLAN and the port connected to the monitoring workstation (the "destination port") are on the same switch, only SPAN needs to be configured; if they are not on the same switch, RSPAN (Remote SPAN) has to be configured.

    The traffic of one (or several) switch ports (source ports) is copied in full and sent out of another port (the destination port), so that network administrators can analyze the source ports' traffic from the destination port and find the cause of problems in the network.

    • Cisco port mirroring types

    • SPAN: source and destination ports are on the same switch

    • RSPAN: source and destination ports are on different switches

    • VSPAN: mirrors one or several whole VLANs to a destination port


    We use mirror session 1 to mirror ports 3-23

    monitor session 1 source interface Gi1/0/3 - 23 

    monitor session 1 destination interface Gi1/0/1

    Mirror session 2 mirrors port 24

    monitor session 2 source interface Gi1/0/24 

    monitor session 2 destination interface Gi1/0/2


  • cisco_port_mirroring

    2015-03-30 22:03:29
    Port mirroring explained. What is port mirroring? A method of mirroring the data of one or more switch ports (VLANs) to one or more ports.
  • Cisco's port mirroring is called SWITCHED PORT ANALYZER, SPAN for short (IOS only, same below); port mirroring therefore applies only to Ethernet switch ports. Cisco SPAN comes in three kinds, SPAN, RSPAN and VSPAN. Simply put, SPAN means the source and destination ports are on the same switch...
  • So-called port mirroring is a method of mirroring the data of one or more switch ports to one or more ports; it copies the packets of the specified ports or VLANs to other ports, and the destination port is connected to a data monitoring device so that the traffic of one or more network interfaces can be analyzed conveniently...
  • To view the basic state of the switch ports, enter the command show ip int bri, which shows the port status ... Set the source mirror ports; set ports 1 to 20 as source mirror ports Switch(config)#monitor session 1 source interface gigabitEthernet ...

    To view the basic state of the switch ports, enter the command show ip int bri; it shows the port status

    FastEthernet denotes a 100 Mbit/s Ethernet port, GigabitEthernet a gigabit Ethernet port.

    Enter global configuration mode

    Set the source mirror ports; here ports 1 to 20 are set as source ports

    Switch(config)#monitor session 1 source interface gigabitEthernet 1/0/1- 20 both
    

    Note the space between the - and 20 at the end of this command. The parameter both after 20 means both directions are monitored; rx after 20 monitors only received data, tx only transmitted data. To mirror a single port, just give that port.

    Configure the destination mirror port

    Switch(config)#monitor session 1 destination interface gigabitEthernet 1/0/22

    Port 1/0/22 is configured as the destination mirror port

    Check the configuration

     

    Switch#show monitor 
    Session 1
    ---------
    Type : Local Session
    Source Ports : 
    Both : Gi1/0/1-20
    Destination Ports : Gi1/0/22
    Encapsulation : Native
    Ingress : Disabled

     

    Remove the mirror session

    Switch(config)#no monitor session 1
    Switch(config)#end 
    Switch#show monitor
    No SPAN configuration is present in the system.
    

      

    Reposted from: https://www.cnblogs.com/LuckWJL/p/9992419.html
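    As an added example (not code from any of the posts on this page), a small Python parser for the `show monitor` output format shown above: it expands the IOS interface range and list syntax used by these commands and flags a session whose destination port is also listed as a source, or that has sources but no destination. The sample output is constructed after the page's listing.

```python
import re
# Constructed sample modelled on the "show monitor" listing above: session 1 is the
# page's configuration; session 2 deliberately lists its destination among its sources.
SAMPLE = """\
Session 1
---------
Source Ports :
Both : Gi1/0/1-20
Destination Ports : Gi1/0/22
Encapsulation : Native
Ingress : Disabled

Session 2
Source Ports :
RX Only : Gi1/0/23,Gi1/0/24
Destination Ports : Gi1/0/24
"""

_RANGE = re.compile(r"^([A-Za-z]+\d+(?:/\d+)*/)(\d+)-(\d+)$")

def expand_ports(spec: str) -> list:
    """Expand 'Gi1/0/1 - 3, Gi1/0/5' (IOS range/list syntax) into individual ports."""
    ports = []
    for item in spec.replace(" ", "").split(","):
        m = _RANGE.match(item)
        if m:
            prefix, lo, hi = m.group(1), int(m.group(2)), int(m.group(3))
            ports.extend(f"{prefix}{n}" for n in range(lo, hi + 1))
        elif item:
            ports.append(item)
    return ports

def parse_show_monitor(text: str) -> dict:
    """Map session id -> {'sources': {port: direction}, 'destinations': [ports]}."""
    sessions = {}
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Session (\d+)$", line)
        if m:
            cur = sessions.setdefault(int(m.group(1)), {"sources": {}, "destinations": []})
        elif cur is not None and ":" in line:
            key, _, val = (part.strip() for part in line.partition(":"))
            if key in ("Both", "RX Only", "TX Only"):  # direction rows under "Source Ports :"
                for port in expand_ports(val):
                    cur["sources"][port] = key
            elif key == "Destination Ports":
                cur["destinations"] = expand_ports(val)
    return sessions

def audit(sessions: dict) -> list:
    """Flag a destination that is also a source, and sources without any destination."""
    findings = []
    for sid, s in sorted(sessions.items()):
        overlap = sorted(set(s["destinations"]) & set(s["sources"]))
        if overlap:
            findings.append(f"session {sid}: destination also a source: {overlap}")
        if s["sources"] and not s["destinations"]:
            findings.append(f"session {sid}: sources defined but no destination port")
    return findings
```

    Run `audit(parse_show_monitor(SAMPLE))` to list the findings; on the page's own session 1 it returns nothing.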

  • To manage a network well, a packet capture analyzer is indispensable, ... Today we are not talking about packet capture; the topic is how to configure a mirror port on a Cisco switch to prepare for capturing. Connect to the switch with a console cable and open HyperTerminal; if the switch is configured for remote access, you can also telnet to the switch directly...
  • SPAN: source: monitor session 1 source interface gigabitEthernet 1/0/1- 5  destination: monitor session 1 destination interface gigabitEthernet 1/0/6 ---------------------------------------------...
  • cisco port mirroring.doc

    2010-09-25 13:04:29
    51CTO download - cisco port mirroring.doc
  • How to set up a switch mirror port. Cisco CATALYST switches come in two kinds
  • To manage a network well, a packet cap... Today we are not talking about packet capture; the topic is how to configure a mirror port on a Cisco switch to prepare for capturing. Connect to the switch with a console cable and open HyperTerminal; if the switch is configured for remote access, you can also telnet to the switch directly to configure it. For example, I want to ... on f0...
  • Cisco switch port mirroring

    2012-08-16 15:55:42
    1) What is port mirroring? A method of mirroring the data of one or more switch ports (VLANs) to one or more ports. 2) Why is port mirroring needed? During network troubleshooting and traffic analysis it is sometimes necessary to ... certain ports of a network node or backbone switch...
  • Cisco switch port mirroring

    2015-11-04 12:36:57
    1. switch(config)#monitor session 1 source interface g0/1  2. switch(config)#monitor session 1 destination interface g0/2  // monitor the traffic of port 1 through port 2 of the switch. Reposted from:...
  • Cisco 2950 port mirroring setup

    2009-07-15 09:57:09
    First an explanation of port mirroring. Put simply, port mirroring copies the switch's... Cisco's port mirroring is called SWITCHED PORT ANALYZER, SPAN for short (IOS only, same below); port mirroring therefore applies only to Ethernet switch ports. The CISCO 2950 switch is at its default configuration, 2...
  • cisco port mirroring setup

    1000+ reads  2015-06-08 08:19:59
    conf t; set the source port: monitor session 1 source interface f0/1 (both\rx\tx); set the destination port: monitor session 1 destination interface f0/2; view the configuration result ... remove the mirror port: no monitor session 1
  • Setting up a mirror port on a router

    1000+ reads  2018-08-13 16:55:57
    Make sure you can connect to your router. Log in to the router, switch to advanced configuration ... select Port Mirroring ... first enable port mirroring ... then use the mirroring function to mirror the data of port 1 to port 2; port 1 is then the captured port and port 2 the capturing port ...
  • Port mirroring

    2012-06-15 14:54:51
    Cisco mirror ports. 1. Cisco local mirror port. 1) Define the source port: Monitor session {session-number} source {interface interface-number | vlan vlan-ID} [rx|tx|both] 2) Define the destination port: Monitor session {session-nu.....
  • Cisco 3560 port mirroring

    2011-10-11 15:52:08
    For the principle of switch port mirroring, search Baidu; there is plenty. A brief overview of the configuration steps: Switch#show monitor No SPAN configuration is present in the system. (no port mirroring had been configured before) Switch#conf t Enter configuration ...
