- 产品与解决方案
- 行业解决方案
- 服务
- 支持
- 合作伙伴
- 新华三人才研学中心
- 关于我们
07-H3C_TAP典型配置举例
本章节下载: 07-H3C_TAP典型配置举例 (222.49 KB)
TAP典型配置举例
资料版本:6W101-20230905
产品版本:Release 7736P07
|
Copyright © 2021-2023 新华三技术有限公司 版权所有,保留一切权利。 非经本公司书面许可,任何单位和个人不得擅自摘抄、复制本文档内容的部分或全部,并不得以任何形式传播。 除新华三技术有限公司的商标外,本手册中出现的其它公司的商标、产品标识及商品名称,由各自权利人拥有。 本文档中的信息可能变动,恕不另行通知。 |
目 录
本文档介绍了TAP的配置举例。
TAP(Test Access Point,测试接入点,又称分路器)通过将流量重定向到监控组并发送给监控设备,实现用户上网行为分析、异常流量监测、网络应用监控等功能。
本文档中的配置均是在实验室环境下进行的配置和验证,配置前设备的所有参数均采用出厂时的缺省配置。如果您已经对设备进行了配置,为了保证配置效果,请确认现有配置和以下举例中的配置不冲突。
本文假设您已了解TAP特性。
如图1所示,某公司网络有核心网、汇聚网、接入网以及办公区网络,现要求通过配置TAP实现:
· 整个网络的流量添加外层vlan tag后复制两份。
· 两份数据完全相同,一份进入ServerA进行分析、统计等,另一份进入ServerB作为备份。
图1 TAP实现流量监测与备份典型组网图
定义TAP策略,使其将所有报文流加上vlan tag为4094,入方向应用该策略的接口的流量均被复制到ServerA和ServerB。
# 创建监控组1,并配置监控组的成员接口为GigabitEthernet1/0/4和GigabitEthernet1/0/5。
<DeviceB> system-view
[DeviceB] monitoring-group 1
[DeviceB-monitoring-group-1] monitoring-port gigabitethernet 1/0/4 to gigabitethernet 1/0/5
[DeviceB-monitoring-group-1] quit
# 定义类classifier_tap,匹配所有数据包。
[DeviceB] traffic classifier classifier_tap
[DeviceB-classifier-classifier_tap] if-match any
[DeviceB-classifier-classifier_tap] quit
# 定义流行为behavior_tap,动作为添加外层vlan tag为4094且重定向到监控组1。
[DeviceB] traffic behavior behavior_tap
[DeviceB-behavior-behavior_tap] nest top-most vlan 4094
[DeviceB-behavior-behavior_tap] redirect monitoring-group 1
[DeviceB-behavior-behavior_tap] quit
# 定义TAP类型策略policy_tap,并为类classifier_tap指定流行为behavior_tap。
[DeviceB] qos tap policy policy_tap
[DeviceB-qospolicy-policy_tap] classifier classifier_tap behavior behavior_tap
[DeviceB-qospolicy-policy_tap] quit
# 将TAP类型策略policy_tap应用到接口GigabitEthernet1/0/1的入方向上。
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] qos apply tap policy policy_tap inbound
[DeviceB-GigabitEthernet1/0/1] quit
# 将TAP类型策略policy_tap应用到接口GigabitEthernet1/0/2的入方向上。
[DeviceB] interface gigabitethernet 1/0/2
[DeviceB-GigabitEthernet1/0/2] qos apply tap policy policy_tap inbound
[DeviceB-GigabitEthernet1/0/2] quit
# 将TAP类型策略policy_tap应用到接口GigabitEthernet1/0/3的入方向上。
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] qos apply tap policy policy_tap inbound
[DeviceB-GigabitEthernet1/0/3] quit
# 执行display qos tap policy interface命令查看TAP策略信息。
[DeviceB] display qos tap policy interface
Interface: GigabitEthernet1/0/1
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Nesting:
Nest top-most vlan-id 4094
Redirecting:
Redirect to the monitoring group: 1
Interface: GigabitEthernet1/0/2
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Nesting:
Nest top-most vlan-id 4094
Redirecting:
Redirect to the monitoring group: 1
Interface: GigabitEthernet1/0/3
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Nesting:
Nest top-most vlan-id 4094
Redirecting:
Redirect to the monitoring group: 1
#
monitoring-group 1
monitoring-port GigabitEthernet1/0/4
monitoring-port GigabitEthernet1/0/5
#
traffic classifier classifier_tap operator and
if-match any
#
traffic behavior behavior_tap
nest top-most vlan 4094
redirect monitoring-group 1
#
qos tap policy policy_tap
classifier classifier_tap behavior behavior_tap
#
interface GigabitEthernet1/0/1
qos apply tap policy policy_tap inbound
#
interface GigabitEthernet1/0/2
qos apply tap policy policy_tap inbound
#
interface GigabitEthernet1/0/3
qos apply tap policy policy_tap inbound
#
如图2所示,某公司网络有核心网、汇聚网、接入网以及办公区网络,现要求通过配置TAP实现:
· 两台主机(如HostB和HostC)相互之间的流量都发送到同一台Server进行分析、监测。
· 所有的流量均匀负载分到三台Server中进行分析、监测。
图2 TAP同源同宿组网图
· 由于办公区的用户Host B和Host A均连接到接入网Device A设备上,两者之间报文流的源、目的IP是相反的,流量被复制到达Device B后,聚合接口在进行聚合负载分担时,两种报文流会经不同成员链路发往不同的Server,所以需要通过配置全局采用的聚合负载分担HASH算法为1类型,保证两种报文流经同一条成员链路发往同一个Server;
· 在设备Device B的聚合负载分担类型按照报文的源、目的IP地址区分流。
# 创建二层聚合组Bridge-Aggregation 1。
<DeviceB> system-view
[DeviceB] interface Bridge-Aggregation 1
[DeviceB-Bridge-Aggregation1] quit
# 将接口GigabitEthernet1/0/4、GigabitEthernet1/0/5和GigabitEthernet1/0/6加入聚合组Bridge-Aggregation 1中。
[DeviceB] interface gigabitethernet1/0/4
[DeviceB-GigabitEthernet1/0/4] port link-aggregation group 1
[DeviceB-GigabitEthernet1/0/4] quit
[DeviceB] interface gigabitethernet1/0/5
[DeviceB-GigabitEthernet1/0/5] port link-aggregation group 1
[DeviceB-GigabitEthernet1/0/5] quit
[DeviceB] interface gigabitethernet1/0/6
[DeviceB-GigabitEthernet1/0/6] port link-aggregation group 1
[DeviceB-GigabitEthernet1/0/6] quit
# 创建监控组1,并配置监控组的成员接口为Bridge-Aggregation 1。
[DeviceB] monitoring-group 1
[DeviceB-monitoring-group-1] monitoring-port bridge-aggregation 1
[DeviceB-monitoring-group-1] quit
# 定义类classifier_tap,匹配所有数据包。
[DeviceB] traffic classifier classifier_tap
[DeviceB-classifier-classifier_tap] if-match any
[DeviceB-classifier-classifier_tap] quit
# 定义流行为behavior_tap,动作为重定向到监控组1。
[DeviceB] traffic behavior behavior_tap
[DeviceB-behavior-behavior_tap] redirect monitoring-group 1
[DeviceB-behavior-behavior_tap] quit
# 定义TAP类型策略policy,并为类classifier_tap指定流行为behavior_tap。
[DeviceB] qos tap policy policy_tap
[DeviceB-qospolicy-policy_tap] classifier classifier_tap behavior behavior_tap
[DeviceB-qospolicy-policy_tap] quit
# 将TAP类型策略policy1应用到接口Gigabitethernet1/0/1、GigabitEthernet1/0/2和GigabitEthernet1/0/3的入方向上。
[DeviceB] interface gigabitethernet1/0/1
[DeviceB-Gigabitethernet1/0/1] qos apply tap policy policy_tap inbound
[DeviceB-Gigabitethernet1/0/1] quit
[DeviceB] interface gigabitethernet1/0/2
[DeviceB-Gigabitethernet1/0/2] qos apply tap policy policy_tap inbound
[DeviceB-Gigabitethernet1/0/2] quit
[DeviceB] interface gigabitethernet1/0/3
[DeviceB-Gigabitethernet1/0/3] qos apply tap policy policy_tap inbound
[DeviceB-Gigabitethernet1/0/3] quit
# 配置全局采用的聚合负载分担类型为按报文的源、目的IP地址进行聚合负载分担,分担算法为1类型。
[DeviceB] link-aggregation global load-sharing mode source-ip destination-ip
[DeviceB] link-aggregation global load-sharing algorithm 1
# 显示Device B的tap策略信息。
[DeviceB] display qos tap policy interface
Interface: GigabitEthernet1/0/1
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Redirecting:
Redirect to the monitoring group: 1
Interface: GigabitEthernet1/0/2
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Redirecting:
Redirect to the monitoring group: 1
Interface: GigabitEthernet1/0/3
Direction: Inbound
Tap policy: policy_tap
Classifier: classifier_tap
Operator: AND
Rule(s) :
If-match any
Behavior: behavior_tap
Redirecting:
Redirect to the monitoring group: 1
# 显示Device B的监控组信息。
[DeviceB] display monitoring-group all
Monitoring group 1:
Monitoring ports: Bridge-Aggregation1
# 显示Device B的负载分担模式。
[DeviceB] display link-aggregation load-sharing mode
Link-aggregation load-sharing algorithm:1
Link-aggregation load-sharing mode:
destination-ip address, source-ip address
#
link-aggregation global load-sharing mode destination-ip source-ip
link-aggregation global load-sharing algorithm 1
#
monitoring-group 1
monitoring-port Bridge-Aggregation1
#
traffic behavior behavior_tap
redirect monitoring-group 1
#
traffic classifier classifier_tap operator and
if-match any
#
qos tap policy policy_tap
classifier classifier_tap behavior behavior_tap
#
interface Bridge-Aggregation1
#
interface GigabitEthernet1/0/1
qos apply tap policy policy_tap inbound
#
interface GigabitEthernet1/0/2
qos apply tap policy policy_tap inbound
#
interface GigabitEthernet1/0/3
qos apply tap policy policy_tap inbound
#
interface GigabitEthernet1/0/4
port link-aggregation group 1
#
interface GigabitEthernet1/0/5
port link-aggregation group 1
#
interface GigabitEthernet1/0/6
port link-aggregation group 1
· H3C S5560-EI-G系列交换机 TAP配置指导-R7736P07
· H3C S5560-EI-G系列交换机 TAP命令参考-R7736P07
不同款型规格的资料略有差异, 详细信息请向具体销售和400咨询。H3C保留在没有任何通知或提示的情况下对资料内容进行修改的权利!
支持
售前咨询
售后咨询
人工在线咨询
