ASR1k ERSPAN
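The ASR1k supports ERSPAN. ERSPAN encapsulates the captured (mirrored) packets in GRE. Take the following topology as an example:
R1 ---- ISP ---- R2
Configure the SPAN source on R1 with R2 as the destination. A tunnel is established between the two, and the captured packets are sent to R2. R2 receives these packets, strips the header, and outputs them to a server for analysis. On the ASR1k you can also use ERSPAN to capture local traffic, as in the following configuration: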
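monitor session 10 type erspan-source        !--- GRE source session, e.g. configured on R1
 source interface POS0/2/0                   !--- SPAN the traffic on pos0/2/0; POS interfaces are supported only in 3.5 or later
 destination                                 !--- under the source session, configure the GRE destination information, e.g. R2's details
  erspan-id 10                               !--- must be the same on source and destination, otherwise the tunnel cannot be established
  ip address 12.12.12.12                     !--- equivalent to the GRE destination address
  origin ip address 12.12.12.12              !--- equivalent to the GRE source address
!
monitor session 20 type erspan-destination   !--- GRE destination session, e.g. configured on R2
 destination interface Gi0/0/2               !--- the SPAN traffic is sent out of Gi0/0/2
 source                                      !--- under the destination session, configure the GRE source information, e.g. R1's details
  erspan-id 10                               !--- same as above
  ip address 12.12.12.12                     !--- same as the origin ip in the source session; there is no origin here because SPAN is a one-way tunnel
!--- For local SPAN, all of these are the same address, and it must be an active address; a loopback interface can be used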
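To check on a collector that the mirrored traffic really carries the `erspan-id` configured above, the following added example (not from the original post) strips the GRE and ERSPAN headers in Python. It assumes ERSPAN Type II framing (GRE protocol 0x88BE with a sequence number and an 8-byte ERSPAN header), which the post does not state; `decap_erspan` and the sample bytes are constructed for illustration.

```python
import struct

GRE_PROTO_ERSPAN = 0x88BE  # GRE protocol type for ERSPAN Type I/II

def decap_erspan(gre: bytes, expected_id: int):
    """Strip GRE + ERSPAN Type II headers (input starts right after the outer IP header).

    Returns (session_id, vlan, gre_sequence, inner_frame). Raises ValueError for
    malformed input or a session ID other than expected_id.
    """
    if len(gre) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != GRE_PROTO_ERSPAN or flags & 0x0007:
        raise ValueError(f"not ERSPAN over GRE version 0 (proto 0x{proto:04x})")
    if not flags & 0x1000:
        raise ValueError("no GRE sequence number: Type I, no ERSPAN header to parse")
    off = 4
    off += 4 if flags & 0x8000 else 0   # optional checksum + reserved
    off += 4 if flags & 0x2000 else 0   # optional key
    if len(gre) < off + 12:             # sequence (4) + ERSPAN header (8)
        raise ValueError("truncated ERSPAN header")
    seq, word1, _word2 = struct.unpack("!III", gre[off:off + 12])
    version = word1 >> 28
    vlan = (word1 >> 16) & 0x0FFF
    session_id = word1 & 0x03FF         # 10 bits, the value set by `erspan-id`
    if version != 1:
        raise ValueError(f"ERSPAN version {version} is not Type II")
    if session_id != expected_id:
        raise ValueError(f"erspan-id {session_id} does not match expected {expected_id}")
    return session_id, vlan, seq, gre[off + 12:]

# Constructed sample: GRE (S bit set, seq 1) + ERSPAN II (ver 1, session 10) + dummy frame
INNER = bytes.fromhex("ffffffffffff" "020000000001" "0800") + b"constructed-payload"
SAMPLE = (struct.pack("!HHI", 0x1000, GRE_PROTO_ERSPAN, 1)
          + struct.pack("!II", (1 << 28) | 10, 0) + INNER)

if __name__ == "__main__":
    sid, vlan, seq, frame = decap_erspan(SAMPLE, expected_id=10)
    print(f"erspan-id={sid} vlan={vlan} seq={seq} inner_len={len(frame)}")
```

Rejecting packets whose session ID differs from the expected one keeps traffic from an unrelated ERSPAN source out of the analysis.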
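Update 2014-9-5: Troubleshooting lost packets
Once ERSPAN is set up on the ingress and egress interfaces, you can use the following commands to see where the packets are actually being lost.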
1. Enable ERSPAN on the A and B interfaces
2. Show statistics on SIP
show platform hardware port plim statistics
show platform hardware subslot {spa slot/card} plim statistics
show platform hardware slot {spa slot} plim statistics
show platform hardware slot {spa slot} plim status internal
show platform hardware slot {spa slot} serdes statistics
3. Ping packets with repeat 100
4. Show statistics on SIP again with the above commands.
5. Disable ERSPAN.

A more convenient way to capture packets:
Cisco IOS Embedded Packet Capture
http://www.cisco.com/c/en/us/td/docs/ios-xml/ios/epc/command/epc-cr-book/epc-cr-m1.html
#monitor capture test interface gi0/0/0 both
#monitor capture test access-list cap-test
#monitor capture test start
#monitor capture test stop
#monitor capture test export ftp://xxxx/cap.pcap
#show monitor capture test buffer ?
  brief     brief display
  detailed  detailed disaply
  dump      for dump
  |         Output modifiers
Update 2014-10-23: EPC on the IOS platform
http://www.cisco.com/c/en/us/support/docs/ios-nx-os-software/ios-150m/115805-config-epc-2-interfaces-00.html
More information here:
http://www.cisco.com/en/US/docs/ios-xml/ios/lanswitch/configuration/xe-3s/lnsw-conf-erspan.html