■Trying out a local mirror port (SPAN) on a Cisco C2970.
I was curious whether the [Linux2] side needs an IP address configured or not, so I tested it.
The upshot: the interface connected to the monitor port needs no IP configuration, and no DHCP-related packets flow on it either.
If you want to allow for situations such as the switch configuration being wiped, it is better to give the [Linux2] side a separate IP address in the same segment.

$ echo "[Linux1]";lsb_release -d
[Linux1]
Description:    Debian GNU/Linux 8.3 (jessie)
$ echo "[Linux2]";lsb_release -d
[Linux2]
Description:    Debian GNU/Linux 8.3 (jessie)

Switch>enable
Switch#show version | include ^Cisco
Cisco IOS Software, C2970 Software (C2970-LANBASE-M), Version 12.2(44)SE6, RELEASE SOFTWARE (fc1)

■A simple diagram of changing a factory-reset C2970 to a per-interface mirroring configuration.

$ echo "[Linux1-eth1]<-->[Gi-0/23]<-- SPAN -->[Gi-0/24]-->[eth1-Linux2]" | \
graph-easy --dot | dot -T png -o localspan.png

■SPAN (local) configuration from [Gi-0/23] to [Gi-0/24]
Because the [Linux1] side is a 1G link and the [Linux2] side is a 100M link, [Gi0/23], which connects to [Linux1], was fixed at 100M (otherwise a 1G source could oversubscribe the 100M destination port and mirrored frames would be dropped).

configure
monitor session 1 source interface GigabitEthernet 0/23 both
monitor session 1 destination interface GigabitEthernet 0/24
interface vlan 1
 ip address 172.16.16.254 255.255.255.0
 no shutdown
interface GigabitEthernet 0/23
 speed 100
 no shutdown
interface GigabitEthernet 0/24
 no shutdown
end

■The monitor session is as configured.

Switch#show monitor
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Gi0/23
Destination Ports      : Gi0/24
    Encapsulation      : Native
          Ingress      : Disabled

■[Gi-0/23] belongs to VLAN 1. (Note that [Gi-0/24], now a SPAN destination, no longer appears in the VLAN 1 port list.)

Switch#show vlan id 1

VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Gi0/1, Gi0/2, Gi0/3, Gi0/4
                                                Gi0/5, Gi0/6, Gi0/7, Gi0/8
                                                Gi0/9, Gi0/10, Gi0/11, Gi0/12
                                                Gi0/13, Gi0/14, Gi0/15, Gi0/16
                                                Gi0/17, Gi0/18, Gi0/19, Gi0/20
                                                Gi0/21, Gi0/22, Gi0/23

VLAN Type  SAID       MTU   Parent RingNo BridgeNo Stp  BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1    enet  100001     1500  -      -      -        -    -        0      0

Remote SPAN VLAN
----------------
Disabled

Primary Secondary Type              Ports
------- --------- ----------------- ------------------------------------------

■Each interface is linked up at 100M; [Gi-0/24] shows as the monitoring port.

Switch#show interfaces status | include 2[234]
Gi0/22                       connected    1          a-full  a-100 10/100/1000BaseTX
Gi0/23                       connected    1          a-full    100 10/100/1000BaseTX
Gi0/24                       monitoring   1          a-full  a-100 10/100/1000BaseTX

■[Linux1]'s MAC address is [XX:XX:XX:XX:10:ca]; [Linux2]'s MAC address is [XX:XX:XX:XX:c2:e3].

$ echo "[Linux1]"; \
ip a list eth1 | grep -v inet6 | \
sed -e 's/ [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:/ XX:XX:XX:XX:/'
[Linux1]
2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether XX:XX:XX:XX:10:ca brd ff:ff:ff:ff:ff:ff
    inet 172.16.16.88/24 brd 172.16.16.255 scope global eth1
       valid_lft forever preferred_lft forever
$ echo "[Linux2]"; \
ip a list eth1 | grep -v inet6 | \
sed -e 's/ [0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:[0-9a-f][0-9a-f]:/ XX:XX:XX:XX:/'
[Linux2]
5: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether XX:XX:XX:XX:c2:e3 brd ff:ff:ff:ff:ff:ff
       valid_lft forever preferred_lft forever

■Send pings in both directions.

Switch#ping 172.16.16.88

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.16.88, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/203/1006 ms

$ ping -c 3 172.16.16.88
PING 172.16.16.88 (172.16.16.88) 56(84) bytes of data.
64 bytes from 172.16.16.88: icmp_seq=1 ttl=64 time=0.157 ms
64 bytes from 172.16.16.88: icmp_seq=2 ttl=64 time=0.076 ms
64 bytes from 172.16.16.88: icmp_seq=3 ttl=64 time=0.079 ms

--- 172.16.16.88 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 0.076/0.104/0.157/0.037 ms

■The pings should have caused MAC addresses to be learned, so check. [10:ca] matches [Linux1-eth1].

Switch#show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  172.16.16.254           -   XXXX.XXXX.fcc0  ARPA   Vlan1
Internet  172.16.16.88            1   XXXX.XXXX.10ca  ARPA   Vlan1

$ echo "[Linux1]";sudo arp -an | grep eth1
[Linux1]
? (172.16.16.254) at XX:XX:XX:XX:fc:c0 [ether] on eth1

■Since this is within the L2 broadcast domain, tcpdump should be able to capture it.
※Is the broadcast from the Cisco L2 switch sent as [255.255.255.255]?

$ echo "[Linux2]";sudo tcpdump -i eth1
[Linux2]

$ echo "[Linux1]-->[Gi0/23]";sudo ping -c 2 -b 172.16.16.255
[Linux1]-->[Gi0/23]
WARNING: pinging broadcast address
PING 172.16.16.255 (172.16.16.255) 56(84) bytes of data.
64 bytes from 172.16.16.254: icmp_seq=1 ttl=255 time=0.429 ms
64 bytes from 172.16.16.254: icmp_seq=2 ttl=255 time=0.424 ms

--- 172.16.16.255 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.424/0.426/0.429/0.020 ms

■Result of the broadcast ping (as captured by tcpdump on [Linux2])

13:58:06.137331 IP 172.16.16.88 > 172.16.16.255: ICMP echo request, id 29933, seq 1, length 64
13:58:06.137639 IP 172.16.16.254 > 172.16.16.88: ICMP echo reply, id 29933, seq 1, length 64
13:58:07.136898 IP 172.16.16.88 > 172.16.16.255: ICMP echo request, id 29933, seq 2, length 64
13:58:07.137217 IP 172.16.16.254 > 172.16.16.88: ICMP echo reply, id 29933, seq 2, length 64

■A normal ping.

$ echo "[Linux1]-->[Gi0/23]";sudo ping -c 2 172.16.16.254
[Linux1]-->[Gi0/23]
PING 172.16.16.254 (172.16.16.254) 56(84) bytes of data.
64 bytes from 172.16.16.254: icmp_seq=1 ttl=255 time=0.432 ms
64 bytes from 172.16.16.254: icmp_seq=2 ttl=255 time=0.421 ms

--- 172.16.16.254 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 999ms
rtt min/avg/max/mdev = 0.421/0.426/0.432/0.021 ms

13:59:31.701636 IP 172.16.16.88 > 172.16.16.254: ICMP echo request, id 29936, seq 1, length 64
13:59:31.701999 IP 172.16.16.254 > 172.16.16.88: ICMP echo reply, id 29936, seq 1, length 64
13:59:32.700993 IP 172.16.16.88 > 172.16.16.254: ICMP echo request, id 29936, seq 2, length 64
13:59:32.701228 IP 172.16.16.254 > 172.16.16.88: ICMP echo reply, id 29936, seq 2, length 64

■It can also be confirmed with tshark.

$ echo "[Linux2]";sudo tshark -i 3
[Linux2]
 23  25.590468 172.16.16.254 -> 172.16.16.88  ICMP 114 Echo (ping) request  id=0x0009, seq=0/0, ttl=255
 24  25.590604 172.16.16.88 -> 172.16.16.254  ICMP 114 Echo (ping) reply    id=0x0009, seq=0/0, ttl=64 (request in 23)
 25  25.592127 172.16.16.254 -> 172.16.16.88  ICMP 114 Echo (ping) request  id=0x0009, seq=1/256, ttl=255
 26  25.592220 172.16.16.88 -> 172.16.16.254  ICMP 114 Echo (ping) reply    id=0x0009, seq=1/256, ttl=64 (request in 25)
 27  25.594272 172.16.16.254 -> 172.16.16.88  ICMP 114 Echo (ping) request  id=0x0009, seq=2/512, ttl=255
 28  25.594339 172.16.16.88 -> 172.16.16.254  ICMP 114 Echo (ping) reply    id=0x0009, seq=2/512, ttl=64 (request in 27)
 29  25.596420 172.16.16.254 -> 172.16.16.88  ICMP 114 Echo (ping) request  id=0x0009, seq=3/768, ttl=255
 30  25.596590 172.16.16.88 -> 172.16.16.254  ICMP 114 Echo (ping) reply    id=0x0009, seq=3/768, ttl=64 (request in 29)
 31  25.598595 172.16.16.254 -> 172.16.16.88  ICMP 114 Echo (ping) request  id=0x0009, seq=4/1024, ttl=255
 32  25.598669 172.16.16.88 -> 172.16.16.254  ICMP 114 Echo (ping) reply    id=0x0009, seq=4/1024, ttl=64 (request in 31)
 33  30.591415 OUIMaker_XX:10:ca -> Cisco_XX:fc:c0 ARP 60 Who has 172.16.16.254?  Tell 172.16.16.88
 34  30.592998 Cisco_XX:fc:c0 -> OUIMaker_XX:10:ca ARP 60 172.16.16.254 is at XX:XX:XX:XX:fc:c0

■No mDNS packets flow when the link on the Cisco side goes down/up.
mDNS packets do flow when eth1 on the [Linux1] side goes down/up.
Their direction is also [172.16.16.88.5353 > 224.0.0.251.5353], so the trigger is neither the Cisco side nor [Linux2], which is connected to the monitor port.

$ echo "[Linux1]";sudo ifconfig eth1 down;sudo ifconfig eth1 up
[Linux1]

■If you do assign an IP to the monitor-port side of [Linux2], offset the IP as in the following example.
(Note that when operating via ifup/ifdown from the [/etc/network/interfaces] script, [ifconfig] is not used.)

$ echo "[Linux2]";sudo ifconfig eth1 172.16.16.89/24
[Linux2]
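As an added example (not part of the original post), a small Python checker that reads tcpdump ICMP lines like those captured on [Linux2] above and verifies two properties a monitor host should have: both directions of each echo exchange are visible (the `both` SPAN source direction is really mirroring ingress and egress), and no frame is sourced from the sensor's own address (the monitor host stays silent). The sample lines are constructed from the normal-ping capture above with one extra unanswered request appended; 172.16.16.89 is the address given to [Linux2] at the end of the post.

```python
import re

# Constructed sample: the tcpdump lines from the normal-ping capture on [Linux2],
# plus one extra request (seq 3) with no reply to exercise the check.
SAMPLE_TCPDUMP = """\
13:59:31.701636 IP 172.16.16.88 > 172.16.16.254: ICMP echo request, id 29936, seq 1, length 64
13:59:31.701999 IP 172.16.16.254 > 172.16.16.88: ICMP echo reply, id 29936, seq 1, length 64
13:59:32.700993 IP 172.16.16.88 > 172.16.16.254: ICMP echo request, id 29936, seq 2, length 64
13:59:32.701228 IP 172.16.16.254 > 172.16.16.88: ICMP echo reply, id 29936, seq 2, length 64
13:59:33.700500 IP 172.16.16.88 > 172.16.16.254: ICMP echo request, id 29936, seq 3, length 64
"""

# tcpdump's default one-line format for ICMP echo request/reply.
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): ICMP echo (?P<kind>request|reply), "
    r"id (?P<id>\d+), seq (?P<seq>\d+)"
)

def parse_icmp(text):
    """Return parsed ICMP echo records from tcpdump text; other lines are ignored."""
    records = []
    for line in text.splitlines():
        m = ICMP_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["id"], rec["seq"] = int(rec["id"]), int(rec["seq"])
            records.append(rec)
    return records

def audit_span(text, sensor_ips=()):
    """Pair echo requests with replies by (id, seq) and flag sensor-sourced frames.
    With SPAN source 'both' every request has its reply; an rx- or tx-only session
    leaves one side unmatched. A silent monitor host never appears as a source."""
    requests, replies, leaks = {}, {}, []
    for rec in parse_icmp(text):
        key = (rec["id"], rec["seq"])
        (requests if rec["kind"] == "request" else replies)[key] = rec
        if rec["src"] in sensor_ips:  # sensor_ips: addresses the monitor host owns
            leaks.append(rec)
    return {
        "requests": len(requests),
        "replies": len(replies),
        "unanswered": sorted(k for k in requests if k not in replies),
        "orphan_replies": sorted(k for k in replies if k not in requests),
        "sensor_leaks": len(leaks),
    }
```

Run against a real capture with `sudo tcpdump -i eth1 -l -n icmp`, piped into `audit_span`, after the test ping; a non-empty `unanswered` or `orphan_replies` list points at a one-directional session, and any `sensor_leaks` means the monitor interface is transmitting.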