RSPAN Technology
 
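SPAN is mainly used to monitor traffic on a switch. It comes in two broad types, Local Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN), which differ slightly in how they are implemented. With SPAN, the traffic of the switch ports you want to watch (referred to below as monitored ports) is copied, or mirrored, and sent to a traffic analyzer attached to the monitoring port, such as a Cisco IDS or a PC running a sniffer tool. The monitored ports and the monitoring port can be on the same switch (local SPAN) or on different switches (remote SPAN).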
 
 
Lab equipment: two Huawei s2000hi switches, one s2000ei switch, one router, one PC, and one virtual machine acting as the ndis server
 

[Image 1: RSPAN on Huawei switches (s2000hi)]

Configure sw1:
[sw1]vlan 10
[sw1-vlan10]remote-probe vlan enable
[sw1-vlan10]inter eth1/0/1
[sw1-Ethernet1/0/1]port link-type trunk
[sw1-Ethernet1/0/1]port trunk permit vlan 10
 Please wait... Done.
[sw1-Ethernet1/0/1]quit
[sw1]mirro?
   mirroring-group
 
[sw1]mirroring-group 1 remote-destination
[sw1]mirroring-group 1 monitor-port eth1/0/2
[sw1]mirroring-group 1 remote-probe vlan 10
Configure sw2:
[sw2]vlan 10
[sw2]inter e0/1
[sw2-Ethernet0/1]port link-type trunk
[sw2-Ethernet0/1]port trunk permit vlan 10
 Please wait... Done.
[sw2-Ethernet0/1]inter e0/2               
[sw2-Ethernet0/2]port link-type trunk     
[sw2-Ethernet0/2]port trunk permit vlan 10
 Please wait... Done.
 
 
Configure sw3:
[sw3]vlan 10
[sw3-vlan10]remote-probe vlan enable
[sw3-vlan10]inter eth1/0/2
[sw3-Ethernet1/0/2]port link-type trunk
[sw3-Ethernet1/0/2]port trunk permit vlan 10
 Please wait... Done.
[sw3-Ethernet1/0/2]mirroring-group 1 remote-source
[sw3]mirroring-group 1 mirroring-port eth1/0/10 ?
 Ethernet Ethernet interface
 both       Monitor the inbound and outbound packets
 inbound    Monitor the inbound packets
 outbound Monitor the outbound packets
 to         Range of interfaces
 
[sw3]mirroring-group 1 mirroring-port eth1/0/10 eth1/0/20 both
 The remote source mirroring group doesn't support mirroring port of both direction!
[sw3]mirroring-group 1 mirroring-port eth1/0/10 both          
 The remote source mirroring group doesn't support mirroring port of both direction!
[sw3]mirroring-group 1 mirroring-port eth1/0/10 eth1/0/20 inbound
[sw3]mirroring-group 1 reflector-port eth1/0/5
[sw3]mirroring-group 1 remote-probe vlan 10
[sw3]dis mirroring-group remote-source
mirroring-group 1:
    type: remote-source
    status: active
    mirroring port:
        Ethernet1/0/10 inbound
        Ethernet1/0/20 inbound
    reflector port: Ethernet1/0/5
    remote-probe vlan: 10
[sw3]
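
An added example (not from the original page or from Huawei): a Python check that reads prompt-prefixed CLI sessions like the three above and reports gaps that would keep mirrored traffic from reaching the analyzer. The function names, the linear source/transit/destination topology and the condensed sample sessions are assumptions made for this illustration; the rules only mirror what the working configuration on this page shows.

```python
import re

PROMPT = re.compile(r"^\[\w+(?:-([^\]]+))?\](.*)$")  # "[sw3-Ethernet1/0/2]cmd" -> view, command

def parse(transcript):
    """Collect RSPAN state from prompt-prefixed CLI lines; device output lines are skipped."""
    st = {"probe": set(), "trunks": {}, "group": {}}
    for m in filter(None, map(PROMPT.match, transcript.splitlines())):
        view, cmd = m.group(1) or "", m.group(2).split()
        if cmd == ["remote-probe", "vlan", "enable"]:
            st["probe"].add(view[4:])                      # view looks like "vlan10"
        elif cmd[:4] == ["port", "trunk", "permit", "vlan"]:
            st["trunks"].setdefault(view, set()).update(cmd[4:])
        # "?" is CLI help; the page shows "both" rejected on a remote-source group
        elif cmd[:1] == ["mirroring-group"] and len(cmd) > 2 and cmd[-1] not in ("?", "both"):
            st["group"].setdefault(cmd[2], []).extend(cmd[3:])
    return st

def check_path(src, transit, dst):
    """Return findings that leave the analyzer blind; an empty list means the path is complete."""
    g, d = src["group"], dst["group"]
    vlan, out = g.get("remote-probe", [None])[-1], []
    if "remote-source" not in g or not (g.get("mirroring-port") and g.get("reflector-port")):
        out.append("source: remote-source group needs mirroring and reflector ports")
    if "remote-destination" not in d or not d.get("monitor-port"):
        out.append("destination: remote-destination group needs a monitor port")
    if vlan is None or d.get("remote-probe", [None])[-1] != vlan:
        out.append("remote-probe VLAN differs between source and destination")
    hops = [("source", src, 1), ("destination", dst, 1)]
    hops += [(f"transit{i}", t, 2) for i, t in enumerate(transit)]  # assumed: in and out trunk
    for name, sw, need in hops:
        have = sum(vlan in vlans for vlans in sw["trunks"].values())
        if have < need:
            out.append(f"{name}: VLAN {vlan} permitted on {have} trunk port(s), need {need}")
        if need == 1 and vlan not in sw["probe"]:
            out.append(f"{name}: VLAN {vlan} is not a remote-probe VLAN")
    return out

# Constructed input: the sw1/sw2/sw3 sessions from this page, condensed to their key commands.
SW1 = ("[sw1-vlan10]remote-probe vlan enable\n[sw1-Ethernet1/0/1]port trunk permit vlan 10\n"
       "[sw1]mirroring-group 1 remote-destination\n[sw1]mirroring-group 1 monitor-port eth1/0/2\n"
       "[sw1]mirroring-group 1 remote-probe vlan 10\n")
SW2 = ("[sw2]vlan 10\n[sw2]inter e0/1\n[sw2-Ethernet0/1]port trunk permit vlan 10\n"
       "[sw2-Ethernet0/1]inter e0/2\n[sw2-Ethernet0/2]port trunk permit vlan 10\n")
SW3 = ("[sw3-vlan10]remote-probe vlan enable\n[sw3-Ethernet1/0/2]port trunk permit vlan 10\n"
       "[sw3-Ethernet1/0/2]mirroring-group 1 remote-source\n"
       "[sw3]mirroring-group 1 mirroring-port eth1/0/10 both\n"
       "[sw3]mirroring-group 1 mirroring-port eth1/0/10 eth1/0/20 inbound\n"
       "[sw3]mirroring-group 1 reflector-port eth1/0/5\n[sw3]mirroring-group 1 remote-probe vlan 10\n")
if __name__ == "__main__":
    print(check_path(parse(SW3), [parse(SW2)], parse(SW1)))
```

Dropping one of the `port trunk permit vlan 10` lines from the sw2 session makes the check report the transit switch, which is the failure that silently stops mirrored frames before they reach the monitor port.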
 
Configure the router:
[r10]inter e0
[r10-Ethernet0]ip address 192.168.1.2 24
[r10-Ethernet0]
[r10-Ethernet0]
[r10-Ethernet0]
[r10-Ethernet0]
[r10-Ethernet0]
[r10-Ethernet0]quit
[r10]
[r10]
[r10]
[r10]local-user user1 password sim 123 ser admin
 
 
Test:
Telnet from pc2 (192.168.1.3) to pc1 (192.168.1.2)
Capture the packets with the sniffer:

[Image 2: RSPAN on Huawei switches (s2000hi)]