CCNP Part 16: VXLAN (II) + port mirroring
This article is mainly a practical demonstration of VXLAN, followed by port mirroring (SPAN).
VXLAN demo
A standard eNSP installation does not include this image.
To use the CE12800 you need the image I have here, which you can download:
Link: https://pan.baidu.com/s/1nqGo8a7mmWpthu-CuBC80Q?pwd=cjnb
Extraction code: cjnb
This image has to be imported into eNSP manually.
On my 32 GB machine it took a few minutes to boot, but that does not affect its use; it just starts slowly.
So what does each device in the topology represent?
LSW represents the vSwitch (in a real environment everything is virtualized; what you cannot see is the virtual switch inside a physical server).
CE represents the NVE.
The PCs represent the servers behind the vSwitch.
The device in the middle does not matter; it is simply a layer-3 interconnect device.
Among them, these three places form the underlay: the pure bottom layer, where the devices can already reach each other.
The VNI on both the left and the right device is 1000.
The BD on the left device is 1000.
The BD on the right device is 2000.
The final requirement is that the left and right sides can communicate.
The PC on the left has IP 100.1.1.2.
The PC on the right has IP 100.1.1.1.
All gateways are 100.1.1.254.
Do not go by the VLANs in the picture: the PC on the left is in VLAN 100, the PC on the right in VLAN 200; the upper-left VLAN is 10 and the upper-right VLAN is 20.
As for the underlay at the top, it does not matter; configure it however you like.
By the way, on Huawei CE-series devices, after you enter system-view a tilde (~) appears in the prompt.
This means that nothing you configure has taken effect yet.
Why? In case something you did is wrong: you have to commit before it takes effect.
CE: an enterprise boundary device, which can also be used at the data center boundary.
Of course, there is a solution: enter system-view in immediate-commit mode (system-view immediately), and commands then take effect as usual.
If you call the sub-interface directly, it will tell you that this does not work.
The sub-interface is used to match the VLAN tag (dot1q).
So you can only enable a layer-2 sub-interface (mode l2), because once an IP is configured it becomes layer 3.
Tag it at the underlying interface.
First, create the VXLAN VNI and the BD in advance.
Then strip the tag on the sub-interface.
Note that the interface connecting to the vSwitch needs no configuration at all; just bring it up! The VLAN corresponds to the VLAN on the vSwitch. At this point, as many VLANs as you have, that many sub-interfaces you need, so this is a fair amount of work. The sub-interface's only job is to strip the VLAN tag.
Tunnel (VTEP)
If each side's work is done, we need to build the tunnel. That's it:
This process is much like configuring a tunnel, except that there is no need to write a destination on the interface; the remote VTEP is given in the head-end peer-list.
Opposite end:
When the configuration is finished, the two sides can reach each other directly.
This is the effect of VXLAN.
Since we are talking about layer 2, let's look at ARP as well. No problem.
The configuration of each device is as follows,
corresponding to this picture:
[CE1]dis current-configuration
!Software Version V800R013C00SPC560B560
!Last configuration was updated at 2022-02-21 00:25:00+00:00
!Last configuration was saved at 2022-02-20 23:59:09+00:00
#
sysname CE1
#
device board 17 board-type CE-MPUB
device board 1 board-type CE-LPUE
#
vlan batch 10
#
bridge-domain 1000
 vxlan vni 1000
#
vni 1000
#
aaa
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
 domain default_admin
#
interface Vlanif10
 ip address 10.1.1.1 255.255.255.0
#
interface MEth0/0/0
 undo shutdown
#
interface GE1/0/0
 undo shutdown
#
interface GE1/0/0.10 mode l2
 encapsulation dot1q vid 100
 bridge-domain 1000
#
interface GE1/0/1
 undo shutdown
 port default vlan 10
#
interface GE1/0/2
 undo shutdown
#
interface GE1/0/3
 shutdown
#
interface GE1/0/4
 shutdown
#
interface GE1/0/5
 shutdown
#
interface GE1/0/6
 shutdown
#
interface GE1/0/7
 shutdown
#
interface GE1/0/8
 shutdown
#
interface GE1/0/9
 shutdown
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.0
#
interface Nve1
 source 1.1.1.1
 vni 1000 head-end peer-list 3.3.3.3
#
interface NULL0
#
ospf 1 router-id 1.1.1.1
 area 0.0.0.0
  network 1.1.1.0 0.0.0.255
  network 10.1.1.0 0.0.0.255
#
ssh authorization-type default aaa
#
user-interface con 0
#
port-group lin
#
vm-manager
#
return

[CE1]dis ip int br
*down: administratively down
!down: FIB overload down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 1

Interface        IP Address/Mask   Physical   Protocol   VPN
LoopBack0        1.1.1.1/24        up         up(s)      --
MEth0/0/0        unassigned        up         down       --
NULL0            unassigned        up         up(s)      --
Vlanif10         10.1.1.1/24       up         up         --

[CE1]dis ip routing-table
Proto: Protocol        Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 12       Routes : 12

Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
1.1.1.0/24          Direct  0    0      D      1.1.1.1      LoopBack0
1.1.1.1/32          Direct  0    0      D      127.0.0.1    LoopBack0
1.1.1.255/32        Direct  0    0      D      127.0.0.1    LoopBack0
3.3.3.3/32          OSPF    10   2      D      10.1.1.2     Vlanif10
10.1.1.0/24         Direct  0    0      D      10.1.1.1     Vlanif10
10.1.1.1/32         Direct  0    0      D      127.0.0.1    Vlanif10
10.1.1.255/32       Direct  0    0      D      127.0.0.1    Vlanif10
20.1.1.0/24         OSPF    10   2      D      10.1.1.2     Vlanif10
127.0.0.0/8         Direct  0    0      D      127.0.0.1    InLoopBack0
127.0.0.1/32        Direct  0    0      D      127.0.0.1    InLoopBack0
127.255.255.255/32  Direct  0    0      D      127.0.0.1    InLoopBack0
255.255.255.255/32  Direct  0    0      D      127.0.0.1    InLoopBack0

[CE2]dis current-configuration
!Software Version V800R013C00SPC560B560
!Last configuration was updated at 2022-02-21 00:42:44+00:00
!Last configuration was saved at 2022-02-20 23:58:52+00:00
#
sysname CE2
#
device board 17 board-type CE-MPUB
device board 1 board-type CE-LPUE
#
vlan batch 20
#
bridge-domain 2000
 vxlan vni 1000
#
vni 1000
#
aaa
 #
 authentication-scheme default
 #
 authorization-scheme default
 #
 accounting-scheme default
 #
 domain default
 #
 domain default_admin
#
interface Vlanif20
 ip address 20.1.1.1 255.255.255.0
#
interface MEth0/0/0
 undo shutdown
#
interface GE1/0/0
 undo shutdown
 port default vlan 20
#
interface GE1/0/1
 undo shutdown
#
interface GE1/0/1.1 mode l2
 encapsulation dot1q vid 200
 bridge-domain 2000
#
interface GE1/0/2
 undo shutdown
#
interface GE1/0/3
 shutdown
#
interface GE1/0/4
 shutdown
#
interface GE1/0/5
 shutdown
#
interface GE1/0/6
 shutdown
#
interface GE1/0/7
 shutdown
#
interface GE1/0/8
 shutdown
#
interface GE1/0/9
 shutdown
#
interface LoopBack0
 ip address 3.3.3.3 255.255.255.0
#
interface Nve1
 source 3.3.3.3
 vni 1000 head-end peer-list 1.1.1.1
#
interface NULL0
#
ospf 1 router-id 3.3.3.3
 area 0.0.0.0
  network 3.3.3.0 0.0.0.255
  network 20.1.1.0 0.0.0.255
#
ssh authorization-type default aaa
#
user-interface con 0
#
vm-manager
#
return

[CE2]dis ip int brief
*down: administratively down
!down: FIB overload down
^down: standby
(l): loopback
(s): spoofing
(d): Dampening Suppressed
The number of interface that is UP in Physical is 4
The number of interface that is DOWN in Physical is 0
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 1

Interface        IP Address/Mask   Physical   Protocol   VPN
LoopBack0        3.3.3.3/24        up         up(s)      --
MEth0/0/0        unassigned        up         down       --
NULL0            unassigned        up         up(s)      --
Vlanif20         20.1.1.1/24       up         up         --

[CE2]dis ip routing-table
Proto: Protocol        Pre: Preference
Route Flags: R - relay, D - download to fib, T - to vpn-instance, B - black hole route
------------------------------------------------------------------------------
Routing Table : _public_
         Destinations : 12       Routes : 12

Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
1.1.1.1/32          OSPF    10   2      D      20.1.1.2     Vlanif20
3.3.3.0/24          Direct  0    0      D      3.3.3.3      LoopBack0
3.3.3.3/32          Direct  0    0      D      127.0.0.1    LoopBack0
3.3.3.255/32        Direct  0    0      D      127.0.0.1    LoopBack0
10.1.1.0/24         OSPF    10   2      D      20.1.1.2     Vlanif20
20.1.1.0/24         Direct  0    0      D      20.1.1.1     Vlanif20
20.1.1.1/32         Direct  0    0      D      127.0.0.1    Vlanif20
20.1.1.255/32       Direct  0    0      D      127.0.0.1    Vlanif20
127.0.0.0/8         Direct  0    0      D      127.0.0.1    InLoopBack0
127.0.0.1/32        Direct  0    0      D      127.0.0.1    InLoopBack0
127.255.255.255/32  Direct  0    0      D      127.0.0.1    InLoopBack0
255.255.255.255/32  Direct  0    0      D      127.0.0.1    InLoopBack0

[ZHONGXIN]dis ip int brief
*down: administratively down
^down: standby
(l): loopback
(s): spoofing
The number of interface that is UP in Physical is 3
The number of interface that is DOWN in Physical is 2
The number of interface that is UP in Protocol is 3
The number of interface that is DOWN in Protocol is 2

Interface        IP Address/Mask   Physical   Protocol
MEth0/0/1        unassigned        down       down
NULL0            unassigned        up         up(s)
Vlanif1          unassigned        down       down
Vlanif10         10.1.1.2/24       up         up
Vlanif20         20.1.1.2/24       up         up

[ZHONGXIN]dis ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 8        Routes : 8

Destination/Mask    Proto   Pre  Cost   Flags  NextHop      Interface
1.1.1.1/32          OSPF    10   1      D      10.1.1.1     Vlanif10
3.3.3.3/32          OSPF    10   1      D      20.1.1.1     Vlanif20
10.1.1.0/24         Direct  0    0      D      10.1.1.2     Vlanif10
10.1.1.2/32         Direct  0    0      D      127.0.0.1    Vlanif10
20.1.1.0/24         Direct  0    0      D      20.1.1.2     Vlanif20
20.1.1.2/32         Direct  0    0      D      127.0.0.1    Vlanif20
127.0.0.0/8         Direct  0    0      D      127.0.0.1    InLoopBack0
127.0.0.1/32        Direct  0    0      D      127.0.0.1    InLoopBack0

[ZHONGXIN]dis current-configuration
#
 sysname ZHONGXIN
#
vlan batch 10 20
#
cluster enable
ntdp enable
ndp enable
#
drop illegal-mac alarm
#
diffserv domain default
#
drop-profile default
#
aaa
 authentication-scheme default
 authorization-scheme default
 accounting-scheme default
 domain default
 domain default_admin
 local-user admin password simple admin
 local-user admin service-type http
#
Feb 21 2022 00:48:22-08:00 ZHONGXIN DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25.191.3.1 configurations have been changed. The current change number is 1, the change loop count is 0, and the maximum number of records is 4095.
interface Vlanif1
#
interface Vlanif10
 ip address 10.1.1.2 255.255.255.0
#
interface Vlanif20
 ip address 20.1.1.2 255.255.255.0
#
interface MEth0/0/1
#
interface GigabitEthernet0/0/1
 port link-type access
 port default vlan 10
#
interface GigabitEthernet0/0/2
 port link-type access
 port default vlan 20
#
interface GigabitEthernet0/0/3
#
interface GigabitEthernet0/0/4
#
interface GigabitEthernet0/0/5
#
interface GigabitEthernet0/0/6
#
interface GigabitEthernet0/0/7
#
interface GigabitEthernet0/0/8
#
interface GigabitEthernet0/0/9
#
interface GigabitEthernet0/0/10
#
interface GigabitEthernet0/0/11
#
interface GigabitEthernet0/0/12
#
interface GigabitEthernet0/0/13
#
interface GigabitEthernet0/0/14
#
interface GigabitEthernet0/0/15
#
interface GigabitEthernet0/0/16
#
interface GigabitEthernet0/0/17
#
interface GigabitEthernet0/0/18
#
interface GigabitEthernet0/0/19
#
interface GigabitEthernet0/0/20
#
interface GigabitEthernet0/0/21
#
interface GigabitEthernet0/0/22
#
interface GigabitEthernet0/0/23
#
interface GigabitEthernet0/0/24
#
interface NULL0
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
  network 20.1.1.0 0.0.0.255
#
user-interface con 0
user-interface vty 0 4
#
return
The rest is not posted. On the left is VLAN 100 and on the right VLAN 200; the upstream port is a trunk that permits all the PC VLANs. The left and right PCs are on the same IP segment. On the CE devices the MAC addresses of both PCs can be seen. This is the demonstration effect of VXLAN.
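To make concrete what the NVE does with the VNI and BD above, here is an added Python model (not part of the original post and not CE code): it builds the VXLAN header with VNI 1000, decapsulates it, and maps the VNI to the local BD, which is 1000 on CE1 and 2000 on CE2; the inner frame and its MAC addresses are constructed.

```python
import struct

FLAG_VNI_VALID = 0x08  # VXLAN "I" flag: the VNI field carries a valid VNI

# Constructed sample inner frame (not captured from the lab): broadcast dst MAC,
# a made-up src MAC, EtherType 0x0806 (ARP) and a dummy 28-byte ARP body.
INNER_FRAME = (bytes.fromhex("ffffffffffff") + bytes.fromhex("5489981a2b3c")
               + b"\x08\x06" + b"\x00" * 28)


def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Prepend the 8-byte VXLAN header (RFC 7348) that the NVE adds before the
    UDP/IP underlay: flags(8) | reserved(24) | VNI(24) | reserved(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!II", FLAG_VNI_VALID << 24, vni << 8) + inner_frame


def vxlan_decap(payload: bytes) -> tuple:
    """Return (vni, inner_frame); reject a header whose I flag is clear."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    word0, word1 = struct.unpack("!II", payload[:8])
    if not (word0 >> 24) & FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set: VNI is not valid")
    return word1 >> 8, payload[8:]  # reserved bits are ignored on receipt


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def nve_receive(payload: bytes, vni_to_bd: dict):
    """Model the receiving NVE: map the VNI to the local BD and learn the inner
    source MAC. Returns (bd, src_mac, dst_mac), or None when the VNI is not
    mapped locally, so a stray VNI can never be bridged into another BD."""
    vni, frame = vxlan_decap(payload)
    bd = vni_to_bd.get(vni)
    if bd is None or len(frame) < 14:
        return None
    return bd, mac_str(frame[6:12]), mac_str(frame[0:6])


if __name__ == "__main__":
    # In the lab CE1 maps VNI 1000 to BD 1000 and CE2 maps it to BD 2000.
    pkt = vxlan_encap(1000, INNER_FRAME)
    print(nve_receive(pkt, {1000: 2000}))                             # BD 2000
    print(nve_receive(vxlan_encap(5000, INNER_FRAME), {1000: 2000}))  # None
```

The same VNI lands in a different BD number on each CE, which is exactly why the two ends can use BD 1000 and BD 2000 and still bridge the same segment.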
SPAN port mirroring (called an analyzer in the official documentation)
SPAN is short for Switched Port Analyzer.
This is for local packet capture and is also the most commonly used.
RSPAN is for the remote case.
The R stands for Remote (applicable to a layer-2 environment).
It is carried over a VLAN.
ERSPAN
Encapsulated Remote SPAN can work across a layer-3 environment.
For now it is only available on Cisco 6500 series and above, or N7K/N9K.
However, mirroring consumes a lot of memory; a low-performance device may go down.
Operation method
Cisco
This is commonly used, especially in the security field, so both Cisco and Huawei are demonstrated.
Create a mirror group.
First of all, this device has low performance and can only start two mirror groups.
Generally there are 4, set by the vendor according to the device's performance.
The most I have seen so far is support for 8 mirror groups.
This is just a group.
The direction keyword rx mirrors one direction only, while both mirrors up and down.
If you do not write it, the switch applies its default.
Manually specify the source and destination, and you're done.
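The steps above as actual commands, added here as an example rather than taken from the post's screenshots: a local SPAN session on Cisco IOS and the equivalent observe port on a Huawei S-series switch (VRP). The interface names are assumed; replace them with the source port you want to watch and the port your capture host is plugged into.

```text
! Cisco IOS: mirror group (session) 1, both directions of Gi0/1 copied to Gi0/2
monitor session 1 source interface GigabitEthernet0/1 both
monitor session 1 destination interface GigabitEthernet0/2
! verify the session and its direction
show monitor session 1

# Huawei VRP: observe port first, then bind the source port to it
observe-port 1 interface GigabitEthernet0/0/2
interface GigabitEthernet0/0/1
 port-mirroring to observe-port 1 both
quit
display port-mirroring
```

Keep the destination (observe) port dedicated to the capture host: anything plugged in there sees every mirrored frame, so it should be treated with the same care as the traffic it copies.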
Now let's verify (the environment does not matter; everything corresponds).
telnet
Wireshark
From the packet capture you can see that the telnet packets went through.
Capture:
The first line, Frame, gives the byte count of the captured data, which came in on the interface0 interface.
Second, the layer-2 protocol: source MAC and destination MAC.
Third, layer 3, IPv4: source address 10.1.1.2, destination 10.1.1.1.
Fourth, layer 4, TCP: you can see source port 23, the destination port, length, ACK.
But the most important part is the section below; the data is in the content.
The password is huawei; it is in one of these packets.
When you capture packets you can see everything; just read it. This is also the bad part: telnet is in clear text.
Nowadays traffic is basically ciphertext, so capturing it is useless.
The RSPAN configuration is only shown, not demonstrated.
In fact it is very troublesome, because it requires every device along the path to carry the same remote VLAN. Troublesome aside, it is also wasteful.
ERSPAN cannot be demonstrated here.
The hardware requirements are very high and I do not have that image, so I can only give the configuration, which is generally not used. These high-end devices are generally found in data centers and IDCs.
Note: this is only a configuration template; modify it yourself, on the premise that the underlay is established and interworking.
By the way, some will feel the technology here belongs to NA, some to NP, and some to IE. That is just personal feeling.