IP Traffic Export - Computer Resources

Computer Resources  Date: 2019-01-01

    Traffic Export

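    Raw IP Traffic Export is a lightweight Cisco IOS software feature that exports IP packets arriving at or leaving a network device to an external device. It uses a designated LAN interface to export the captured IP packets. The goal is to deliver the raw IP packets, in unmodified form, to a designated device such as a packet analyzer or an IDS.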

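    Raw IP Traffic Export provides the following:

    1. Filtering (using an ACL), so that only traffic of interest is exported.

    2. A sampling option that reduces the volume of exported traffic.

    3. The Ethernet port that performs the export is specified using the MAC, 802.1q, or Inter-Switch Link (ISL) address associated with the destination host, rather than an IP address.

    4. Syslog messages are generated when the feature is activated or deactivated.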

    Configuration


    ! Define the export profile: export interface and destination MAC of the analyzer

    Router(config)# ip traffic-export profile CCIE

    Router(conf-rite)# interface FastEthernet0/0

    Router(conf-rite)# bidirectional

    Router(conf-rite)# mac-address 0200.4C4F.4F50

    ! Apply the profile to the monitored interface

    Router(config)# interface FastEthernet0/1

    Router(config-if)# ip address 192.168.1.1 255.255.255.0

    Router(config-if)# ip traffic-export apply CCIE

    Verify the configuration

    Router# show ip traffic-export

    Router IP Traffic Export Parameters

    Monitored Interface      FastEthernet0/1

    Export Interface        FastEthernet0/0

    Destination MAC address 0200.4c4f.4f50

    bi-directional traffic export is on

    Output IP Traffic Export Information  Packets/Bytes Exported  0/0

    Packets Dropped     0

    Sampling Rate      one-in-every 1 packets

    No Access List configured

    Input IP Traffic Export Information  Packets/Bytes Exported  14/1400

    Packets Dropped     0

    Sampling Rate      one-in-every 1 packets

    No Access List configured

    Profile CCIE is Active

    Traffic captured on the sniffer device

    Frame 417: 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface 0

    Ethernet II, Src: 02:00:4c:4f:4f:50 (02:00:4c:4f:4f:50), Dst: 02:00:4c:4f:4f:50 (02:00:4c:4f:4f:50)

    Destination: 02:00:4c:4f:4f:50 (02:00:4c:4f:4f:50)

    Source: 02:00:4c:4f:4f:50 (02:00:4c:4f:4f:50)

    Type: IP (0x0800)

    Internet Protocol Version 4, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.1 (192.168.1.1)

    Version: 4

    Header Length: 20 bytes

    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

    Total Length: 100

    Identification: 0x0011 (17)

    Flags: 0x00

    Fragment offset: 0

    Time to live: 254

    Protocol: ICMP (1)

    Header checksum: 0x392c [correct]

    Source: 192.168.1.10 (192.168.1.10)

    Destination: 192.168.1.1 (192.168.1.1)

    [Source GeoIP: Unknown]

    [Destination GeoIP: Unknown]

    Internet Control Message Protocol

    Type: 8 (Echo (ping) request)

    Code: 0

    Checksum: 0xeefd [correct]

    Identifier (BE): 5 (0x0005)

    Identifier (LE): 1280 (0x0500)

    Sequence number (BE): 0 (0x0000)

    Sequence number (LE): 0 (0x0000)

    Data (72 bytes)

    Filtering traffic with an ACL

    ! Extended ACL that matches Telnet traffic only

    Router(config)# ip access-list extended telnet

    Router(config-ext-nacl)# permit tcp any any eq telnet

    ! Attach the ACL to the incoming direction of the export profile

    Router(config)# ip traffic-export profile CCIE

    Router(conf-rite)# interface FastEthernet0/0

    Router(conf-rite)# incoming access-list telnet

    Router(conf-rite)# mac-address 0200.4C4F.4F50

    Router(config)# interface FastEthernet0/1

    Router(config-if)# ip address 192.168.1.1 255.255.255.0

    Router(config-if)# ip traffic-export apply CCIE

    Verify the configuration

    Router# show ip traffic-export

    Router IP Traffic Export Parameters

    Monitored Interface      FastEthernet0/1

    Export Interface        FastEthernet0/0

    Destination MAC address 0200.4c4f.4f50

    bi-directional traffic export is on

    Output IP Traffic Export Information  Packets/Bytes Exported  0/0

    Packets Dropped     0

    Sampling Rate      one-in-every 1 packets

    No Access List configured

    Input IP Traffic Export Information  Packets/Bytes Exported  45/1865

    Packets Dropped     115

    Sampling Rate      one-in-every 1 packets

    Access List    telnet [named extended IP]

    Profile CCIE is Active
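
    The following is an added example, not part of the original article and not Cisco code: a small Python parser for the show ip traffic-export output above, so a monitoring script can confirm that the profile feeding the sniffer or IDS is active and see what each direction filters, samples and drops. The names parse_rite and audit and the wording of the notes are assumptions of this example; the sample text is the ACL example's output from this page.

```python
import re

# `show ip traffic-export` output from the ACL example above, spacing normalised.
SAMPLE = """\
Router IP Traffic Export Parameters
Monitored Interface      FastEthernet0/1
Export Interface         FastEthernet0/0
Destination MAC address 0200.4c4f.4f50
bi-directional traffic export is on
Output IP Traffic Export Information  Packets/Bytes Exported  0/0
Packets Dropped     0
Sampling Rate      one-in-every 1 packets
No Access List configured
Input IP Traffic Export Information  Packets/Bytes Exported  45/1865
Packets Dropped     115
Sampling Rate      one-in-every 1 packets
Access List    telnet [named extended IP]
Profile CCIE is Active
"""

DIR_RE = re.compile(r"(Input|Output) IP Traffic Export.*?Exported\s+(\d+)/(\d+)")

def parse_rite(text):
    """Parse the output into per-direction counters, filter and sampling rate."""
    prof, cur = {"active": False, "dirs": {}}, {}
    for line in map(str.strip, text.splitlines()):
        if m := DIR_RE.match(line):
            cur = prof["dirs"][m[1].lower()] = {
                "packets": int(m[2]), "bytes": int(m[3]), "acl": None}
        elif m := re.match(r"Packets Dropped\s+(\d+)", line):
            cur["dropped"] = int(m[1])
        elif m := re.match(r"Sampling Rate\s+one-in-every (\d+) packets", line):
            cur["sample"] = int(m[1])
        elif m := re.match(r"Access\s*List\s+(\S+)", line):
            cur["acl"] = m[1]  # "No Access List configured" does not match
        elif m := re.match(r"Profile (\S+) is (\w+)", line):
            prof["profile"], prof["active"] = m[1], m[2] == "Active"
    return prof

def audit(prof):  # hypothetical checks for a profile feeding an IDS or analyzer
    notes = [] if prof["active"] else ["profile is not Active"]
    for name, d in prof["dirs"].items():
        if d.get("sample", 1) > 1:
            notes.append(f"{name}: sampled one-in-every {d['sample']} packets")
        if d["acl"] is None:
            notes.append(f"{name}: no ACL filter configured")
        if d.get("dropped"):
            notes.append(f"{name}: {d['dropped']} packets dropped vs {d['packets']} exported")
    return notes
```

    Calling audit(parse_rite(SAMPLE)) reports the unfiltered output direction and the input direction's dropped counter; the parser also accepts the unspaced form of the headings as they appear in raw copies of the output.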

    http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/ht_rawip.html
