Configuring Cisco IOS Traffic Export

Traffic Export (Router IP Traffic Export, RITE, hence the conf-rite prompt) copies packets that pass through a monitored interface and sends the copies out another interface to a destination MAC address you specify. Think of it as the router equivalent of SPAN. Two things to keep in mind: the copies go out unencrypted to whatever host answers to that MAC on the export segment, so that segment must be treated as a monitoring network, and in the author's testing the feature drives CPU utilisation up sharply, so it is not recommended in production.


Command summary

The commands that matter in this scenario are:

Router(config)# ip traffic-export profile <profile>
Router(conf-rite)# interface <interface>
Router(conf-rite)# mac-address <mac-address>
Router(conf-rite)# bidirectional
Router(conf-rite)# incoming [ access-list <acl> | sample one-in-every <num> ]
Router(conf-rite)# outgoing [ access-list <acl> | sample one-in-every <num> ]

Router(config)# interface <interface>
Router(config-if)# ip traffic-export apply <profile>

Topology

The following topology is used for the tests. R1 e0/0 is connected to the host OS's Loopback Adapter (192.168.1.101), where Wireshark runs.

                      +--------+
                      | HostOS |
                      +---+----+
                      .101│Lo
                          │
                        .1│e0/0
    +--------+        +---+----+        +--------+
    |   R2   +--------+   R1   +--------+   R3  | 
    +--------+.2    .1+--------+.1    .3+--------+
            e0/1    e0/1      e0/2    e0/2
          192.168.12.0/24   192.168.13.0/24

    Loopback 0        Loopback 0        Loopback 0
    10.1.1.1/32       10.2.2.2/32       10.3.3.3/32

 [R1]
router rip
 version 2
 timers basic 10 60 60 80
 network 10.0.0.0
 network 192.168.12.0
 network 192.168.13.0
 no auto-summary
!
line vty 0 4
 password cisco
 login

 [R2]
router rip
 version 2
 timers basic 10 60 60 80
 network 10.0.0.0
 network 192.168.12.0
 no auto-summary
!
line vty 0 4
 password cisco
 login

 [R3]
router rip
 version 2
 timers basic 10 60 60 80
 network 10.0.0.0
 network 192.168.13.0
 no auto-summary
!
line vty 0 4
 password cisco
 login

The full configurations of the three routers follow; refer to them for the details.

R1
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R1
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.1.1.1 255.255.255.255
 ip rip advertise 10
!
interface Ethernet0/0
 ip address 192.168.1.1 255.255.255.0
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.12.1 255.255.255.0
 ip rip advertise 10
 half-duplex
!
interface Ethernet0/2
 ip address 192.168.13.1 255.255.255.0
 ip rip advertise 10
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router rip
 version 2
 timers basic 10 60 60 80
 network 10.0.0.0
 network 192.168.12.0
 network 192.168.13.0
 no auto-summary
!
ip http server
ip forward-protocol nd
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end
R2
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R2
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.2.2.2 255.255.255.255
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/1
 ip address 192.168.12.2 255.255.255.0
 half-duplex
!
interface Ethernet0/2
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router rip
 version 2
 network 10.0.0.0
 network 192.168.12.0
 no auto-summary
!
ip http server
ip forward-protocol nd
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end
R3
!
version 12.4
service timestamps debug datetime msec
service timestamps log datetime msec
no service password-encryption
!
hostname R3
!
boot-start-marker
boot-end-marker
!
enable password cisco
!
no aaa new-model
memory-size iomem 5
!
!
ip cef
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
!
interface Loopback0
 ip address 10.3.3.3 255.255.255.255
!
interface Ethernet0/0
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/1
 no ip address
 shutdown
 half-duplex
!
interface Ethernet0/2
 ip address 192.168.13.3 255.255.255.0
 half-duplex
!
interface Ethernet0/3
 no ip address
 shutdown
 half-duplex
!
!
router rip
 version 2
 timers basic 10 60 60 80
 network 10.0.0.0
 network 192.168.13.0
 no auto-summary
!
ip http server
ip forward-protocol nd
!
!
!
!
!
!
control-plane
!
!
!
!
mgcp behavior g729-variants static-pt
!
!
!
!
!
line con 0
line aux 0
line vty 0 4
 password cisco
 login
!
!
end

Feature description

Required settings

To use Traffic Export, define a <profile> as follows. The minimum a profile needs is the interface out of which the copied packets are sent and the destination MAC address written into the copies.

Router(config)# ip traffic-export profile <profile>
Router(conf-rite)# interface <interface>
Router(conf-rite)# mac-address <mac-address>

The following command selects which interface the <profile> is applied to; packets passing through that interface are the ones copied. Note that these are two different interfaces: the one named inside the profile is where the copies leave the router, the one the profile is applied to is what is monitored (in the tests below the profile is applied to e0/2 and exports out of e0/0).

Router(config)# interface <interface>
Router(config-if)# ip traffic-export apply <profile>

Specifying the direction

You can choose between collecting the inbound direction only or both inbound and outbound. Without an explicit setting, only the inbound direction appears to be collected.

Router(conf-rite)# bidirectional

Filtering packets

The packets collected can be narrowed down in two ways: with an ACL or by sampling.

Router(conf-rite)# incoming [ access-list <acl> | sample one-in-every <num> ]
Router(conf-rite)# outgoing [ access-list <acl> | sample one-in-every <num> ]
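The profile/apply split above is also what a defender audits for: an applied RITE profile is a packet mirror, and one you did not configure yourself is a wiretap. The following Python script is an added example, not code from the original article or from Cisco. It parses an IOS running-config for traffic-export profiles and the interfaces that apply them, then flags applied profiles that are incomplete, that export to a multicast or broadcast MAC (every host on the export segment would receive the copies), or that mirror with neither an ACL nor sampling. The embedded config is constructed from this article's R1 TELNET profile plus a hypothetical ROGUE profile; the class and function names are my own.

```python
"""Audit an IOS running-config for Router IP Traffic Export (RITE) profiles.
Added example for this article (not Cisco code); names are my own. An applied
profile is a mirror: whoever owns the destination MAC gets cleartext copies."""
from __future__ import annotations
import re
from dataclasses import dataclass, field

@dataclass
class ExportProfile:
    name: str
    export_interface: str | None = None
    mac_address: str | None = None
    bidirectional: bool = False
    incoming: str | None = None   # "access-list NAME" or "sample one-in-every N"
    outgoing: str | None = None
    applied_to: list[str] = field(default_factory=list)

def _norm_if(text: str) -> str:
    """'Ethernet 0/2' (as typed) and 'Ethernet0/2' (as shown) are the same interface."""
    return "".join(text.split())

def parse_traffic_export(config: str) -> dict[str, ExportProfile]:
    """Collect every 'ip traffic-export profile' block and the interfaces applying one."""
    profiles: dict[str, ExportProfile] = {}
    profile = interface = None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        line = raw.strip()
        if not raw.startswith(" "):                   # top-level command: new block
            profile = interface = None
            if m := re.match(r"ip traffic-export profile (\S+)$", line):
                profile = profiles.setdefault(m.group(1), ExportProfile(m.group(1)))
            elif m := re.match(r"interface (.+)$", line):
                interface = _norm_if(m.group(1))
        elif profile is not None:                     # inside conf-rite mode
            if m := re.match(r"interface (.+)$", line):
                profile.export_interface = _norm_if(m.group(1))
            elif m := re.match(r"mac-address (\S+)$", line):
                profile.mac_address = m.group(1).lower()
            elif line == "bidirectional":
                profile.bidirectional = True
            elif m := re.match(r"(incoming|outgoing) (.+)$", line):
                setattr(profile, m.group(1), m.group(2))
        elif interface is not None:                   # inside config-if mode
            if m := re.match(r"(no )?ip traffic-export apply (\S+)$", line):
                target = profiles.setdefault(m.group(2), ExportProfile(m.group(2)))
                if m.group(1) and interface in target.applied_to:
                    target.applied_to.remove(interface)
                elif not m.group(1) and interface not in target.applied_to:
                    target.applied_to.append(interface)
    return profiles

def is_unicast(mac: str) -> bool:
    """Ethernet I/G bit: an odd first octet means a multicast/broadcast address."""
    first_octet = int(re.sub(r"[^0-9a-f]", "", mac.lower())[:2], 16)
    return first_octet & 1 == 0

def audit(profiles: dict[str, ExportProfile]) -> list[str]:
    """Findings for profiles that are actually applied; an idle profile copies nothing."""
    findings = []
    for p in profiles.values():
        if not p.applied_to:
            continue
        where = ",".join(p.applied_to)
        if p.export_interface is None or p.mac_address is None:
            findings.append(f"{p.name}: applied on {where} but has no export interface or mac-address")
            continue
        if not is_unicast(p.mac_address):
            findings.append(f"{p.name}: destination {p.mac_address} is a group address; "
                            f"every host on {p.export_interface} receives the copies")
        if p.incoming is None and p.outgoing is None:
            direction = "both directions" if p.bidirectional else "inbound"
            findings.append(f"{p.name}: unfiltered mirror of {where} ({direction}) "
                            f"to {p.mac_address} via {p.export_interface}")
    return findings

# Constructed input: this article's TELNET profile plus a hypothetical ROGUE profile.
SAMPLE_CONFIG = """\
ip traffic-export profile TELNET
 interface Ethernet 0/0
 mac-address 0200.4c4f.4f50
 bidirectional
 incoming access-list ACL_TELNET
 outgoing access-list ACL_TELNET
!
ip traffic-export profile ROGUE
 interface Ethernet0/0
 mac-address ffff.ffff.ffff
 bidirectional
!
interface Ethernet0/1
 ip traffic-export apply ROGUE
!
interface Ethernet0/2
 ip traffic-export apply ALL_BIDIRECTION
 no ip traffic-export apply ALL_BIDIRECTION
 ip traffic-export apply TELNET
"""

if __name__ == "__main__":
    for finding in audit(parse_traffic_export(SAMPLE_CONFIG)):
        print(finding)
```

Run it against `show running-config` output saved to a file; the TELNET profile produces no finding because it is unicast and ACL-filtered, while the ROGUE profile is reported twice (broadcast destination, no filter). The "no ip traffic-export apply" handling exists only so that configs pasted from a terminal session, like the ones in this article, are read the way the router ended up.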

Capture everything, inbound only

Configuration

Apply a configuration that mirrors packets entering R1 e0/2 (the R3 side) out of e0/0 to the Loopback Adapter. The profile names the export interface (e0/0) and the destination MAC; the apply command on e0/2 selects the interface to monitor. Change the mac-address to the MAC of your capture host's adapter.

 [R1]
ip traffic-export profile ALL_UNIDIRECTION
 interface Ethernet 0/0
 mac-address 0200.4c4f.4f50
 exit
!
interface Ethernet 0/2
 ip traffic-export apply ALL_UNIDIRECTION

Verification

With Wireshark running on the host OS, send the following ping.

 [R3]
R3#ping 10.2.2.2 source 10.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/56/72 ms
R3#

The ping is indeed being exported. Because only the inbound direction is captured, only echo requests appear and no echo replies. The RIPv2 Responses from 192.168.13.3 show up for the same reason: they also enter e0/2. The LOOP frames (sent by R1 e0/0 itself; the same MAC cc:00:12:94:00:00 appears later as the CDP Device ID R1, Port ID Ethernet0/0) and the Dropbox broadcasts from the host are native traffic on the capture segment, not exported copies.

No.     Time        Source                Destination           Protocol Length Info
      1 0.000000    192.168.1.101         192.168.1.255         DB-LSP-DISC 165    Dropbox LAN sync Discovery Protocol
      2 2.374978    cc:00:12:94:00:00     cc:00:12:94:00:00     LOOP     60     Reply
      3 4.374391    192.168.13.3          224.0.0.9             RIPv2    66     Response
      4 12.376809   cc:00:12:94:00:00     cc:00:12:94:00:00     LOOP     60     Reply
      5 14.283873   192.168.13.3          224.0.0.9             RIPv2    66     Response
      6 18.950719   10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0000, seq=0/0, ttl=254
      7 19.004025   10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0000, seq=1/256, ttl=254
      8 19.044092   10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0000, seq=2/512, ttl=254
      9 19.084074   10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0000, seq=3/768, ttl=254
     10 19.144598   10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0000, seq=4/1024, ttl=254
     11 22.363784   cc:00:12:94:00:00     cc:00:12:94:00:00     LOOP     60     Reply
     12 23.103708   192.168.13.3          224.0.0.9             RIPv2    66     Response
     13 30.044118   192.168.1.101         192.168.1.255         DB-LSP-DISC 165    Dropbox LAN sync Discovery Protocol
     14 32.354455   cc:00:12:94:00:00     cc:00:12:94:00:00     LOOP     60     Reply
     15 32.503403   192.168.13.3          224.0.0.9             RIPv2    66     Response
     16 41.003169   192.168.13.3          224.0.0.9             RIPv2    66     Response
     17 42.383401   cc:00:12:94:00:00     cc:00:12:94:00:00     LOOP     60     Reply

Capture everything, both directions

Configuration

Apply a configuration that mirrors both directions of R1 e0/2 to the Loopback Adapter. Remove the previous profile from e0/2 first so that only the new one is active.

 [R1]
ip traffic-export profile ALL_BIDIRECTION
 interface Ethernet 0/0
 mac-address 0200.4c4f.4f50
 bidirectional
 exit
!
interface Ethernet 0/2
 no ip traffic-export apply ALL_UNIDIRECTION
 ip traffic-export apply ALL_BIDIRECTION

Verification

With Wireshark running on the host OS, send the following ping.

 [R3]
R3#ping 10.2.2.2 source 10.3.3.3

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 40/56/72 ms
R3#

Unlike the previous result, both directions are captured, so both echo requests and echo replies are seen.

No.     Time        Source                Destination           Protocol Length Info
      1 0.000000    fe80::59a1:3dc7:472a:736f ff02::1:2             DHCPv6   150    Solicit XID: 0xe43fcf CID: 0001000116cd91606480994c3800 
      2 1.640932    192.168.13.3          224.0.0.9             RIPv2    66     Response
      3 2.000287    fe80::59a1:3dc7:472a:736f ff02::1:2             DHCPv6   150    Solicit XID: 0xe43fcf CID: 0001000116cd91606480994c3800 
      4 4.800414    10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0003, seq=0/0, ttl=254
      5 4.850117    10.2.2.2              10.3.3.3              ICMP     114    Echo (ping) reply    id=0x0003, seq=0/0, ttl=254
      6 4.880096    10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0003, seq=1/256, ttl=254
      7 4.909996    10.2.2.2              10.3.3.3              ICMP     114    Echo (ping) reply    id=0x0003, seq=1/256, ttl=254
      8 4.930340    10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0003, seq=2/512, ttl=254
      9 4.950124    10.2.2.2              10.3.3.3              ICMP     114    Echo (ping) reply    id=0x0003, seq=2/512, ttl=254
     10 4.970564    10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0003, seq=3/768, ttl=254
     11 4.990306    10.2.2.2              10.3.3.3              ICMP     114    Echo (ping) reply    id=0x0003, seq=3/768, ttl=254
     12 5.010250    10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0003, seq=4/1024, ttl=254
     13 5.030016    10.2.2.2              10.3.3.3              ICMP     114    Echo (ping) reply    id=0x0003, seq=4/1024, ttl=254
     14 5.999837    fe80::59a1:3dc7:472a:736f ff02::1:2             DHCPv6   150    Solicit XID: 0xe43fcf CID: 0001000116cd91606480994c3800 
     15 6.320658    cc:00:12:94:00:00     cc:00:12:94:00:00     LOOP     60     Reply

Filtering with an ACL

Configuration

Apply a configuration that forwards only telnet to the Loopback Adapter. The ACL is matched separately on the incoming and outgoing side, so both directions of the TCP/23 conversation are listed.

 [R1]
ip access-list extended ACL_TELNET
 10 permit tcp any any eq telnet
 20 permit tcp any eq telnet any
!
ip traffic-export profile TELNET
 interface Ethernet 0/0
 mac-address 0200.4c4f.4f50
 bidirectional
 incoming access-list ACL_TELNET
 outgoing access-list ACL_TELNET
 exit
!
interface Ethernet 0/2
 no ip traffic-export apply ALL_BIDIRECTION
 ip traffic-export apply TELNET

Verification

With Wireshark running on the host OS, generate both ping and telnet traffic.

 [R3]
R3#ping 10.2.2.2 source Loopback 0

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.3.3.3
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 32/57/104 ms
R3#
R3#telnet 10.2.2.2 /source-interface Loopback 0
Trying 10.2.2.2 ... Open


User Access Verification

Password:
R2>

No ping shows up; only the telnet session is exported. Note what the export actually contains: the Telnet Data frames carry the VTY login, including the password cisco typed at the prompt, in cleartext. The mirror is only as safe as the segment it lands on.

No.     Time        Source                Destination           Protocol Length Info
      1 0.000000    cc:00:12:94:00:00     cc:00:12:94:00:00     LOOP     60     Reply
      2 8.545486    192.168.1.101         192.168.1.255         DB-LSP-DISC 165    Dropbox LAN sync Discovery Protocol
      3 8.779151    10.3.3.3              10.2.2.2              TCP      60     13247 > telnet [SYN] Seq=0 Win=4128 Len=0 MSS=536
      4 8.868254    10.2.2.2              10.3.3.3              TCP      60     telnet > 13247 [SYN, ACK] Seq=0 Ack=1 Win=4128 Len=0 MSS=536
      5 8.919208    10.3.3.3              10.2.2.2              TCP      60     13247 > telnet [ACK] Seq=1 Ack=1 Win=4128 Len=0
      6 8.919400    10.3.3.3              10.2.2.2              TELNET   63     Telnet Data ...
      7 8.928401    10.3.3.3              10.2.2.2              TCP      60     [TCP Dup ACK 6#1] 13247 > telnet [ACK] Seq=10 Ack=1 Win=4128 Len=0
      8 8.958629    10.2.2.2              10.3.3.3              TELNET   66     Telnet Data ...
      9 8.958878    10.2.2.2              10.3.3.3              TELNET   96     Telnet Data ...

        <omitted>

     25 10.598379   10.3.3.3              10.2.2.2              TELNET   60     Telnet Data ...
     26 10.648326   10.2.2.2              10.3.3.3              TELNET   60     Telnet Data ...
     27 10.858775   10.3.3.3              10.2.2.2              TCP      60     13247 > telnet [ACK] Seq=32 Ack=72 Win=4057 Len=0

Sampling

Configuration

Apply a configuration that mirrors only a fraction of the packets in both directions of R1 e0/2 to the Loopback Adapter: every second inbound packet and every fifth outbound packet.

 [R1]
ip traffic-export profile SAMPLE
 interface Ethernet 0/0
 mac-address 0200.4c4f.4f50
 bidirectional
 incoming sample one-in-every 2
 outgoing sample one-in-every 5
 exit
!
interface Ethernet 0/2
 no ip traffic-export apply TELNET
 ip traffic-export apply SAMPLE

Verification

With Wireshark running on the host OS, send the following ping ten times.

 [R3]
R3#ping 10.2.2.2 source Loopback 0 repeat 10

Type escape sequence to abort.
Sending 10, 100-byte ICMP Echos to 10.2.2.2, timeout is 2 seconds:
Packet sent with a source address of 10.3.3.3
!!!!!!!!!!
Success rate is 100 percent (10/10), round-trip min/avg/max = 20/47/128 ms
R3#

Echo requests were observed one in two (5 of 10) and echo replies one in five (2 of 10). Sampling counts every packet in that direction, not just the pings, so which replies survive depends on what else left e0/2 in between; here the requests kept were seq 0, 2, 4, 6 and 8, and the replies kept were seq 4 and 9, five packets apart.

No.     Time        Source                Destination           Protocol Length Info
      1 0.000000    10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0004, seq=0/0, ttl=254
      2 0.178170    10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0004, seq=2/512, ttl=254
      3 0.258556    10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0004, seq=4/1024, ttl=254
      4 0.278418    10.2.2.2              10.3.3.3              ICMP     114    Echo (ping) reply    id=0x0004, seq=4/1024, ttl=254
      5 0.330851    10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0004, seq=6/1536, ttl=254
      6 0.390718    10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0004, seq=8/2048, ttl=254
      7 0.438078    10.2.2.2              10.3.3.3              ICMP     114    Echo (ping) reply    id=0x0004, seq=9/2304, ttl=254
      8 0.898785    cc:00:12:94:00:00     cc:00:12:94:00:00     LOOP     60     Reply
      9 2.039554    192.168.13.3          224.0.0.9             RIPv2    66     Response
     10 6.539661    cc:00:12:94:00:00     CDP/VTP/DTP/PAgP/UDLD CDP      335    Device ID: R1  Port ID: Ethernet0/0  
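To check the four verification captures above (inbound only, both directions, ACL-filtered, sampled) mechanically rather than by eye, the following Python script, an added example that is not part of the original article, parses Wireshark's packet-list text in the form pasted here, discards the frames that the host and R1 e0/0 put on the export segment themselves, and tests the property each profile should show: no replies for a unidirectional profile, nothing but TCP/23 for the telnet ACL, and a fixed stride between kept sequence numbers for sampling. The embedded captures are excerpts copied from the listings above; the function names are my own.

```python
"""Check Wireshark packet-list text (the format pasted in this article) against
what each Traffic Export profile should deliver. Added example, not from the
original article; function names are my own."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Columns of Wireshark's "No. Time Source Destination Protocol Length Info" list.
PACKET_RE = re.compile(r"^\s*(\d+)\s+(\d+\.\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*(.*)$")
# Frames R1 e0/0 or the host put on the export segment themselves (keepalives,
# CDP, host broadcasts); they are not exported copies and are ignored.
LOCAL_NOISE = {"LOOP", "CDP", "DB-LSP-DISC", "DHCPv6"}

@dataclass
class Packet:
    no: int
    time: float
    src: str
    dst: str
    proto: str
    length: int
    info: str

def parse_capture(text: str) -> list[Packet]:
    """Header, blank and '<omitted>' lines do not match the pattern and are skipped."""
    packets = []
    for line in text.splitlines():
        if m := PACKET_RE.match(line):
            no, t, src, dst, proto, length, info = m.groups()
            packets.append(Packet(int(no), float(t), src, dst, proto, int(length), info.strip()))
    return packets

def exported(packets: list[Packet]) -> list[Packet]:
    return [p for p in packets if p.proto not in LOCAL_NOISE]

def icmp_counts(packets: list[Packet]) -> tuple[int, int]:
    """(echo requests, echo replies) among the exported copies."""
    icmp = [p for p in exported(packets) if p.proto == "ICMP"]
    return sum("request" in p.info for p in icmp), sum("reply" in p.info for p in icmp)

def direction_ok(packets: list[Packet], bidirectional: bool) -> bool:
    """Without 'bidirectional' only requests may appear; with it both must."""
    req, rep = icmp_counts(packets)
    return req > 0 and (rep > 0 if bidirectional else rep == 0)

def acl_violations(packets: list[Packet], port_word: str = "telnet") -> list[Packet]:
    """Exported copies that a telnet-only ACL profile should never have produced."""
    return [p for p in exported(packets)
            if not (p.proto in ("TCP", "TELNET") and port_word in p.info.lower())]

def sampled_seqs(packets: list[Packet]) -> tuple[list[int], list[int]]:
    """ICMP sequence numbers kept per direction, i.e. which packets sampling chose."""
    req, rep = [], []
    for p in exported(packets):
        if p.proto == "ICMP" and (m := re.search(r"seq=(\d+)/", p.info)):
            (req if "request" in p.info else rep).append(int(m.group(1)))
    return req, rep

def stride_ok(seqs: list[int], n: int) -> bool:
    """one-in-every N keeps every Nth packet of a direction, so the kept sequence
    numbers are N apart as long as no other packet shared the counter."""
    return all(b - a == n for a, b in zip(seqs, seqs[1:]))

# Excerpts copied from the captures above: inbound-only, ACL-filtered, sampled.
UNI_CAPTURE = """\
      3 4.374391    192.168.13.3          224.0.0.9             RIPv2    66     Response
      6 18.950719   10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0000, seq=0/0, ttl=254
      7 19.004025   10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0000, seq=1/256, ttl=254
      8 19.044092   10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0000, seq=2/512, ttl=254
      9 19.084074   10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0000, seq=3/768, ttl=254
     10 19.144598   10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0000, seq=4/1024, ttl=254
     11 22.363784   cc:00:12:94:00:00     cc:00:12:94:00:00     LOOP     60     Reply
"""
ACL_CAPTURE = """\
No.     Time        Source                Destination           Protocol Length Info
      1 0.000000    cc:00:12:94:00:00     cc:00:12:94:00:00     LOOP     60     Reply
      3 8.779151    10.3.3.3              10.2.2.2              TCP      60     13247 > telnet [SYN] Seq=0 Win=4128 Len=0 MSS=536
      4 8.868254    10.2.2.2              10.3.3.3              TCP      60     telnet > 13247 [SYN, ACK] Seq=0 Ack=1 Win=4128 Len=0 MSS=536
      6 8.919400    10.3.3.3              10.2.2.2              TELNET   63     Telnet Data ...
      7 8.928401    10.3.3.3              10.2.2.2              TCP      60     [TCP Dup ACK 6#1] 13247 > telnet [ACK] Seq=10 Ack=1 Win=4128 Len=0
        <omitted>
     27 10.858775   10.3.3.3              10.2.2.2              TCP      60     13247 > telnet [ACK] Seq=32 Ack=72 Win=4057 Len=0
"""
SAMPLE_CAPTURE = """\
      1 0.000000    10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0004, seq=0/0, ttl=254
      2 0.178170    10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0004, seq=2/512, ttl=254
      3 0.258556    10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0004, seq=4/1024, ttl=254
      4 0.278418    10.2.2.2              10.3.3.3              ICMP     114    Echo (ping) reply    id=0x0004, seq=4/1024, ttl=254
      5 0.330851    10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0004, seq=6/1536, ttl=254
      6 0.390718    10.3.3.3              10.2.2.2              ICMP     114    Echo (ping) request  id=0x0004, seq=8/2048, ttl=254
      7 0.438078    10.2.2.2              10.3.3.3              ICMP     114    Echo (ping) reply    id=0x0004, seq=9/2304, ttl=254
      8 0.898785    cc:00:12:94:00:00     cc:00:12:94:00:00     LOOP     60     Reply
      9 2.039554    192.168.13.3          224.0.0.9             RIPv2    66     Response
     10 6.539661    cc:00:12:94:00:00     CDP/VTP/DTP/PAgP/UDLD CDP      335    Device ID: R1  Port ID: Ethernet0/0
"""
```

Paste a capture (File > Export Packet Dissections > As Plain Text in Wireshark, or the text above) into one of the constants and call the checker for the profile you applied: `direction_ok(parse_capture(UNI_CAPTURE), bidirectional=False)` is True, `acl_violations(parse_capture(ACL_CAPTURE))` is empty, and `sampled_seqs(parse_capture(SAMPLE_CAPTURE))` returns the kept sequence numbers ([0, 2, 4, 6, 8] and [4, 9]) whose strides of 2 and 5 match the configured one-in-every values. Running `acl_violations` on the unfiltered capture returns the RIPv2 and ICMP packets, which is exactly what the ACL is there to suppress.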