Network Monitoring Configuration Guide

mirror mirror introduction introduction mirror is a network management technology commonly used for network detection, traffic analysis, and troubleshooting with the mirroring function, traffic at one or more ports on a switch can be copied to the destination port of the mirror and sent out for analysis and monitoring of the traffic on the mirrored port basic concepts basic concepts the switch currently supports two mirroring methods span and erspan span span span refers to a mirroring configuration where the source and destination ports are on the same switch in this configuration, the switch copies the data traffic from the specified source port (mirror source) to another port (destination port) on the same switch and forwards it the source and destination ports of this mirror are both on the same switch, making the configuration relatively simple and not involving device network connections support mirroring traffic from one or more source ports to the destination port erspan erspan erspan refers to a mirroring configuration where the source and destination ports are located on different switches in this configuration, the switch replicates the data traffic from the specified source port to the destination port on the remote switch through a layer three protocol this type of image needs to be forwarded through an ip address, and the configuration is relatively complex remote mirroring needs to be used in conjunction with acl policies mirror v4 acl match field support is as follows table 1 mirror v4 acl match fields table 1 mirror v4 acl match fields true 263,343left #4283c7 unhandled content type left #4283c7 unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type mirror v6 acl match field support is as follows table 2 mirror v6 acl match fields table 2 mirror v6 acl match fields true 303,303left #4283c7 unhandled content type left #4283c7 unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type span span configuration configuration when configuring span, it supports configuring one or more source ports for simultaneous mirroring, but supports configuring one destination port table 3 configure span table 3 configure span true 160,206,240left #4283c7 unhandled content type left #4283c7 unhandled content type left #4283c7 unhandled content type left unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type erspan erspan configuration configuration table 4 configure erspan table 4 configure erspan true 185,189 4020501138952,231 5979498861048left #4283c7 unhandled content type left #4283c7 unhandled content type left #4283c7 unhandled content type left unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type left unhandled content type display and maintenance display and maintenance table 5 display and maintenance table 5 display and maintenance true 236,185,185left #4283c7 unhandled content type left #4283c7 unhandled content type left #4283c7 unhandled content type left unhandled content type left unhandled content type left unhandled content type typical configuration example typical configuration example network requirements a certain pc1, with an ip of 10 0 0 2, passes through a switch and achieves mutual access with pc2, with an ip of 20 0 0 2 now it is necessary to monitor the traffic sent by pc1 to pc2 on the server, and obtain the traffic sent by pc1 without affecting the business topology procedure \#configure interface ip address sonic(config)# interface ethernet 0/60 sonic(config if 0/60)# ip address 60 0 0 1/24 \#configure erspan sonic# configure sonic(config)# mirror session 1 type erspan sonic(config erspan mirror 1)# origin ip address 60 0 0 1 please enter 'commit' to make mirror session command take effect sonic(config erspan mirror 1)# destination ip address 60 0 0 2 please enter 'commit' to make mirror session command take effect sonic(config erspan mirror 1)# ip ttl 40 please enter 'commit' to make mirror session command take effect sonic(config erspan mirror 1)# ip dscp 24 please enter 'commit' to make mirror session command take effect sonic(config erspan mirror 1)# commit \#configure acl policy sonic# configure sonic(config)# access list test1 mirror ingress sonic(config mirror acl test1)# bind interface ethernet 0/0 sonic(config mirror acl test1)# rule 1 source ip 10 0 0 2 action mirror session 1 server sonic# configure sonic(config)# interface ethernet 0/24 sonic(config if 0/24)# ip address 60 0 0 2 configuration verification sonic# show mirror erspan sessions name status src ip dst ip gre dscp ttl queue policer monitor port src port direction \ 1 active 60 0 0 1 60 0 0 2 24 40 0/60 span sessions name status dst port src port direction queue policer \ sonic# show acl rule table rule priority action match \ test1 rule 1 1001 mirror ingress 1 src ip 10 0 0 2 traffic verification pc1 streams to pc2 and receives mirrored traffic on the server, which is the traffic sent by pc1 sflow sflow introduction introduction sflow (sampled flow) is a network traffic monitoring technology based on packet sampling, mainly used for statistical analysis of network traffic basic concepts basic concepts sflow system sflow system the sflow system consists of several sflow agents (embedded in forwarding device such as switch or router) and a core sflow collector, as shown in figure below sflow agents use specific sampling techniques to obtain statistics and packet information about the interface the sflow packets are encapsulated in udp packets and sent to the designated sflow collector for analysis by the collector when the buffer holding the sflow packets is full or when the sflow packet delivery timer (timer interval is fixed at 1 second) times out, helping network administrators to manage the network traffic of entire site (usually an enterprise site) more effectively by generating flow views or reports to display the results sflow sample sflow sample sflow agent provides two sampling methods for users to analyze network traffic conditions from different perspectives, namely flow sampling and counter sampling flow sample is used by the sflow agent device to sample and analyze packets on a specified interface according to a specific sampling direction and sampling ratio, and is used to obtain information about the data content of the packets this sampling method focuses on the details of the flow so that it can monitor and analyze popular behavior on the network counter sampling is the sflow agent device that periodically obtains traffic statistics on interfaces in contrast to flow sampling, counter sampling focuses only on the number of flows on interfaces and not on the details of the flows default sflow configuration default sflow configuration the default configuration of sflow is shown in the table below table 6 sflow default configuration table 6 sflow default configuration true 167,439left #4283c7 unhandled content type left #4283c7 unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type sflow configuration sflow configuration table 7 overview of sflow configuration tasks table 7 overview of sflow configuration tasks true 220,220,221 left #4283c7 2 1 unhandled content type left #4283c7 unhandled content type left 2 1 unhandled content type left 1 1 unhandled content type left #d8e5f5 2 1 unhandled content type left #d8e5f5 1 1 unhandled content type left 2 1 unhandled content type left 1 1 unhandled content type enable sflow enable sflow table 8 enable sflow table 8 enable sflow true 263,171 5,171 5left #4283c7 unhandled content type left #4283c7 unhandled content type left #4283c7 unhandled content type left unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type note when sflow is enabled, the interface sflow is all enabled by default configure the sflow collector configure the sflow collector sflow needs to be enabled before configuration the source interface and source ip of sflow collector cannot be configured at the same time table 9 configure the sflow collector table 9 configure the sflow collector true 156,200,250left #4283c7 unhandled content type left #4283c7 unhandled content type left #4283c7 unhandled content type left unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type configure sflow for interface configure sflow for interface table 10 interface sflow configuration table 10 interface sflow configuration true 156,156,294left #4283c7 unhandled content type left #4283c7 unhandled content type left #4283c7 unhandled content type left unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type display and maintenance display and maintenance table 10 sflow display and maintenance table 10 sflow display and maintenance true 254,213 05263157894737,138 94736842105263left #4283c7 unhandled content type left #4283c7 unhandled content type left #4283c7 unhandled content type left unhandled content type left unhandled content type left unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type left #d8e5f5 unhandled content type typical configuration example typical configuration example configure the sflow collector configure the sflow collector network requirements tc1 and tc2 communicate via switch management and maintenance personnel require viewing traffic information, forwarding status on interface 0/0, and the overall operational status of the device this enables timely detection of abnormal traffic, thereby ensuring normal and stable network operation topology procedure \#configure the interface ip dut sonic# config terminal sonic(config)# interface ethernet 0/0 sonic(config if 0/0)# ip address 10 0 0 2/24 server sonic# config terminal sonic(config)# interface ethernet 0/0 sonic(config if 0/0)# ip address 10 0 0 3/24 \#configure sflow collector on switch sonic# config terminal sonic(config)# sflow enable sonic(config)# sflow collector 1 10 0 0 3 6345 \#configure the polling interval (optional) sonic# config terminal sonic(config)# sflow polling interval 30 \#configure the sampling rate (optional) sonic# config terminal sonic(config)# interface ethernet 0/0 sonic(config if 0/0)# sflow sample rate 80000 verify the configuration \#configuration verification sonic(config)# show sflow sflow global information sflow admin state up sflow polling interval default sflow agentid default 1 collectors configured name 1 ip addr 10 0 0 3 udp port 6345 sonic# show sflow interface ethernet 0/0 + + + + \| interface | admin state | sampling rate | +=============+===============+=================+ \| 0/0 | up | 80000 | + + + + \#flow verification tc1 streams to tc2 at wire speed, capturing packets on the corresponding interface of server server can receive sflow packets with destination port 6345