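So we have a strange setup here. Where I work, we have two Nexus 9k switches running our core network - named A and B - which have SPAN ports sending traffic to a Catalyst 2960-X, which in turn relays it to another system for traffic monitoring (which unfortunately has only one NIC).
Originally, we used an intermediate VLAN in the Catalyst switch, VLAN 1000, to try to pass the traffic in a way that could be properly detected and handed to the traffic monitoring system, so that ports 46, 46 and 47 all had: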
switchport mode access
switchport access vlan 1000
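...and this worked. However, after moving to a new datacenter, keeping the port connections the same, this no longer works.
We also tried making this a Catalyst local SPAN port, as shown, after unconfiguring switchport access mode to go straight to SPAN behavior:
Neither the VLAN/access port approach nor the SPAN approach seems to pass traffic to the monitoring system. The interface statistics from show int gig 1/0/45 or show int gig 1/0/46 on the Catalyst show traffic increasing and the received packet count continually rising. However, this is no longer relayed via SPAN in the Catalyst to port 48 - its counters show zero packet activity, and the downstream traffic monitoring system sees no traffic coming through that port.
Does anyone know how we can get this working again? The traffic monitoring system is a proprietary appliance with only one uplink port, so unfortunately we can't add an extra NIC into the equation to pump traffic from each switch directly to the traffic monitor over separate NICs...
Catalyst SPAN configuration: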
monitor session 1 source int gig 1/0/45 both
monitor session 1 source int gig 1/0/46 both
monitor session 1 dest int gig 1/0/48
Nexus local SPAN configuration (identical on both; note that this is NOT an RSPAN setup):
monitor session 1
source vlan 20-21,121,150,160,270,300,400,500 both
destination interface Ethernet1/15
no shut
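Note that we can confirm, based on the "receive" rates on Catalyst ports 45 and 46, that traffic is coming from the NEXUS and arriving at ports 45 and 46 on the Catalyst; it just isn't passing the traffic from those two ports to SPAN port 48 on the Catalyst.
Also note that VLAN 1000 does not exist anywhere else on the network and is not in use at this time; the switchport access configuration was removed in order to try standard SPAN, though neither mechanism works. (VLAN 1000 was used as a pure switch-internal VLAN to try to trick the system into passing the untagged packets from the Nexuses to the port where the monitoring system sits.)
Requested output of show monitor session 1 detail on the Catalyst: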
#show monitor session 1 detail
Session 1
---------
Type : Local Session
Description : -
Source Ports :
RX Only : None
TX Only : None
Both : Gi1/0/45-46
Source VLANs :
RX Only : None
TX Only : None
Both : None
Source RSPAN VLAN : None
Destination Ports : Gi1/0/48
Encapsulation : Native
Ingress : Disabled
Filter VLANs : None
Dest RSPAN VLAN : None
Current running Catalyst 2960-X configuration, show run (partially sanitized to hide sensitive info):
Current configuration : 8036 bytes
!
! Last configuration change at 17:13:19 UTC Thu Apr 4 2019 by admin
! NVRAM config last updated at 16:20:59 UTC Mon Apr 1 2019 by admin
!
version 15.2
no service pad
service timestamps debug datetime msec
service timestamps log datetime msec
service password-encryption
!
hostname catalyst
!
boot-start-marker
boot-end-marker
!
!
[username data snipped]
aaa new-model
!
!
aaa authentication login default local
aaa authentication enable default none
aaa authorization commands 15 default local
!
!
!
!
!
!
aaa session-id common
switch 1 provision ws-c2960x-48fps-l
!
!
!
!
!
!
!
!
!
crypto pki trustpoint TP-self-signed-2307906176
enrollment selfsigned
subject-name cn=IOS-Self-Signed-Certificate-2307906176
revocation-check none
rsakeypair TP-self-signed-2307906176
!
!
crypto pki certificate chain TP-self-signed-2307906176
certificate self-signed 01
[SNIP]
quit
spanning-tree mode pvst
spanning-tree extend system-id
!
!
!
!
vlan internal allocation policy ascending
!
!
!
!
!
!
!
!
!
!
!
interface FastEthernet0
no ip address
!
interface GigabitEthernet1/0/1
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/2
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/3
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/4
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/5
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/6
description exagrid mgmt
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/7
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/8
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/9
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/10
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/11
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/12
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/13
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/14
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/15
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/16
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/17
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/18
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/19
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/20
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/21
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/22
description WAN Switch
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/23
description Core 9K A
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/24
description Core 9K B
switchport access vlan 255
switchport mode access
!
interface GigabitEthernet1/0/25
description UPLINK TO MGT NETWORK
switchport trunk allowed vlan 255
switchport mode trunk
!
interface GigabitEthernet1/0/26
switchport access vlan 255
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/27
switchport access vlan 255
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/28
switchport access vlan 255
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/29
switchport access vlan 255
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/30
switchport access vlan 255
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/31
switchport access vlan 255
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/32
switchport access vlan 255
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/33
description esx500 console
switchport access vlan 255
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/34
description esx501 Console
switchport access vlan 255
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/35
description esx502 Console
switchport access vlan 255
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/36
description esx503 Console
switchport access vlan 255
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/37
description esx504 Console
switchport access vlan 255
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/38
switchport access vlan 255
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/39
switchport access vlan 255
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/40
switchport access vlan 255
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/41
switchport access vlan 255
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/42
switchport access vlan 255
switchport mode access
spanning-tree portfast
!
interface GigabitEthernet1/0/43
!
interface GigabitEthernet1/0/44
!
interface GigabitEthernet1/0/45
description Core A Monitor Port
!
interface GigabitEthernet1/0/46
description Core B Monitor Port
!
interface GigabitEthernet1/0/47
!
interface GigabitEthernet1/0/48
description Monitor Ports to Monitoring System
!
interface GigabitEthernet1/0/49
!
interface GigabitEthernet1/0/50
!
interface GigabitEthernet1/0/51
!
interface GigabitEthernet1/0/52
!
interface Vlan1
no ip address
!
interface Vlan255
ip address 10.1.255.21 255.255.255.0
!
interface Vlan1000
description SPAN collection
no ip address
!
ip http server
ip http secure-server
!
!
!
!
!
!
!
line con 0
line vty 0 4
timeout login response 300
transport input telnet ssh
line vty 5 15
timeout login response 300
transport input telnet ssh
!
!
monitor session 1 source interface Gi1/0/45 - 46
monitor session 1 destination interface Gi1/0/48
end
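Based on the comments, it seems you had not created the VLAN in the switch's VLAN database.
Not using the global vlan command to create VLANs for standalone switches is a common source of problems. Switches that use trunks usually have VTP enabled, and the VLAN database will be populated by VTP. For standalone switches and switches in VTP transparent mode, you need to make sure you create the VLANs used on the switch. This seems to have solved your problem.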
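A check for the condition this answer describes, as an added example that is not part of the original answer: it compares the VLANs a configuration references against the VLAN database as listed by show vlan brief. Both inputs are constructed samples, and the function names are illustrative.

```python
import re

# Constructed config excerpt modelled on the VLAN 1000 access-port attempt.
RUNNING_CONFIG = """\
interface GigabitEthernet1/0/25
 switchport trunk allowed vlan 255
interface GigabitEthernet1/0/45
 switchport access vlan 1000
interface Vlan1000
"""

# Constructed `show vlan brief` output in which VLAN 1000 was never created.
SHOW_VLAN_BRIEF = """\
VLAN Name                             Status    Ports
---- -------------------------------- --------- ---------------------
1    default                          active    Gi1/0/43, Gi1/0/44
255  MGMT                             active    Gi1/0/1, Gi1/0/2
"""

def expand(vlan_list):
    """Expand an IOS VLAN list such as '20-21,121' into a set of ints."""
    ids = set()
    for part in vlan_list.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def referenced_vlans(config):
    """Map each VLAN ID used by a switchport or SVI to the interfaces using it."""
    refs, iface = {}, None
    for line in config.splitlines():
        m = re.match(r"interface (\S+)", line)
        if m:
            iface = m.group(1)
            svi = re.fullmatch(r"Vlan(\d+)", iface)
            if svi:
                refs.setdefault(int(svi.group(1)), []).append(iface)
            continue
        m = re.match(r"\s*switchport (?:access|trunk allowed) vlan ([\d,-]+)\s*$", line)
        if m and iface:
            for vid in expand(m.group(1)):
                refs.setdefault(vid, []).append(iface)
    return refs

def missing_vlans(config, show_vlan_brief):
    """Return referenced VLANs that are absent from the switch's VLAN database."""
    known = {int(v) for v in re.findall(r"^(\d+)\s+\S+", show_vlan_brief, re.M)}
    return {v: ifs for v, ifs in referenced_vlans(config).items() if v not in known}
```

Calling missing_vlans(RUNNING_CONFIG, SHOW_VLAN_BRIEF) on the samples reports VLAN 1000 together with the interfaces that depend on it.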