镜像ping端口

H3CCAS端口镜像特性操作指导书Copyright2015杭州华三通信技术有限公司版权所有,保留一切权利.
非经本公司书面许可,任何单位和个人不得擅自摘抄、复制本文档内容的部分或全部,并不得以任何形式传播.
本文档中的信息可能变动,恕不另行通知.
i目录1简介·······························································································································12产品规格·························································································································12.
1规格列表······················································································································12.
2规格约束······················································································································13配置前提·························································································································24配置环境·························································································································24.
1服务器·························································································································24.
2软件···························································································································25配置指导·························································································································25.
1组网需求······················································································································25.
2准备工作······················································································································35.
2.
1准备测试虚拟机····································································································35.
2.
2准备测试网络与工具······························································································55.
3测试步骤······················································································································65.
3.
1配置端口镜像策略·································································································65.
3.
2验证入方向端口镜像策略························································································95.
3.
3验证出方向端口镜像策略······················································································105.
3.
4验证双向端口镜像策略·························································································1211简介本文档介绍H3CCAS端口镜像特性的使用方法和操作步骤.
端口镜像通过将指定端口的报文复制到与数据监测设备相连的端口,使用户可以利用数据监测设备分析这些复制过来的报文,以进行网络监控和故障排除.
在端口镜像中,有几个基本概念,分别是镜像源、镜像目的、镜像方向和镜像VLANID.
(1)镜像源:指被监控的对象,在虚拟化应用中,该对象就是虚拟机的虚拟网卡.
经由被监控对象收发的报文会被复制一份到与数据监测设备(或虚拟机)相连的端口,用户就可以对这些报文(称之为镜像报文)进行监控和分析了.
(2)镜像目的:指镜像报文所要达到的目的地,即与数据监测设备相连的那个端口.
(3)镜像方向:指在虚拟交换机上可复制的报文方向,包括:入方向:指仅复制虚拟机指定端口发送到虚拟交换机的报文.
出方向:指仅复制虚拟交换机发送到虚拟机指定端口的报文.
双向:指对虚拟交换机收到和发出的报文都进行复制.
(4)镜像VLAN:将镜像报文从源端口传送到目的端口时专用的VLAN,用于跨主机镜像(即镜像源和镜像目的不在同一个物理主机)时,隔离镜像报文和业务报文.
镜像报文在源虚拟交换机上封装VLAN标签,邻接物理交换机上透传并在VLAN内广播该报文,镜像目的所在的虚拟交换机接收到该报文之后,剥除镜像VLAN,将报文发送给相同VLAN配置的目的虚拟机的虚拟网卡.
2产品规格2.
1规格列表一级规格二级规格说明虚拟交换机端口镜像支持将一个或多个镜像源的IP报文镜像到指定的镜像目的.
支持入方向、出方向或入出双方向配置.
支持主机内和跨主机的虚拟机端口流量镜像.
2.
2规格约束(1)镜像VLANID不允许与业务VLANID重复,不同镜像策略的镜像VLANID也不允许重复.
(2)不支持VLANID为1的虚拟端口配置镜像功能,因为如果配置了两组VLANID为1的端口镜像,可能出现报文环路,导致网络故障.
(3)跨主机端口镜像时,要求中间设备必须允许镜像VLAN通过,并关闭该VLANID的MAC地址学习功能,以确保镜像源与镜像目的之间的二层网络畅通,同时,必须确保镜像报文从源到达目的的过程中,其VLANID不被修改或删除,否则跨主机镜像功能将失效.
2(4)在刀片环境中,由于刀片服务器与外部接入交换机之间有VC模块,而VC模块无法处理镜像VLAN报文,导致镜像功能失效.
因此,暂时不支持刀片环境下的端口镜像功能.
3配置前提本文档中的配置均是在实验室环境下进行的配置和验证,配置前服务器和软件的所有参数均采用出厂时的缺省配置.
如果您已经对被测试对象进行了配置,为了保证配置效果,请确认现有配置和以下举例中的配置不冲突.
4配置环境4.
1服务器本文档不严格与具体硬件服务器型号对应,如果使用过程中与产品实际情况有差异,请参考相关产品手册,或以设备实际情况为准.
本文档使用的服务器型号与配置如下表所示,该环境不作为实际部署时的强制环境或推荐环境,只需要服务器能够兼容H3CCAS云计算管理平台即可完成本配置.
配置项说明服务器#1(H3CCASCVM虚拟化管理平台)H3CFlexServerR390CPU:2路8核,IntelXeonE5-26500@2.
00GHz内存:32GB服务器#2(H3CCASCVK虚拟化内核系统)H3CFlexServerB390CPU:2路6核,IntelXeonE5-26200@2.
00GHz内存:32GB4.
2软件软件版本服务器虚拟化管理软件H3CCAS-E0216(KVMKernel3.
13.
6)虚拟机操作系统WindowsServer2008R2数据中心版64位数据监测软件WiresharkV1.
12.
1(64位)5配置指导5.
1组网需求验证H3CCAS端口镜像功能的逻辑组网拓扑图如下所示.
3图1端口镜像功能测试组网逻辑拓扑图(1)在H3CCASCVK虚拟化内核系统上安装三个虚拟机,其中VM#1和VM#3分别为镜像源和镜像目的,VM#1和VM#2用作Ping测试虚拟机.
(2)在虚拟交换机上配置流量镜像策略,将虚拟交换机入方向(即从VM#1的vNIC发送到虚拟交换机)的网络流量(红色虚线1A)镜像到数据监测软件(红色虚线1B).
(3)在VM#1上PingVM#2,在镜像目的虚拟机VM#3上,通过Wireshark抓包软件,验证是否只观察到源IP为VM#1,目的IP为VM#2的ICMPRequest报文.
(4)在虚拟交换机上修改流量镜像策略,对虚拟交换机出方向(即从虚拟交换机发送到VM#1的vNIC)的网络流量(蓝色虚线2A)镜像到数据检测软件(蓝色虚线2B).
(5)在VM#2上PingVM#1,在镜像目的虚拟机VM#3上,通过Wireshark抓包软件,验证是否只观察到源IP为VM#2,目的IP为VM#1的ICMPRequest报文.
(6)在虚拟交换机上修改流量镜像策略,对虚拟交换机双向(即从虚拟交换机发送到VM#1的vNIC以及从VM#1的vNIC接收)的网络流量(绿色虚线3A)镜像到数据检测软件(绿色虚线3B).
(7)在VM#1上PingVM#2,在镜像目的虚拟机VM#3上,通过Wireshark抓包软件,验证是否同时观察到源IP为VM#1,目的IP为VM#2的ICMPRequest报文,以及源IP为VM#2,目的IP为VM#1的ICMPReply报文.
5.
2准备工作5.
2.
1准备测试虚拟机步骤1系统管理员登录H3CCASCVM虚拟化管理平台(服务器#1),在H3CCASCVK虚拟化内核系统(服务器#2)上创建1个新的虚拟机(VM),虚拟机主要配置如下表所示.
4资源大小vCPU2核vMem4GBvDisk1*20GB(Virtio,本地磁盘)vNIC1(Virtio,启用内核加速)虚拟交换机vSwitch0(管理口)上述虚拟机资源配置仅为测试环境下的配置,不作为生产环境中业务虚拟机的推荐配置.
生产环境中的虚拟机配置应该根据业务本身对CPU、内存、磁盘和网卡等资源的实际需求进行评估和测试后最终确定.
步骤2通过控制台(VNC)为虚拟机安装WindowsServer2008R2数据中心版64位操作系统.
图2为虚拟机安装操作系统步骤3虚拟机操作系统安装成功之后,关闭操作系统默认开启的防火墙功能.
步骤4正常关闭虚拟机,将虚拟机转换为虚拟机模板.
步骤5通过虚拟机模板,依次部署3个测试虚拟机VM#1~VM#3.
5图3基于虚拟机模板部署测试虚拟机5.
2.
2准备测试网络与工具步骤1配置测试虚拟机IP地址.
#在H3CCASCVM虚拟化管理平台上,通过控制台(VNC)配置VM#1~VM#3的IP地址.
虚拟机序号名称用途IP地址VM#1PingSource镜像源,同时作为Ping业务的一端.
192.
168.
0.
231VM#2PingDestPing业务的另一端.
192.
168.
0.
232VM#3Monitor镜像目的,通过监控软件验证镜像结果的正确性.
192.
168.
0.
238H3CCASCVM虚拟化管理平台支持通过界面直接设置虚拟机的IP地址和掩码等网络参数,但要求虚拟机上必须已经按照CAStools工具.
#配置完成之后,通过虚拟机操作系统的命令行窗口或PowerShell工具,在各个虚拟机之间互相发送Ping报文,确保网络可达.
6如果IP地址已经配置成功,但是虚拟机之间无法相互Ping通,可能的原因是虚拟机操作系统开启了防火墙,默认禁止Ping报文入出.
此时,可以尝试关闭操作系统中的防火墙配置.
步骤2在镜像目的虚拟机(VM#3)操作系统内,安装WiresharkV1.
12.
1抓包软件.
5.
3测试步骤5.
3.
1配置端口镜像策略步骤1系统管理员登录H3CCASCVM虚拟化管理平台,在导航窗格中选中主机,在右侧配置窗口中,点击标签页,选择业务虚拟机使用的虚拟交换机,并点击表格行末的按钮.
图4端口镜像策略配置入口步骤2在弹出的"高级设置"对话框中,点击"端口镜像"选项,在右侧配置窗口中,点击按钮,启动端口镜像策略配置向导.
#输入端口镜像策略名称和镜像VLANID,选择方向为"入方向",点击按钮.
7图5端口镜像策略配置向导第一步#选择VM#1作为虚拟机镜像源,点击按钮.
图6端口镜像策略配置向导第二步#配置VM#3作为镜像目的虚拟机,点击按钮.
8图7端口镜像策略配置向导第三步#确认配置之后,点击按钮.
图8端口镜像策略配置向导第四步95.
3.
2验证入方向端口镜像策略步骤1在VM#1上通过命令行窗口PingVM#2.
图9以Ping(ICMP)报文模拟业务流量步骤2验证入方向端口镜像策略是否生效.
图10通过Wireshark抓包工具验证入方向端口镜像策略10因为从VM#1发送到VM#2的ICMPRequest报文经过虚拟交换机的时候,对虚拟交换机而言,该报文是从VM#1虚拟网卡方向入的报文,因此,虚拟交换机匹配到入方向端口镜像策略之后,应将该报文镜像到镜像目的.
在VM#3虚拟机上,通过Wireshark抓包接口可以看出,VM#1发送到VM#2的4个ICMPRequest报文被成功镜像到VM#3的虚拟网卡上,源IP地址为VM#1虚拟网卡的IP地址,目的IP地址为VM#2虚拟网卡的IP地址.
5.
3.
3验证出方向端口镜像策略步骤1在H3CCASCVM虚拟化管理平台中,修改虚拟交换机上的端口镜像策略方向为出方向,其余配置保持不变.
图11修改端口镜像策略方向为出方向步骤2在VM#2上通过命令行窗口PingVM#1.
11图12以Ping(ICMP)报文模拟业务流量步骤3验证出方向端口镜像策略是否生效.
图13通过Wireshark抓包工具验证出方向端口镜像策略因为从VM#2发送到VM#1的ICMPRequest报文经过虚拟交换机的时候,对虚拟交换机而言,该报文是从虚拟交换机转发到VM#1虚拟网卡的,也就是从虚拟交换机发送出去的报文,因此,虚拟交换机匹配到出方向端口镜像策略之后,应将该报文镜像到镜像目的.
在VM#3虚拟机上,通过12Wireshark抓包接口可以看出,VM#2发送到VM#1的4个ICMPRequest报文被成功镜像到VM#3的虚拟网卡上,源IP地址为VM#2虚拟网卡的IP地址,目的IP地址为VM#1虚拟网卡的IP地址.
5.
3.
4验证双向端口镜像策略步骤1在H3CCASCVM虚拟化管理平台中,修改虚拟交换机上的端口镜像策略方向为双向,其余配置保持不变.
图14修改端口镜像策略方向为双向步骤2在VM#1上通过命令行窗口PingVM#2.
图15以Ping(ICMP)报文模拟业务流量13步骤3验证双向端口镜像策略是否生效.
因为从VM#1发送到VM#2的ICMPRequest报文,以及从VM#2回应VM#1的ICMPReply报文经过虚拟交换机的时候,对虚拟交换机而言,该报文是从VM#1虚拟网卡进入虚拟交换机,再由虚拟交换机转发到VM#2虚拟网卡的,因此,虚拟交换机匹配到双向端口镜像策略之后,既将VM#1发送的ICMPRequest报文镜像到镜像目的,也会将VM#2回应的ICMPReply报文镜像到镜像目的.
在VM#3虚拟机上,通过Wireshark抓包接口可以看出,VM#1发送到VM#2的4个ICMPRequest报文,以及VM#2回应VM#1的4个ICMPReply都被成功镜像到VM#3的虚拟网卡上.
图16通过Wireshark抓包工具验证双向端口镜像策略