Traffic Export

    原始 IP 流量導(dǎo)出（RawIP Traffic Export）是一個輕量級的思科 IOS 軟件特性，用于將到達(dá)到離開網(wǎng)絡(luò)設(shè)備的 IP 數(shù)據(jù)包導(dǎo)出到外部設(shè)備，

IP Traffic Export

。它使用指定的局域網(wǎng)接口來導(dǎo)出所捕獲的 IP 數(shù)據(jù)包。其目標(biāo)是將原始 IP 數(shù)據(jù)包以未修改的格式導(dǎo)出到指定設(shè)備（比如說數(shù)據(jù)包分析程序或 IDS 設(shè)備）。

    原始 IP 流量導(dǎo)出的特性包括：

    1. 通過過濾功能（使用 ACL），可以只導(dǎo)出感興趣的流量。

    2. 采樣選項可以減少流量輸出量。

    3. 使用與目標(biāo)主機(jī)相關(guān)的 MAC、802.1q 或者交換機(jī)間鏈路（Inter-Switch Link，ISL）地址（而不是 IP 地址）來指定執(zhí)行導(dǎo)出的以太網(wǎng)端口。

    4. 當(dāng)特性激活或禁用時設(shè)置 syslog 信息。

    Configuration

    wKiom1XZNoziJMX4AABQQgrIe0Y185.jpg

    Router(config)#iptraffic-export profile CCIE

    Router(conf-rite)# interface FastEthernet0/0

    Router(conf-rite)# bidirectional

    Router(conf-rite)#mac-address 0200.4C4F.4F50

    Router(config)#interfaceFastEthernet0/1

    Router(config-if)#ip address 192.168.1.1 255.255.255.0

    Router(config-if)#ip traffic-export apply CCIE

    驗證配置

    Router#show ip traffic-export

    Router IP Traffic ExportParameters

    Monitored Interface      FastEthernet0/1

    Export Interface        FastEthernet0/0

    Destination MAC address 0200.4c4f.4f50

    bi-directional traffic export is on

    Output IP Traffic ExportInformation  Packets/BytesExported  0/0

    Packets Dropped     0

    Sampling Rate      one-in-every 1 packets

    No Access List configured

    Input IP Traffic ExportInformation  Packets/BytesExported  14/1400

    Packets Dropped     0

    Sampling Rate      one-in-every 1 packets

    No Access List configured

    Profile CCIE is Active

    Snifer設(shè)備獲取到流量

    Frame417: 114 bytes on wire (912 bits), 114 bytes captured (912 bits) on interface 0

    EthernetII, Src: 02:00:4c:4f:4f:50 (02:00:4c:4f:4f:50), Dst: 02:00:4c:4f:4f:50(02:00:4c:4f:4f:50)

    Destination: 02:00:4c:4f:4f:50(02:00:4c:4f:4f:50)

    Source: 02:00:4c:4f:4f:50(02:00:4c:4f:4f:50)

    Type: IP (0x0800)

    InternetProtocol Version 4, Src: 192.168.1.10 (192.168.1.10), Dst: 192.168.1.1(192.168.1.1)

    Version: 4

    Header Length: 20 bytes

    Differentiated Services Field: 0x00 (DSCP0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))

    Total Length: 100

    Identification: 0x0011 (17)

    Flags: 0x00

    Fragment offset: 0

    Time to live: 254

    Protocol: ICMP (1)

    Header checksum: 0x392c [correct]

    Source: 192.168.1.10 (192.168.1.10)

    Destination: 192.168.1.1 (192.168.1.1)

    [Source GeoIP: Unknown]

    [Destination GeoIP: Unknown]

    InternetControl Message Protocol

    Type: 8 (Echo (ping) request)

    Code: 0

    Checksum: 0xeefd [correct]

    Identifier (BE): 5 (0x0005)

    Identifier (LE): 1280 (0x0500)

    Sequence number (BE): 0 (0x0000)

    Sequence number (LE): 0 (0x0000)

    Data (72 bytes)

    使用ACL過濾流量

    Router(config)#ip access-listextended telnet

    Router(config-ext-nacl)#permittcp any any eq telnet

    Router(config)#ip traffic-exportprofile CCIE

    Router(conf-rite)#interfaceFastEthernet0/0

    Router(conf-rite)#incomingaccess-list telnet

    Router(conf-rite)#mac-address0200.4C4F.4F50

    Router(config)#interfaceFastEthernet0/1

    Router(config-if)# ip address192.168.1.1 255.255.255.0

    Router(config-if)# iptraffic-export apply CCIE

    驗證配置

    Router#show ip traffic-export

    Router IP Traffic ExportParameters

    Monitored Interface      FastEthernet0/1

    Export Interface        FastEthernet0/0

    Destination MAC address 0200.4c4f.4f50

    bi-directional traffic export is on

    Output IP Traffic ExportInformation  Packets/BytesExported  0/0

    Packets Dropped     0

    Sampling Rate      one-in-every 1 packets

    No Access List configured

    Input IP Traffic ExportInformation  Packets/BytesExported  45/1865

    Packets Dropped     115

    Sampling Rate      one-in-every 1 packets

    AccessList    telnet [named extended IP]

    Profile CCIE is Active

    http://www.cisco.com/c/en/us/td/docs/ios/12_4t/12_4t11/ht_rawip.html