In an earlier post, http://www.rendoumi.com/zen-yang-zai-open-vswitchshang-she-zhi-span-huo-zhe-mirrorduan-kou/, we described how to set up a mirror port with a libvirt script.

Here is the purely manual version:

The scenario is the same as before:

kvm01:vnet1
kvm02:vnet2

First look at OVS; both ports, vnet1 and vnet2, are attached to ovsbr0:

# ovs-vsctl show
238d066c-8354-4978-a9f4-39a98fa2d2e9  
    Bridge "ovsbr0"
        Port "eth0"
            Interface "eth0"
        Port "ovsbr0"
            Interface "ovsbr0"
                type: internal
        Port "vnet1"
            Interface "vnet1"
        Port "vnet2"
            Interface "vnet2"
    ovs_version: "1.4.2"

Listing the mirrors should return nothing at this point:

# ovs-vsctl list Mirror 

Now set it up by hand. Note the parameters: the bridge being set is ovsbr0, and the two ports are vnet1 (the port whose traffic is selected) and vnet2 (the port that receives the copies):

# ovs-vsctl -- set bridge ovsbr0 mirrors=@m -- --id=@vnet1 get Port vnet1 -- --id=@vnet2 get Port vnet2 -- --id=@m create Mirror name=mirror_test select-dst-port=@vnet1 select-src-port=@vnet1 output-port=@vnet2
b073490c-5a64-4d80-93ca-534f29c09027

The same command, formatted more readably:

# ovs-vsctl -- set Bridge ovsbr0 mirrors=@m \
 -- --id=@vnet1 get Port vnet1 \
 -- --id=@vnet2 get Port vnet2 \
 -- --id=@m create Mirror name=mirror_test select-dst-port=@vnet1 select-src-port=@vnet1 output-port=@vnet2

Check again:

# ovs-vsctl list Mirror 
_uuid               : b073490c-5a64-4d80-93ca-534f29c09027  
external_ids        : {}  
name                : mirror_test  
output_port         : 6b80f606-516c-4304-91a3-0217b02e408b  
output_vlan         : []  
select_all          : false  
select_dst_port     : [b3ef508f-cdca-4a42-921e-9a96fffff98b]  
select_src_port     : [b3ef508f-cdca-4a42-921e-9a96fffff98b]  
select_vlan         : []  
statistics          : {tx_bytes=24430, tx_packets=380}  

To delete it (clearing the bridge's mirrors column drops the reference, and the now-unreferenced Mirror row is garbage-collected by OVS):

# ovs-vsctl clear bridge ovsbr0 mirrors 

The difference: what was set up by hand above mirrors one specific port, whereas the previous post mirrored the traffic of the entire bridge, which is what lets snort scan everything crossing the bridge. The distinction is the select_all=true parameter. Here it is as a single command:

# ovs-vsctl \
  -- --id=@m create mirror name=mymirror \
  -- add bridge ovsbr0 mirrors @m \
  -- --id=@vnet2 get port vnet2 \
  -- set mirror mymirror select_all=true output-port=@vnet2
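A mirror copies frames to its output port, so the mirrors that exist on a bridge are worth auditing: an expected one feeds the IDS, an unexpected one is a tap nobody asked for. The script below is an added example, not part of the original post or of Open vSwitch itself. It parses the `ovs-vsctl list Mirror` record format shown above offline, classifies each mirror as bridge-wide (select_all=true, the one-command version) or per-port (specific select_src_port/select_dst_port, the manual version), reads the tx_packets counter to see whether the mirror is actually copying frames, and reports any mirror whose name is not on an allow list. The sample records are constructed: the first copies the shape and values of the mirror_test output above, the second is a made-up bridge-wide mirror with placeholder UUIDs.

```shell
#!/bin/sh
# Added example, not from the original post: audit `ovs-vsctl list Mirror`
# output offline. On a real host replace SAMPLE with:
#   SAMPLE=$(ovs-vsctl list Mirror)

# Constructed sample: the first record follows the post's mirror_test output;
# the second is a made-up bridge-wide mirror (placeholder UUIDs).
SAMPLE='_uuid               : b073490c-5a64-4d80-93ca-534f29c09027
external_ids        : {}
name                : mirror_test
output_port         : 6b80f606-516c-4304-91a3-0217b02e408b
output_vlan         : []
select_all          : false
select_dst_port     : [b3ef508f-cdca-4a42-921e-9a96fffff98b]
select_src_port     : [b3ef508f-cdca-4a42-921e-9a96fffff98b]
select_vlan         : []
statistics          : {tx_bytes=24430, tx_packets=380}

_uuid               : 00000000-0000-0000-0000-000000000002
external_ids        : {}
name                : mymirror
output_port         : 00000000-0000-0000-0000-000000000003
output_vlan         : []
select_all          : true
select_dst_port     : []
select_src_port     : []
select_vlan         : []
statistics          : {}'

# audit_mirrors <listing>: prints one line per Mirror record,
# "<name> <kind> <tx_packets>", where kind is bridge-wide (select_all=true),
# per-port (specific ports selected) or inactive (nothing selected at all).
# Records in `ovs-vsctl list` output are separated by blank lines, so awk's
# paragraph mode (RS="") yields one record at a time, one column per field.
audit_mirrors() {
    printf '%s\n' "$1" | awk '
    BEGIN { RS = ""; FS = "\n" }
    {
        name = ""; sa = "false"; src = "[]"; dst = "[]"; tx = 0
        for (i = 1; i <= NF; i++) {
            key = $i; sub(/ *:.*/, "", key)          # column name
            val = $i; sub(/^[^:]*: */, "", val)      # column value
            sub(/[ \t]+$/, "", val)                  # drop trailing blanks
            if (key == "name") name = val
            else if (key == "select_all") sa = val
            else if (key == "select_src_port") src = val
            else if (key == "select_dst_port") dst = val
            else if (key == "statistics" && match(val, /tx_packets=[0-9]+/))
                tx = substr(val, RSTART + 11, RLENGTH - 11)
        }
        kind = (sa == "true") ? "bridge-wide" : ((src != "[]" || dst != "[]") ? "per-port" : "inactive")
        print name, kind, tx
    }'
}

# unexpected_mirrors <audit output> <allowed name>...: prints the names of
# mirrors that are not on the allow list (the eavesdropping check).
unexpected_mirrors() {
    listing=$1; shift
    printf '%s\n' "$listing" | awk -v allowed=" $* " '
        $1 != "" && index(allowed, " " $1 " ") == 0 { print $1 }'
}

audit_mirrors "$SAMPLE"
echo "--- mirrors not on the allow list (only mirror_test is expected):"
unexpected_mirrors "$(audit_mirrors "$SAMPLE")" mirror_test
```

A zero tx_packets count on a mirror that is supposed to be feeding snort usually means the select ports or output port were resolved to the wrong Port row; compare the UUIDs in the record with `ovs-vsctl get Port vnet2 _uuid` before blaming the sensor.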