SPAN Session Details 6500 and 3750

Answered Question
Aug 29th, 2008

I'm configuring a box to run ntop for some network data collection we need to do off of a 6500. One of my senior engineers tells me he was told some time ago by a Cisco engineer that SPAN sessions are software-switched, thus potentially causing a high CPU load and degrading switch performance. Obviously, I don't want to cause that. However, I want to monitor our uplinks to the core (EtherChannel, peak flow around 200-300 Mb/s), so I can't use a VACL (the uplinks are /30's).


While researching this, I came across this document (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html). It says the following:


"SPAN does not affect the switching of traffic on sources. You must dedicate the destination for SPAN use. The SPAN-generated copies of traffic compete with user traffic for switch resources."


This leads me to believe that, at least port-to-port, the traffic is hardware-switched (at least on the 6500). I can see if it had to make decisions about how to filter the traffic based on some ACL conditions then it could be software-switched. But it looks like if it's straight port-to-port, it's hardware-switched.


I include a reference to the 3750 because that's quickly becoming our primary access-layer platform so I would like to know if SPAN sessions are hardware-switched or software-switched on the 3750 as well or not.


Thank you,

Matthew Farrenkopf

Giuseppe Larosa Fri, 08/29/2008 - 13:13

Hello Matthew,


for SPAN on C3750 see:


http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swspan.html


EtherChannel: You can configure an EtherChannel group as a source port but not as a SPAN destination port. When a group is configured as a SPAN source, the entire group is monitored.


Implementation should be in hardware also on C3750.


As an alternative, you could think about using NetFlow on the core 6500 switches and exporting data to a collector.


Hope to help

Giuseppe

mfarrenkopf Fri, 08/29/2008 - 13:24

Giuseppe,


Thank you very much for your quick reply!


I did know that I can't use the EtherChannel as a destination. Since we're running less than a gig over it, I believe I should be able to use it as the source and the machine I'm going to use as the destination should be able to keep up with the data flow; it has a gig port.


But please confirm for me . . . you say "Implementation should be in hardware also on C3750." May I take that as a confirmation that, yes, SPAN sessions ARE hardware-switched on the 6500? The response didn't explicitly say that, and I just want to make sure that I'm not reading anything incorrect into what you're saying. Are there certain IOS revisions or modules for which this is not true?


Thank you,

Matt

Correct Answer
Giuseppe Larosa Sat, 08/30/2008 - 09:30

Hello Matt,

Thanks for your nice remarks.


SPAN should be hardware based on both platforms.


From a hardware point of view, supporting SPAN is the dual of multicast forwarding:

in multicast, traffic from one source is replicated to multiple destinations;

with SPAN, frames tx and rx on one or multiple ports are copied and sent to a destination port.

This should be the reason why in lower end devices only two concurrent sessions are supported.


Only warning:

We observed system performance degradation in a C6500 chassis when a SPAN session was trying to push 3 Gbps of traffic over a single GE destination port.

But this was because we had a big increase in traffic served to the internet, with such high peaks for hours (sports events).

We had to remove the SPAN session (to the IDS).

If your traffic is on the order of 200-300 Mbps at peak, you should be fine.


Hope to help

Giuseppe
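
The sizing concern raised in this answer (3 Gbps pushed at a single GE destination port), as an added example that is not part of the original thread: a Python sketch that sums the rx and tx rates of the SPAN sources from `show interfaces` output and compares them with the destination port's bandwidth. The interface names, the sample output and the 80% headroom threshold are assumptions constructed for illustration.

```python
import re

# Constructed sample of `show interfaces` output (illustrative values, not from the thread).
SAMPLE = """\
Port-channel1 is up, line protocol is up (connected)
  MTU 1500 bytes, BW 2000000 Kbit, DLY 10 usec,
  5 minute input rate 212345000 bits/sec, 31000 packets/sec
  5 minute output rate 287655000 bits/sec, 40200 packets/sec
GigabitEthernet3/1 is up, line protocol is up (connected)
  MTU 1500 bytes, BW 1000000 Kbit, DLY 10 usec,
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 1000 bits/sec, 1 packets/sec
"""

HEADER = re.compile(r"^(\S+) is (?:administratively )?(?:up|down)")
BW = re.compile(r"BW (\d+) Kbit")
RATE = re.compile(r"(input|output) rate (\d+) bits/sec")


def parse_show_interfaces(text):
    """Return {interface: {"bw", "input", "output"}} with all values in bits/sec."""
    stats, cur = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):          # unindented line starts a new interface
            cur = stats.setdefault(m.group(1), {"bw": 0, "input": 0, "output": 0})
        elif cur is None:
            continue
        elif m := BW.search(line):
            cur["bw"] = int(m.group(1)) * 1000
        elif m := RATE.search(line):
            cur[m.group(1)] = int(m.group(2))
    return stats


def span_check(text, sources, destination, direction="both", headroom=0.8):
    """Compare mirrored load from the SPAN sources with the destination capacity."""
    stats = parse_show_interfaces(text)
    keys = {"rx": ["input"], "tx": ["output"], "both": ["input", "output"]}[direction]
    # Monitoring rx and tx copies both directions, so the rates add up.
    mirrored = sum(stats[s][k] for s in sources for k in keys)
    capacity = stats[destination]["bw"]
    util = mirrored / capacity
    return {"mirrored_bps": mirrored, "capacity_bps": capacity,
            "utilization": util, "ok": util <= headroom}


if __name__ == "__main__":
    print(span_check(SAMPLE, ["Port-channel1"], "GigabitEthernet3/1"))
```

The rates parsed here are 5-minute averages, so short bursts can exceed the computed utilization.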

Rakhmadian Purnama Wed, 11/12/2014 - 06:22

Hi Giuseppe,

Where can I find the datasheet regarding this issue?

I saw that some documents said that the CPU/memory impact depends on the switch platform and the traffic that is monitored.

I have the same issue but on the Catalyst 2950/60 series. What's the maximum traffic that can be monitored by this platform?

Thanks

Rakhmad
