I'm configuring a box to run ntop for some network data collection we need to do off of a 6500. One of my senior engineers tells me he was told some time ago by a Cisco engineer that SPAN sessions are software-switched, thus potentially causing a high CPU load and degrading switch performance. Obviously, I don't want to cause that. However, I want to monitor our uplinks to the core (EtherChannel, peak flow around 200-300 Mb/s), so I can't use a VACL (the uplinks are /30's).
While researching this, I came across this document (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html). It says the following:
"SPAN does not affect the switching of traffic on sources. You must dedicate the destination for SPAN use. The SPAN-generated copies of traffic compete with user traffic for switch resources."
This leads me to believe that, at least port-to-port, the traffic is hardware-switched (at least on the 6500). I can see if it had to make decisions about how to filter the traffic based on some ACL conditions then it could be software-switched. But it looks like if it's straight port-to-port, it's hardware-switched.
I include a reference to the 3750 because that's quickly becoming our primary access-layer platform so I would like to know if SPAN sessions are hardware-switched or software-switched on the 3750 as well or not.
thanks for you nice remarks.
SPAN should be hardware based on both platforms.
From an hardware point of view supporting SPAN is the dual of multicast forwarding:
in multicast traffic from one source is replicated to multiple destinations
with SPAN frames tx and rx on one or multiple ports are copied and sent to a destination port.
This should be the reason why in lower end devices only two concurrent sessions are supported.
We observed in C6500 chassis system performance degradation when a SPAN session is trying to push 3 Gbps of traffic over a single GE destination port.
But this was because we had a big increase on traffic served to the internet with so high peaks for hours (sports events)
We had to remove the SPAN session (to the IDS).
If your traffic is in the order of 200-300 Mbps as peak you should be fine.
Hope to help