Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2648
Views
4
Helpful
4
Replies

SPAN Session Details 6500 and 3750

Go to solution
mfarrenkopf
Level 1
Level 1

‎08-29-2008 12:44 PM - edited ‎03-06-2019 01:05 AM

I'm configuring a box to run ntop for some network data collection we need to do off of a 6500. One of my senior engineers tells me he was told some time ago by a Cisco engineer that SPAN sessions are software-switched, thus potentially causing a high CPU load and degrading switch performance. Obviously, I don't want to cause that. However, I want to monitor our uplinks to the core (EtherChannel, peak flow around 200-300 Mb/s), so I can't use a VACL (the uplinks are /30's).

While researching this, I came across this document (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html). It says the following:

"SPAN does not affect the switching of traffic on sources. You must dedicate the destination for SPAN use. The SPAN-generated copies of traffic compete with user traffic for switch resources."

This leads me to believe that, at least port-to-port, the traffic is hardware-switched (at least on the 6500). I can see if it had to make decisions about how to filter the traffic based on some ACL conditions then it could be software-switched. But it looks like if it's straight port-to-port, it's hardware-switched.

I include a reference to the 3750 because that's quickly becoming our primary access-layer platform so I would like to know if SPAN sessions are hardware-switched or software-switched on the 3750 as well or not.

Thank you,

Matthew Farrenkopf

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to mfarrenkopf

‎08-30-2008 09:30 AM

Hello Matt,

thanks for you nice remarks.

SPAN should be hardware based on both platforms.

From an hardware point of view supporting SPAN is the dual of multicast forwarding:

in multicast traffic from one source is replicated to multiple destinations

with SPAN frames tx and rx on one or multiple ports are copied and sent to a destination port.

This should be the reason why in lower end devices only two concurrent sessions are supported.

Only warning:

We observed in C6500 chassis system performance degradation when a SPAN session is trying to push 3 Gbps of traffic over a single GE destination port.

But this was because we had a big increase on traffic served to the internet with so high peaks for hours (sports events)

We had to remove the SPAN session (to the IDS).

If your traffic is in the order of 200-300 Mbps as peak you should be fine.

Hope to help

Giuseppe

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame

‎08-29-2008 01:13 PM

Hello Matthew,

for SPAN on C3750 see:

http://www.cisco.com/en/US/docs/switches/lan/catalyst3750/software/release/12.2_44_se/configuration/guide/swspan.html

EtherChannel-You can configure an EtherChannel group as a source port but not as a SPAN destination port. When a group is configured as a SPAN source, the entire group is monitored.

Implementation should be in hardware also on C3750.

As an altenative you could think to use netflow on the core 6500 switches and to export data to a collector.

Hope to help

Giuseppe

Go to solution
mfarrenkopf
Level 1
Level 1
In response to Giuseppe Larosa

‎08-29-2008 01:24 PM

Giuseppe,

Thank you very much for your quick reply!

I did know that I can't use the EtherChannel as a destination. Since we're running less than a gig over it, I believe I should be able to use it as the source and the machine I'm going to use as the destination should be able to keep up with the data flow; it has a gig port.

But please confirm for me . . . you say "Implementation should be in hardware also on C3750." May I take that as a confirmation that, yes, SPAN sessions ARE hardware-switched on the 6500? The response didn't explicitly say that, and I just want to make sure that I'm not reading anything incorrect into what you're saying. Are there certain IOS revisions or modules for which this is not true?

Thank you,

Matt

0 Helpful

Go to solution
Giuseppe Larosa
Hall of Fame
Hall of Fame
In response to mfarrenkopf

‎08-30-2008 09:30 AM

Hello Matt,

thanks for you nice remarks.

SPAN should be hardware based on both platforms.

From an hardware point of view supporting SPAN is the dual of multicast forwarding:

in multicast traffic from one source is replicated to multiple destinations

with SPAN frames tx and rx on one or multiple ports are copied and sent to a destination port.

This should be the reason why in lower end devices only two concurrent sessions are supported.

Only warning:

We observed in C6500 chassis system performance degradation when a SPAN session is trying to push 3 Gbps of traffic over a single GE destination port.

But this was because we had a big increase on traffic served to the internet with so high peaks for hours (sports events)

We had to remove the SPAN session (to the IDS).

If your traffic is in the order of 200-300 Mbps as peak you should be fine.

Hope to help

Giuseppe

0 Helpful

Go to solution
Rakhmadian Purnama
Level 1
Level 1
In response to Giuseppe Larosa

‎11-12-2014 06:22 AM

Hi Giuseppe,

Where I can find the datasheet regarding this issue.

I saw in some documents said that CPU/Memory Impact depend on the platform switch and traffic that monitored.

 

I have same issue but in Catalyst 2950/60 series, What's maximum traffic that can be monitored by this platform?

 

Thanks

Rakhmad

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card