CatOs Span session

Jun 24th, 2009

Okay, so I set up a SPAN session on our CatOS 6500, and everything was fine for like 12 hours.

Then suddenly in the middle of the night the helpdesk calls and says the website isn't reachable from the inside (behind an F5 in the DMZ). Not even sort of directly connected to the old core switch with the SPAN on it.

So the other network guy killed the span, since that was the only change made that day and things started working.

That makes no sense at all. Has anyone ever heard of a span affecting connectivity?

pciaccio Wed, 06/24/2009 - 04:37

Yes, I have... depending upon what you are monitoring. Running a SPAN on your switch multiplies your traffic. So if you are spanning a VLAN, then all traffic on that VLAN will be copied and spill over to the SPAN port. If running multiple SPAN ports, then all the traffic you are monitoring will be duplicated. All this traffic can strangle a port or backplane...

scott.hammond Wed, 06/24/2009 - 04:57

CPU was <15% at the time and he didn't check port utilization.

We were spanning all vlans to that one port though.

pciaccio Wed, 06/24/2009 - 06:44

I would recommend that you span only one VLAN or just a port. Not all VLANs. That means that all traffic on the switch was duplicated and sent to the one SPAN port. That also includes all BPDU packets as well as all ARP and broadcasts on your network. Try to define your span to look at less traffic, or set your span and when done remove it.

scott.hammond Wed, 06/24/2009 - 06:48

Yeah, that's always been my best practice, but we have a Fluke rep in here with some gee whiz application analysis tool and he suggested spanning all VLANs.

So I did, cautiously, with "set span dis" ready to paste into the console, and the CPU didn't flinch. The SPAN port hit about 40% utilization on the top talker report and I considered it stable.

Giuseppe Larosa Wed, 06/24/2009 - 10:09

Hello Scott,

Spanning all VLANs over a single destination port can cause problems also with Cisco IOS 6500:

We had a SPAN session to IDS of internet traffic: when average traffic reached 3 Gbps with a destination port of a single GE, the CPU rose to 100% and we had to disable it.

Hope to help


