I have a request to send every data packet traversing heavily used distribution routers (DRs) out a SPAN session over a GbE port as a permanent configuration.
A typical DR is the default gateway for about 2000 hosts connecting across 40 vlans and 30 GbE dot1q trunks as downlinks to the L2 access switches. Hardware is sup720 pfc3bxl, with multiple 16 port GbE / GBIC classic linecards, running 12.2(18)SXF (upgrading soon to SXI).
Other than the obvious oversubscription and resulting dropped traffic on the SPAN traffic, has anyone experienced any side effects by sending so much traffic / vlans out a SPAN session? I'm thinking CPU / memory / other switch resources / etc. Also worried about traffic being punted up to the RP, such as broadcasts, non-ip, etc. From what I can gather, it doesn't seem that SPAN sessions on the c6500 architecture duplicate traffic.
I have not found any concrete restrictions or warnings of using the SPAN feature in this manner on the c6500 platform. Any thoughts or experiences are appreciated.
Hello A. Paradela,
I can confirm the issue was serious we had this high traffic 3 Gbps for hours and the problem was in pushing this mirrored traffic over a single GE port where a network IDS is connected.
>>Was it the RP's CPU that spiked? (sh proc cpu)
yes, the system became almost unreachable and user traffic was slowed down
>>Did you ever escalate to TAC or look into it further to find the root cause?
We had opened several TAC issues for this webfarm regarding different aspects and one of this was related to this aspect.
>> CCO docs actually say there's no performance hit with SPAN on the 6500
I agree on this, but in our scenario we saw an issue and I've reported to you because you may have the same problem.
Hope to help