Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
839
Views
0
Helpful
2
Replies

SPAN RX and TX channels - oversubscribed links - concepts?

Matthew burnley
Level 1
Level 1

‎07-21-2019 08:23 AM

Hi all,

 

I’ve been reading up and SPAN and the use of aggregator taps and full duplex taps.  I feel i have a better understanding of each, but i still have a question that cannot seem find the answer to, hopefully somebody will know the answer to this one.

 

When using SPAN to feed a copy of your traffic into a packet analysis tool, or an IDS for example, you need to make sure you set the SPAN session to mirror the receive and transmit channels ( RX / TX ) etc of a full duplex link.  If your full duplex link is 100mbps then you must make sure that you do not exceed 50 mbps in each direction as SPAN aggregates the RX and TX into a single TX channel ( 50 + 50 ) as most NIC's do not support dual RX channels.

 

In such cases that you exceed this 50% figure ( e.g highly subscribed links at 80-90% ) then you use a full duplex TAP which required a dual receive NIC - which most servers don’t have.

 

So my question is if we have a 100mbps port we want to mirror that’s 85 % subscribed in both directions ( using source port filter not vlan filter etc ) - if we mirror the RX and TX to a destination port that is actually 1000mbps would that result in 170 mbps been mirrored to the receive channel of the IDS/server NIC without packet loss?

 

So conceptually, is the way to overcome this SPAN 50% utilization limitation just to use a higher speed link as your mirroring/destination port - e.g use a 1000mbps destination link rather than the same 100mbps source port link or does this just not work properly for some strange reason ?

 

thanks.

 

 

 

Labels:
0 Helpful
2 Replies 2

Joseph W. Doherty
Hall of Fame
Hall of Fame

‎07-21-2019 08:44 AM

As far as I know, using a higher bandwidth port, to receive the SPAN output should work as you surmise.

BTW, even if TX or RX exceed 50% you might be okay because the output should be the aggregate of both. (E.g. 60% TX plus 35% RX.) Further if the aggregate sum of TX and RX exceed 100% of the SPAN's output port's bandwidth, you might be okay due to port buffering if it's of a short duration. However, if the aggregate exceeds 100% long term, of the output port's bandwidth, you're going to have a problem.
0 Helpful

Matthew burnley
Level 1
Level 1
In response to Joseph W. Doherty

‎07-21-2019 03:06 PM

Thankyou for your input Joseph.

0 Helpful
Customers Also Viewed These Support Documents