SPAN RX and TX channels - oversubscribed links - concepts?
I’ve been reading up and SPAN and the use of aggregator taps and full duplex taps. I feel i have a better understanding of each, but i still have a question that cannot seem find the answer to, hopefully somebody will know the answer to this one.
When using SPAN to feed a copy of your traffic into a packet analysis tool, or an IDS for example, you need to make sure you set the SPAN session to mirror the receive and transmit channels ( RX / TX ) etc of a full duplex link. If your full duplex link is 100mbps then you must make sure that you do not exceed 50 mbps in each direction as SPAN aggregates the RX and TX into a single TX channel ( 50 + 50 ) as most NIC's do not support dual RX channels.
In such cases that you exceed this 50% figure ( e.g highly subscribed links at 80-90% ) then you use a full duplex TAP which required a dual receive NIC - which most servers don’t have.
So my question is if we have a 100mbps port we want to mirror that’s 85 % subscribed in both directions ( using source port filter not vlan filter etc ) - if we mirror the RX and TX to a destination port that is actually 1000mbps would that result in 170 mbps been mirrored to the receive channel of the IDS/server NIC without packet loss?
So conceptually, is the way to overcome this SPAN 50% utilization limitation just to use a higher speed link as your mirroring/destination port - e.g use a 1000mbps destination link rather than the same 100mbps source port link or does this just not work properly for some strange reason ?
As far as I know, using a higher bandwidth port, to receive the SPAN output should work as you surmise.
BTW, even if TX or RX exceed 50% you might be okay because the output should be the aggregate of both. (E.g. 60% TX plus 35% RX.) Further if the aggregate sum of TX and RX exceed 100% of the SPAN's output port's bandwidth, you might be okay due to port buffering if it's of a short duration. However, if the aggregate exceeds 100% long term, of the output port's bandwidth, you're going to have a problem.
Cisco Champion Radio · S7|E45 Network Insights with AI Endpoint Analytics
Identifying who and what is on the network is a challenge for many organizations. Incomplete visibility makes it difficult to implement advanced security policies and recommendatio...
HI, In the attached diagram from cisco site if we assume R101 and R102 are two DC having a layer 2 link and both are advertising same subnet (eg. 192.168.12.0/24) to the ISP i understand by using BGP metrics we can make one DC primary and other as se...
Question I am having trouble pulling DHCP from a given network. I am fairly new at DHCP servers and I am trying to understand how IP addresses work within these servers. The objective is to give DHCP to my 6 PC's on my main network. I can either...
Hello, I was doing a packet tracer lab. Everything was fine, working, then suddenly it freezed. I closed the window. Now everytime I open this file, it freezes. I uninstalled it and reinstall, still the same. Tried with an older version, keeps crashi...
Can someone share me the test cases related to SDA after migrating the site from traditional network to SDA network. what test point should be considered/tested after the migrating on SDA network. Please share the test case point.