SPAN RX and TX channels - oversubscribed links - concepts?
I’ve been reading up on SPAN and the use of aggregator taps and full duplex taps. I feel I have a better understanding of each, but I still have a question that I cannot seem to find the answer to; hopefully somebody will know the answer to this one.
When using SPAN to feed a copy of your traffic into a packet analysis tool, or an IDS for example, you need to make sure you set the SPAN session to mirror the receive and transmit channels (RX / TX) etc. of a full duplex link. If your full duplex link is 100mbps then you must make sure that you do not exceed 50 mbps in each direction, as SPAN aggregates the RX and TX into a single TX channel (50 + 50), as most NICs do not support dual RX channels.
In such cases that you exceed this 50% figure (e.g. highly subscribed links at 80-90%) then you use a full duplex TAP, which requires a dual receive NIC - which most servers don’t have.
So my question is: if we have a 100mbps port we want to mirror that’s 85% subscribed in both directions (using source port filter, not vlan filter etc.) - if we mirror the RX and TX to a destination port that is actually 1000mbps, would that result in 170 mbps being mirrored to the receive channel of the IDS/server NIC without packet loss?
So conceptually, is the way to overcome this SPAN 50% utilization limitation just to use a higher speed link as your mirroring/destination port - e.g. use a 1000mbps destination link rather than the same 100mbps source port link - or does this just not work properly for some strange reason?
As far as I know, using a higher bandwidth port to receive the SPAN output should work as you surmise.
BTW, even if TX or RX exceeds 50% you might be okay, because the output should be the aggregate of both. (E.g. 60% TX plus 35% RX.) Further, if the aggregate sum of TX and RX exceeds 100% of the SPAN's output port's bandwidth, you might be okay due to port buffering if it's of a short duration. However, if the aggregate exceeds 100% of the output port's bandwidth long term, you're going to have a problem.
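The aggregate rule from the reply above, as an added example that is not part of the original thread: a simple fluid model of the SPAN destination port's egress queue, showing when mirrored traffic (and therefore IDS visibility) is lost. The function name, the buffer sizes and the traffic samples are constructed assumptions; real switch buffers and frame overheads differ by platform.

```python
def span_egress(samples, dest_mbps, buffer_bytes, interval_ms=1000):
    """Fluid model of a SPAN destination port's egress queue.

    samples: (tx_mbps, rx_mbps) per interval for the mirrored source port.
    Returns (dropped_bytes, peak_queue_bytes).
    Integer bit arithmetic: 1 Mbps sustained for 1 ms is 1000 bits.
    """
    drain = dest_mbps * 1000 * interval_ms   # bits the port can send per interval
    limit = buffer_bytes * 8                 # egress buffer, in bits
    queue = dropped = peak = 0
    for tx, rx in samples:
        # SPAN copies both directions onto the destination port's single TX channel.
        queue = max(0, queue + (tx + rx) * 1000 * interval_ms - drain)
        if queue > limit:                    # buffer full: excess mirrored bits are lost
            dropped += queue - limit
            queue = limit
        peak = max(peak, queue)
    return dropped // 8, peak // 8


# Constructed inputs (assumptions, not measurements from the thread).
BUF = 1_000_000                              # hypothetical 1 MB egress buffer
SUSTAINED = [(85, 85)] * 10                  # 85% both ways on a 100 Mbps port, 10 s
MIXED = [(60, 35)] * 10                      # one direction above 50%, sum below 100%
BURST = [(60, 50)] * 5 + [(40, 40)] * 5      # 50 ms at 110 Mbps, then 80 Mbps

if __name__ == "__main__":
    print("85/85 -> 1000 Mbps dest:", span_egress(SUSTAINED, 1000, BUF))
    print("85/85 -> 100 Mbps dest: ", span_egress(SUSTAINED, 100, BUF))
    print("60/35 -> 100 Mbps dest: ", span_egress(MIXED, 100, BUF))
    print("burst -> 100 Mbps dest: ", span_egress(BURST, 100, 100_000, interval_ms=10))
```

A sensor that sits behind a destination port in the second case silently misses traffic, so compare the switch's output-drop counters on the SPAN destination with what the IDS reports receiving.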