Showing results for 
Search instead for 
Did you mean: 

SPAN RX and TX channels - oversubscribed links - concepts?

Hi all,


I’ve been reading up and SPAN and the use of aggregator taps and full duplex taps.  I feel i have a better understanding of each, but i still have a question that cannot seem find the answer to, hopefully somebody will know the answer to this one.


When using SPAN to feed a copy of your traffic into a packet analysis tool, or an IDS for example, you need to make sure you set the SPAN session to mirror the receive and transmit channels ( RX / TX ) etc of a full duplex link.  If your full duplex link is 100mbps then you must make sure that you do not exceed 50 mbps in each direction as SPAN aggregates the RX and TX into a single TX channel ( 50 + 50 ) as most NIC's do not support dual RX channels.


In such cases that you exceed this 50% figure ( e.g highly subscribed links at 80-90% ) then you use a full duplex TAP which required a dual receive NIC - which most servers don’t have.


So my question is if we have a 100mbps port we want to mirror that’s 85 % subscribed in both directions ( using source port filter not vlan filter etc ) - if we mirror the RX and TX to a destination port that is actually 1000mbps would that result in 170 mbps been mirrored to the receive channel of the IDS/server NIC without packet loss?


So conceptually, is the way to overcome this SPAN 50% utilization limitation just to use a higher speed link as your mirroring/destination port - e.g use a 1000mbps destination link rather than the same 100mbps source port link or does this just not work properly for some strange reason ?






VIP Expert

As far as I know, using a higher bandwidth port, to receive the SPAN output should work as you surmise.

BTW, even if TX or RX exceed 50% you might be okay because the output should be the aggregate of both. (E.g. 60% TX plus 35% RX.) Further if the aggregate sum of TX and RX exceed 100% of the SPAN's output port's bandwidth, you might be okay due to port buffering if it's of a short duration. However, if the aggregate exceeds 100% long term, of the output port's bandwidth, you're going to have a problem.

Thankyou for your input Joseph.