
Can I span on gb port on cat6500?

julxu
Level 1

If I use two ports to set up a monitor on a cat6500 WS-X6548-GE-TX module, will I get a performance problem? It is a heavy-load interface.

Any comments will be appreciated

Thanks in advance

1 Accepted Solution


ebanks2006
Level 1

I'll reiterate the question - what are you really trying to log? If you want to log HTTP or SSL transactions on the web server, spanning is not the way to go about that. You really want the web server itself to syslog to some other device or to a local log file.

Spanning will provide you with a low-level copy of the network conversation. If you've got a logging server that can deal with that, great - lots of devices can. It's just a little unclear if that's what you're really looking for. One catch with dedicating a span port to a logging server is that you're only allotted 2 span sessions on the box at a time. So if you need to run sniffers a lot, you might not want to tie up one of your two available span sessions forever.

For a dedicated long-term need to capture all traffic on a port (or in a VLAN), you might be better served with a VACL capture, if supported on your 6500 hardware. The idea is to set up VLAN access-lists, filters and maps, and then configure a "capture" port that will copy packets from the switch based on matches in the VACL configuration. It's a bit tedious to set up if you've never done it before, but once you've got it going it's flexible (you can change what VLANs you want to capture on the fly), plus it's done in hardware (i.e., no CPU hit).

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/122sx/swcg/vacl.htm

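An added example (not part of the original post or of Cisco's documentation) of the VACL capture setup the accepted answer describes, in Catalyst 6500 IOS configuration syntax. The VLAN number, server address, ACL and map names, and capture interface are constructed placeholders.

```cisco
! Constructed placeholders: VLAN 100, web server 192.0.2.10,
! capture port Gi3/48, and the names WEB-TRAFFIC / WEB-CAPTURE.

! 1. ACL that selects the traffic to copy (both directions of HTTP/HTTPS).
ip access-list extended WEB-TRAFFIC
 permit tcp any host 192.0.2.10 eq 80
 permit tcp any host 192.0.2.10 eq 443
 permit tcp host 192.0.2.10 eq 80 any
 permit tcp host 192.0.2.10 eq 443 any
!
! 2. VLAN access map: forward matching packets and flag them for capture.
vlan access-map WEB-CAPTURE 10
 match ip address WEB-TRAFFIC
 action forward capture
!
! A map sequence with no match clause matches everything else. Without it,
! IP traffic that misses sequence 10 hits the implicit deny and is dropped.
vlan access-map WEB-CAPTURE 20
 action forward
!
! 3. Apply the map to the VLAN(s) to be monitored.
vlan filter WEB-CAPTURE vlan-list 100
!
! 4. Capture port: receives a copy of every packet flagged for capture.
interface GigabitEthernet3/48
 description Link to capture/IDS host
 switchport
 switchport capture allowed vlan 100
 switchport capture
 no shutdown
```

`show vlan access-map` and `show vlan filter` confirm what is applied; because the VACL also filters the VLAN's production traffic, check the catch-all forward sequence before applying the filter.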

5 Replies

david.bradley
Level 1

Hi,

I would say that this should not pose a problem; spanning a port should not create a heavy load.

Of course if the loading on your switch is very high it's worthwhile monitoring it closely.

Great, thanks.

By the way, spanning a port is also called port mirroring. I would like to make a central web logging server; can I use SPAN to copy the same traffic from the web servers' port to the web logging server?

If not, what is a typical method to set up a central web logging server?

Many Regards

Hello Julxu,

What exactly do you need to log on the web logging server? Spanning is actually used more when troubleshooting issues and will be enabled only when required. Spanning basically gives a lot of information, as it sees and mirrors the layer 2/3 datagrams from the switch port, so the output of the spanned port will be raw data imported to some sniffers. Make sure you can read/understand this raw data, or else you need to have some mechanism to make it readable for understanding the logs better.

Spanning is also used for monitoring the traffic to an intrusion detection or promiscuous mode IPS. The IPS pulls this raw data and converts it to a GUI-readable form.

Hope this helps. All the best. Rate replies if found useful.

Raj

Great thanks. This is what I am looking for.
