SPAN on 6K and 7K for production DPI?

Odysseu$
Level 1

While I have used monitor sessions for years in production for deep packet inspection for IDS/IPS, packet capture and network analysis, recently some potential clients have been told by Cisco support that SPAN is not a tool for this application.  I specifically am referring to local SPAN and not RSPAN or ERSPAN, which I know can have issues depending on the hardware.

 

So I am asking Cisco officially and publicly: are there any issues in using a monitor session with a local source to a local destination, also known as local SPAN, to mirror traffic to other tools on ANY of your switching platforms?  This includes legacy 6500 switches with sup 2T & 720, 65x, 67x, 68x & 69x line cards.  This includes the Nexus 7k with M or F cards, the Nexus 9k, the Catalyst 1850, 2850, 3850, and 9K platforms or any other switches that have been made in the last 7 years.  Are there ANY production issues with local SPAN?

 

I would appreciate an answer so when clients come to me and tell me there is an issue using span with a Cisco product that I can refer them to this post to get an official Cisco answer.

 

Thanks.

2 Replies

Reza Sharifi
Hall of Fame

Hi,

I would appreciate an answer so when clients come to me and tell me there is an issue using span with a Cisco product that I can refer them to this post to get an official Cisco answer.

I am not sure if you are going to get an official response from Cisco here. I think the best way to get a response is by communicating with your Cisco sales rep or the vendor/reseller you are purchasing from.

That said, I have used Span with 6500, 6700, and the Nexus 6ks and have not seen any issues with it. As a matter of fact, in order to use some 3rd party applications with Cisco switches, you would have to Span ports.

 

HTH

It would be nice to know if different types of sources impact switches differently.  I could see an argument where a VLAN source might use more resources than an interface source because the tags would need to be read and matched and then just that traffic forwarded.  Perhaps in the 6k the 61xx line cards, which have little dedicated HW for distributed forwarding, would have some guidelines.  It just would be nice to have a reference architecture with testing on using SPAN for DPI.

 
