08-29-2008 12:44 PM - edited 03-06-2019 01:05 AM
I'm configuring a box to run ntop for some network data collection we need to do off of a 6500. One of my senior engineers tells me he was told some time ago by a Cisco engineer that SPAN sessions are software-switched, thus potentially causing a high CPU load and degrading switch performance. Obviously, I don't want to cause that. However, I want to monitor our uplinks to the core (EtherChannel, peak flow around 200-300 Mb/s), so I can't use a VACL (the uplinks are /30's).
While researching this, I came across this document (http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/configuration/guide/span.html). It says the following:
"SPAN does not affect the switching of traffic on sources. You must dedicate the destination for SPAN use. The SPAN-generated copies of traffic compete with user traffic for switch resources."
This leads me to believe that, at least port-to-port, the traffic is hardware-switched (at least on the 6500). I can see if it had to make decisions about how to filter the traffic based on some ACL conditions then it could be software-switched. But it looks like if it's straight port-to-port, it's hardware-switched.
I include a reference to the 3750 because that's quickly becoming our primary access-layer platform so I would like to know if SPAN sessions are hardware-switched or software-switched on the 3750 as well or not.
Thank you,
Matthew Farrenkopf
08-29-2008 01:13 PM
Hello Matthew,
for SPAN on C3750 see:
EtherChannel-You can configure an EtherChannel group as a source port but not as a SPAN destination port. When a group is configured as a SPAN source, the entire group is monitored.
Implementation should be in hardware also on C3750.
As an alternative you could think of using NetFlow on the core 6500 switches and exporting data to a collector.
Hope to help
Giuseppe
08-29-2008 01:24 PM
Giuseppe,
Thank you very much for your quick reply!
I did know that I can't use the EtherChannel as a destination. Since we're running less than a gig over it, I believe I should be able to use it as the source and the machine I'm going to use as the destination should be able to keep up with the data flow; it has a gig port.
But please confirm for me . . . you say "Implementation should be in hardware also on C3750." May I take that as a confirmation that, yes, SPAN sessions ARE hardware-switched on the 6500? The response didn't explicitly say that, and I just want to make sure that I'm not reading anything incorrect into what you're saying. Are there certain IOS revisions or modules for which this is not true?
Thank you,
Matt
08-30-2008 09:30 AM
Hello Matt,
Thanks for your nice remarks.
SPAN should be hardware based on both platforms.
From a hardware point of view, supporting SPAN is the dual of multicast forwarding:
in multicast traffic from one source is replicated to multiple destinations
with SPAN frames tx and rx on one or multiple ports are copied and sent to a destination port.
This should be the reason why in lower end devices only two concurrent sessions are supported.
Only warning:
We observed in C6500 chassis system performance degradation when a SPAN session is trying to push 3 Gbps of traffic over a single GE destination port.
But this was because we had a big increase in traffic served to the internet, with such high peaks for hours (sports events).
We had to remove the SPAN session (to the IDS).
If your traffic is in the order of 200-300 Mbps as peak you should be fine.
Hope to help
Giuseppe
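Added example (not from the thread or from Cisco): a pre-check for the oversubscription case described in the reply above, summing the rx and tx counter deltas of the SPAN source ports and comparing the result with the destination port's speed. The port names, counter readings, the 64-bit counter assumption and the 80% headroom threshold are constructed for illustration.

```python
from dataclasses import dataclass

COUNTER_MOD = 2 ** 64  # assumption: 64-bit octet counters (IF-MIB ifHCInOctets/ifHCOutOctets)


@dataclass
class Sample:
    port: str        # SPAN source port (names below are constructed)
    t: float         # time of the reading, in seconds
    rx_octets: int
    tx_octets: int


def delta(new: int, old: int) -> int:
    """Counter difference that survives one wrap of a 64-bit counter."""
    return (new - old) % COUNTER_MOD


def mirrored_bps(first, second, direction="both"):
    """Bits/s SPAN would copy to the destination for the given direction."""
    if direction not in ("rx", "tx", "both"):
        raise ValueError("direction must be rx, tx or both")
    before = {s.port: s for s in first}
    total = 0.0
    for s in second:
        old = before[s.port]
        dt = s.t - old.t
        if dt <= 0:
            raise ValueError(f"non-increasing timestamps for {s.port}")
        octets = 0
        if direction in ("rx", "both"):
            octets += delta(s.rx_octets, old.rx_octets)
        if direction in ("tx", "both"):
            octets += delta(s.tx_octets, old.tx_octets)
        total += octets * 8 / dt
    return total


def assess(first, second, dest_bps, direction="both", headroom=0.8):
    """Compare the mirrored load with what the destination port can transmit."""
    load = mirrored_bps(first, second, direction)
    return {"mirrored_bps": load, "utilisation": load / dest_bps,
            "near_limit": load > headroom * dest_bps,
            "oversubscribed": load > dest_bps}


# Constructed readings, 10 s apart, for two EtherChannel member ports.
T0 = [Sample("Gi1/1", 0.0, 1_000, COUNTER_MOD - 25_000_000),
      Sample("Gi1/2", 0.0, 5_000, 7_000)]
T1 = [Sample("Gi1/1", 10.0, 187_501_000, 100_000_000),
      Sample("Gi1/2", 10.0, 125_005_000, 62_507_000)]
```

With direction "both", a full-duplex source can mirror up to twice its line rate, so a source that looks comfortable in one direction can still overrun a same-speed destination port.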
11-12-2014 06:22 AM
Hi Giuseppe,
Where can I find the datasheet regarding this issue?
I saw that some documents said that the CPU/memory impact depends on the switch platform and the traffic that is monitored.
I have the same issue but on the Catalyst 2950/60 series. What's the maximum traffic that can be monitored by this platform?
Thanks
Rakhmad