«

questions,

According to cisco documentation, SPAN is supported in 6509 with 'no
performance impact'

is this really true? I mean there has to be SOME performance hit
there? I am asking this because I am putting togethere specs for a
possible snort machine that we need to snort off of a 6509 with 20
vlans on it. and I plan to mirror several VLANs onto one physical
fiber port that I can snort on.

current total usage is about 60Mbps. (all vlans included)

the other thing is that documentation says it only supports 2 set of
SPAN? (no RSPAN) kind of limiting huh?

In article <> ,
NNTP <> wrote:
:According to cisco documentation, SPAN is supported in 6509 with 'no
erformance impact'

:is this really true? I mean there has to be SOME performance hit
:there? I am asking this because I am putting togethere specs for a
ossible snort machine that we need to snort off of a 6509 with 20
:vlans on it. and I plan to mirror several VLANs onto one physical
:fiber port that I can snort on.

My understanding is that as long as you aren't oversubscribing the
exit port, then the packet just gets tagged for delivery via the
normal crossbar dma to the SPAN port along with all other appropriate
ports. Is there a performance impact? I don't know... maybe if
you were running with pure 64 byte packets the overhead might be
noticable. But it's no more of an impact than the impact of bridging
a vlan to multiple ports -- do you worry about the performance
impact on the -switch- if you bridge a vlan to 6 ports instead of 5?
The distributed architecture of the 6509 is built to take care of
issues like this.

Now if you were talking about something like the 1600...
--
Warning: potentially contains traces of nuts.

(NNTP) wrote in message news:< om>...
> questions,
>
> According to cisco documentation, SPAN is supported in 6509 with 'no
> performance impact'
>
> is this really true? I mean there has to be SOME performance hit
> there? I am asking this because I am putting togethere specs for a
> possible snort machine that we need to snort off of a 6509 with 20
> vlans on it. and I plan to mirror several VLANs onto one physical
> fiber port that I can snort on.
>
> current total usage is about 60Mbps. (all vlans included)
>
> the other thing is that documentation says it only supports 2 set of
> SPAN? (no RSPAN) kind of limiting huh?

SPAN multiple VLANs onto a destination port? I don't remember if thats
possible. In any case when spanning multiple ports from a single VLAN
onto a dest port, its advisable when the source ports are all 100mbps
and the dest port is a Gig port. Or else use a NAM module that will
pick off the packets from the backplane fabric itself with self as the
destination.

You will be better of purchasing an ethernet TAP, placing it in
between your router-switch line, and putting your NIC into promiscous
mode on the TAP.

Alternatively you can try cutting off the Tx wires in your "listening"
NICs, RJ45 and bridging between 2 NICs in linux on the router to
switch. I haven't tried it though...

PS I think IOS 12.3 above has an "export" feature that will dump
packets from a router interface to an interface of your choice -
precisely for snorting...
I beleive it has the ability to sample such dumps periodically to
minimize performance impact...


Rgrds
Rahul Sawarkar

PS: Enjoy the snorting...

(rowl) wrote
> (NNTP) wrote

> > According to cisco documentation, SPAN is supported in 6509 with 'no
> > performance impact'
> >
> > is this really true? I mean there has to be SOME performance hit
> > there? I am asking this because I am putting togethere specs for a
> > possible snort machine that we need to snort off of a 6509 with 20
> > vlans on it. and I plan to mirror several VLANs onto one physical
> > fiber port that I can snort on.

I do not understand the new (to me) crossbar bits and I suspect
that even that is old hat now, however to answer you question.

No, there does not _have_ to be _any_ performance hit for SPAN.

For example:-
The original Cat 6000 (also used in 6500) bus backplane did
switching by presenting ALL incoming frames to the backplane
as they arrived. ALL line cards then copied the frame to the
output buffer of ALL ports. Meanwhile, the SE I hardware was
deciding what to do with the frame. A bitmap of what ports to
forward the frame out of was sent over a control bus which was
used by the linecards to either forward or drop the frame. A
SPAN port was simply allowed to forward frames AS WELL AS the
normal destination port.

The Cat 5000 had a similar architecture.

In usual operation most frames would be discarded from the output
queues of the ports.

Each port had an _amazing_, for the time, amount of buffer space
at the port. IIRC 1M per port, well maybe not. QoS queues were
implemented locally by each port.

Yap. It is true - no physical impact when spanning. A bit unexpected and
surprising, however if you will consider the architecture of the switch - it
is explainable. In the nut shell - switch replicates the incoming packet to
ALL ports on the switch. At the last moment, the dedicated ASICS on the EACH
port analyze the packet and put it in output quie of the interface or
discard it. So, the packets replicated on each port any way. If you SPAN
it - it not making much difference from the performance point of view.

One think that you can have a PROBLEM - you may overload the port where you
are SPANNING to ... Look for drops packets ...



Yap. You can configure 2 span ports - in another word, you can attached two
SNORT boxes / NIC that sniffing on different VLANs on the switch (to
"spread" the load).



Good luck.

"NNTP" <> wrote in message
news: m...
> questions,
>
> According to cisco documentation, SPAN is supported in 6509 with 'no
> performance impact'
>
> is this really true? I mean there has to be SOME performance hit
> there? I am asking this because I am putting togethere specs for a
> possible snort machine that we need to snort off of a 6509 with 20
> vlans on it. and I plan to mirror several VLANs onto one physical
> fiber port that I can snort on.
>
> current total usage is about 60Mbps. (all vlans included)
>
> the other thing is that documentation says it only supports 2 set of
> SPAN? (no RSPAN) kind of limiting huh?