6509 SPAN question.

Discussion in 'Cisco' started by NNTP, Apr 21, 2004.

  1. NNTP

    NNTP Guest

    questions,

    According to cisco documentation, SPAN is supported in 6509 with 'no
    performance impact'

    is this really true? I mean there has to be SOME performance hit
    there? I am asking this because I am putting together specs for a
    possible snort machine that we need to snort off of a 6509 with 20
    vlans on it, and I plan to mirror several VLANs onto one physical
    fiber port that I can snort on.

    current total usage is about 60Mbps. (all vlans included)

    the other thing is that documentation says it only supports 2 sets of
    SPAN? (no RSPAN) kind of limiting huh?
     
    NNTP, Apr 21, 2004
    #1

  2. :According to cisco documentation, SPAN is supported in 6509 with 'no
    :performance impact'

    :is this really true? I mean there has to be SOME performance hit
    :there? I am asking this because I am putting togethere specs for a
    :possible snort machine that we need to snort off of a 6509 with 20
    :vlans on it. and I plan to mirror several VLANs onto one physical
    :fiber port that I can snort on.

    My understanding is that as long as you aren't oversubscribing the
    exit port, then the packet just gets tagged for delivery via the
    normal crossbar dma to the SPAN port along with all other appropriate
    ports. Is there a performance impact? I don't know... maybe if
    you were running with pure 64 byte packets the overhead might be
    noticeable. But it's no more of an impact than the impact of bridging
    a vlan to multiple ports -- do you worry about the performance
    impact on the -switch- if you bridge a vlan to 6 ports instead of 5?
    The distributed architecture of the 6509 is built to take care of
    issues like this.

    Now if you were talking about something like the 1600...
     
    Walter Roberson, Apr 22, 2004
    #2

  3. NNTP

    rowl Guest

    SPAN multiple VLANs onto a destination port? I don't remember if that's
    possible. In any case, when spanning multiple ports from a single VLAN
    onto a dest port, it's advisable that the source ports are all 100mbps
    and the dest port is a Gig port. Or else use a NAM module that will
    pick off the packets from the backplane fabric itself with itself as the
    destination.

    You will be better off purchasing an ethernet TAP, placing it in
    between your router-switch line, and putting your NIC into promiscuous
    mode on the TAP.

    Alternatively you can try cutting off the Tx wires in your "listening"
    NICs' RJ45 and bridging between 2 NICs in Linux on the router-to-switch
    link. I haven't tried it though...

    PS I think IOS 12.3 and above has an "export" feature that will dump
    packets from a router interface to an interface of your choice -
    precisely for snorting...
    I believe it has the ability to sample such dumps periodically to
    minimize performance impact...


    Rgrds
    Rahul Sawarkar

    PS: Enjoy the snorting...
     
    rowl, Apr 22, 2004
    #3
  4. NNTP

    AnyBody43 Guest

    (rowl) wrote
    I do not understand the new (to me) crossbar bits and I suspect
    that even that is old hat now, however to answer your question.

    No, there does not _have_ to be _any_ performance hit for SPAN.

    For example:-
    The original Cat 6000 (also used in 6500) bus backplane did
    switching by presenting ALL incoming frames to the backplane
    as they arrived. ALL line cards then copied the frame to the
    output buffer of ALL ports. Meanwhile, the SE I hardware was
    deciding what to do with the frame. A bitmap of what ports to
    forward the frame out of was sent over a control bus which was
    used by the linecards to either forward or drop the frame. A
    SPAN port was simply allowed to forward frames AS WELL AS the
    normal destination port.

    The Cat 5000 had a similar architecture.

    In usual operation most frames would be discarded from the output
    queues of the ports.

    Each port had an _amazing_, for the time, amount of buffer space
    at the port. IIRC 1M per port, well maybe not. QoS queues were
    implemented locally by each port.
     
    AnyBody43, Apr 22, 2004
    #4
  5. Yep. It is true - no physical impact when spanning. A bit unexpected and
    surprising, however if you consider the architecture of the switch it
    is explainable. In a nutshell - the switch replicates the incoming packet to
    ALL ports on the switch. At the last moment, the dedicated ASICs on EACH
    port analyze the packet and put it in the output queue of the interface or
    discard it. So, the packets are replicated on each port anyway. If you SPAN
    it - it does not make much difference from the performance point of view.

    One thing where you can have a PROBLEM - you may overload the port that you
    are SPANNING to ... Look for dropped packets ...



    Yep. You can configure 2 span sessions - in other words, you can attach two
    SNORT boxes / NICs that sniff on different VLANs on the switch (to
    "spread" the load).



    Good luck.
     
    Andrei Mikhailovsky, Apr 23, 2004
    #5
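    The setup the thread converges on (several VLANs mirrored to one Gig
    port per sensor, two sessions to spread the load, then watching the
    destination port for drops) as an added configuration example. This is
    not from any poster in the thread; it assumes a Catalyst 6500 running
    native IOS, and the VLAN IDs, slot/port numbers and session numbers are
    made-up placeholders.

```cisco
! Added example, not from the thread. Assumes native IOS on a Catalyst 6500;
! VLAN IDs, GigabitEthernet3/x ports and session numbers are assumptions.
!
! Session 1: VLANs 10, 20 and 30 to the first Snort NIC on Gi3/1.
! "rx" is used on VLAN sources: with "both", a frame switched between two
! ports inside one monitored VLAN is seen on ingress and again on egress,
! so the sensor gets duplicates. Ingress-only still sees every frame that
! enters the switch on those VLANs.
monitor session 1 source vlan 10 , 20 , 30 rx
monitor session 1 destination interface GigabitEthernet3/1
!
! Session 2: the remaining VLANs to a second sensor NIC on Gi3/2,
! the "two SPAN sessions to spread the load" approach from post #5.
monitor session 2 source vlan 40 - 45 rx
monitor session 2 destination interface GigabitEthernet3/2
!
! Verify what is actually being mirrored.
show monitor session 1
show monitor session 2
!
! The check post #5 asks for: a destination port whose mirrored traffic
! exceeds its line rate shows a rising "Total output drops" counter.
! At the 60 Mbps aggregate mentioned in post #1 a Gig port has headroom;
! re-run this after the sensor has been up for a while and compare.
show interfaces GigabitEthernet3/1 | include drops
show interfaces GigabitEthernet3/2 | include drops
```

    A SPAN destination port does not pass normal switched traffic, so the
    sensor NIC only needs to be in promiscuous mode to see the copied
    frames; whether the sensor can keep up is a separate question from
    whether the switch can, which is what the drop counters answer.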