Re: SPAN Port Question
From: Greg Shipley (gshipley@neohapsis.com)
Date: 12/13/01
- Previous message: Brian: "Re: IDS Management - Port Numbers"
- In reply to: Mike Disley: "SPAN Port Question"
- Next in thread: Jason Lewis: "RE: SPAN Port Question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 13 Dec 2001 12:48:27 -0600 (CST)
From: Greg Shipley <gshipley@neohapsis.com>
To: Mike Disley <Mike.A.Disley@PWGSC.GC.CA>
On Thu, 13 Dec 2001, Mike Disley wrote:
> I'm trying to add a second sensor to a separate VLAN on a CISCO 5500 switch.
> The network boyz tell me there can be only one SPAN port per switch. Can
> anyone confirm that for me?
It depends on the version of CatOS running on the switch. This is true on
the 5xxx series with older versions of CatOS, definitely. There's a
really interesting doc on Cisco's site about port mirroring/spanning that
can be found here:
http://www.cisco.com/warp/public/473/41.html
http://www.cisco.com/warp/public/473/41.pdf
I'm pretty sure you need CatOS v5.1 (or higher) on the 5xxx series
switches to do spanning using multiple ports. Your network guys are right
if they are using older versions of CatOS. Also note that this changes
depending on the switch platform, as well. The Cat2900 series, for
example, has been doing "port mirroring" to multiple ports for quite some
time. One word of caution, however - according to the doc I've referenced
above, on the Cat5xxx/6xxx:
"Whether one or several ports will eventually transmit the packet has
absolutely no influence on the switch operation. Thus, considering this
architecture, the SPAN feature has no impact on the performance."
But I believe this to be false. We've been able to get our Cat6500 in the
lab to drop frames on the SPAN port with fairly low levels of traffic
(below 400Mbps). What's eerie is that the switch appears to be performing
fine - no errors, no low RAM, no high CPU, etc. It just silently drops
frames on the span port. This does not appear to affect the delivery of
regular/production traffic, but you can see why this might concern someone
when it comes to IDS. (NOTE: if you aren't going over 100Mbps, don't
worry about this - sub-100 appears to work fine)
Unfortunately, we do not have a support contract on our Cat6500, so I'm
trying to navigate Cisco from the outside to get some answers. This is,
of course, not easy. I've made ZERO progress. But I do know that I can
get both the 3500 and 6500 series switches to drop frames when spanning,
and this concerns me.
Hope this helps,
-Greg
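The silent drops Greg describes (no interface errors, no CPU load, just fewer frames arriving at the sensor) are easy to miss unless you compare what the switch should have mirrored with what the sensor actually captured. The script below is an added example for this thread, not code from the post or from Cisco. It assumes two snapshots of per-port unicast packet and byte counters for the mirrored source ports (for instance SNMP ifHCInUcastPkts/ifHCOutUcastPkts and ifHCInOctets/ifHCOutOctets polled a minute apart) plus the frame count the IDS captured on the SPAN destination during the same interval; the counter values and port names are constructed.

```python
"""Estimate silent frame loss on a switch SPAN/mirror destination.

Added example for this thread, not code from the original post or from Cisco.
Assumes counter snapshots for the mirrored source ports (SNMP-style 64-bit
unicast packet/octet counters) and the sensor's captured frame count for the
same interval. All sample values below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class PortCounters:
    """One counter snapshot for a mirrored source port."""
    name: str
    in_pkts: int
    out_pkts: int
    in_bytes: int
    out_bytes: int


def _delta(before: int, after: int, width: int = 64) -> int:
    """Counter difference, tolerant of a single wrap of a `width`-bit counter."""
    d = after - before
    return d if d >= 0 else d + (1 << width)


def mirrored_frames(before: dict, after: dict) -> int:
    """Frames the switch should have copied to the SPAN destination.

    A session mirroring 'both' directions copies every frame received on and
    transmitted by each source port. Assumes no traffic flows between two
    mirrored source ports (such frames would be copied twice).
    """
    total = 0
    for name, b in before.items():
        a = after[name]
        total += _delta(b.in_pkts, a.in_pkts) + _delta(b.out_pkts, a.out_pkts)
    return total


def mirrored_bps(before: dict, after: dict, interval_s: float) -> float:
    """Average bit rate offered to the SPAN destination over the interval."""
    total_bytes = 0
    for name, b in before.items():
        a = after[name]
        total_bytes += _delta(b.in_bytes, a.in_bytes) + _delta(b.out_bytes, a.out_bytes)
    return total_bytes * 8 / interval_s


def span_loss_fraction(expected: int, captured: int) -> float:
    """Fraction of mirrored frames that never reached the sensor (0.0 if none)."""
    if expected <= 0:
        return 0.0
    return max(0.0, (expected - captured) / expected)


def assess_span(before, after, captured, interval_s, dest_link_bps, loss_threshold=0.01):
    """Combine the checks into one verdict.

    'oversubscribed': offered rate exceeds the destination link; drops are
                      expected and the SPAN design itself must change.
    'silent_loss':    link is not oversubscribed, yet the sensor saw fewer
                      frames than the switch counters account for (the case
                      in the post: no errors, no CPU load, missing frames).
    'ok':             loss is below the threshold.
    """
    expected = mirrored_frames(before, after)
    offered = mirrored_bps(before, after, interval_s)
    ratio = offered / dest_link_bps
    loss = span_loss_fraction(expected, captured)
    if ratio > 1.0:
        verdict = "oversubscribed"
    elif loss > loss_threshold:
        verdict = "silent_loss"
    else:
        verdict = "ok"
    return {
        "expected_frames": expected,
        "captured_frames": captured,
        "loss_fraction": round(loss, 4),
        "offered_mbps": round(offered / 1e6, 1),
        "oversubscription": round(ratio, 3),
        "verdict": verdict,
    }


# Constructed sample: two mirrored ports polled 60 s apart (values invented).
BEFORE = {
    "Gi1/1": PortCounters("Gi1/1", 10_000_000, 9_000_000, 5_000_000_000, 4_000_000_000),
    "Gi1/2": PortCounters("Gi1/2", 2_000_000, 1_500_000, 1_000_000_000, 900_000_000),
}
AFTER = {
    "Gi1/1": PortCounters("Gi1/1", 11_500_000, 10_000_000, 6_200_000_000, 4_800_000_000),
    "Gi1/2": PortCounters("Gi1/2", 2_500_000, 1_800_000, 1_400_000_000, 1_125_000_000),
}
SENSOR_FRAMES = 3_135_000  # constructed: frames the IDS captured on the SPAN port

if __name__ == "__main__":
    # 350 Mbps offered to a 1 Gbps destination, yet 5% of frames never arrive
    print(assess_span(BEFORE, AFTER, SENSOR_FRAMES, 60, 1_000_000_000))
    # the same traffic into a 100 Mbps destination is plainly oversubscribed
    print(assess_span(BEFORE, AFTER, SENSOR_FRAMES, 60, 100_000_000))
```

Run it periodically against the production counters and alert on the "silent_loss" verdict: a sensor that quietly misses frames produces no errors of its own, so the only way to notice is to reconcile its capture count against the switch's view of the mirrored traffic. The "oversubscribed" verdict catches the simpler case Greg's sub-100 Mbps note points at, where the sum of both directions on the source ports exceeds what the destination link can carry.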