Ramcharan, Vijay A wrote:
> I am about to open a case with TAC regarding feasibility of using either
> SPAN or VACL capture or some other method of capturing traffic exceeding
> 1Gbps.
> I am not even sure if it is possible to send this much captured traffic
> to a 10Gbps port connected to something like a GigaVue-420 which can
> split the traffic into smaller, more manageable streams for analysis.
> The solution should be able to provide a full view of all packets as the
> analysis stations receiving the captures will be providing reports on
> the captured data all the way up to the application layer.
>
> Realistically, traffic loads within the applicable VLAN may reach up to
> 3 Gbps at peak periods.
>
> From your experience, what are some of the ways in which this can be
> done?
We are using a plain SPAN session on 6500s to mirror an SVI on an active/standby pair of 10gig ports facing our firewall:

ip vrf INSIDE
 description blah
ip vrf OUTSIDE
 description blah

int vlan4000
 ip vrf forwarding OUTSIDE
 ip address 192.168.1.x 255.255.255.252
int vlan4001
 ip vrf forwarding INSIDE
 ip address 192.168.2.y 255.255.255.252

int Te1/1
 description main port to firewall
 switchport mode trunk
 switchport trunk encap dot1q
 switchport trunk allowed vlan 4000-4001
int Te1/2
 description 2nd port to firewall
 switchport mode trunk
 switchport trunk encap dot1q
 switchport trunk allowed vlan 4000-4001
int Te1/3
 description facing sniffer

monitor session 1 source vlan 4001
monitor session 1 destination interface Te1/3

It seems to work fine. I've also used ERSPAN to mirror very high-rate interfaces (>1Gbit/sec) and it seems to work fine, though it brings the capturing box to its knees!

VACL is mutually exclusive with OAL (which we have configured) so I haven't tried that.

_______________________________________________
cisco-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/

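The original poster wants a "full view of all packets" on the analysis stations, and the reply notes that ERSPAN at these rates can overwhelm the capture box. One way to verify on the capture side that nothing was lost between the switch and the sniffer is to decapsulate the ERSPAN Type II packets and walk the GRE sequence numbers per session: any jump means frames were dropped or reordered in transit. The script below is an added example written for this page, not code from either poster or from Cisco; it assumes the ERSPAN Type II header layout (GRE protocol type 0x88BE with the sequence flag set, followed by an 8-byte ERSPAN header and the mirrored Ethernet frame) and builds its own constructed sample packets, so it runs offline without a capture file.

```python
import struct

GRE_PROTOCOL = 47          # IPv4 protocol number for GRE
ERSPAN_ETHERTYPE = 0x88BE  # GRE protocol type that carries ERSPAN Type II
GRE_FLAG_CHECKSUM = 0x8000
GRE_FLAG_KEY = 0x2000
GRE_FLAG_SEQUENCE = 0x1000


def build_erspan_sample(session_id=1, vlan=4001, truncated=False, seq=7):
    """Construct one IPv4/GRE/ERSPAN-II packet (test data, not a real capture)."""
    inner = (bytes.fromhex("001122334455")          # mirrored frame: dst MAC
             + bytes.fromhex("66778899aabb")        # src MAC
             + struct.pack("!H", 0x0800)            # inner EtherType (IPv4)
             + b"\x45" + b"\x00" * 19)              # dummy 20-byte inner IPv4 header
    # ERSPAN II word 1: Ver(4)=1 | VLAN(12) | COS(3) | En(2) | T(1) | SessionID(10)
    word1 = (1 << 28) | (vlan << 16) | (5 << 13) | (3 << 11) | (int(truncated) << 10) | session_id
    word2 = 0                                       # Reserved(12) | Index(20)
    erspan = struct.pack("!II", word1, word2)
    gre = struct.pack("!HHI", GRE_FLAG_SEQUENCE, ERSPAN_ETHERTYPE, seq)
    payload = gre + erspan + inner
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0x4000,
                         64, GRE_PROTOCOL, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip_hdr + payload


def _mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def parse_erspan(packet):
    """Decode IPv4 -> GRE -> ERSPAN II and return the metadata plus inner frame fields."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != GRE_PROTOCOL:
        raise ValueError("IP payload is not GRE")
    gre = packet[ihl:]
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != ERSPAN_ETHERTYPE:
        raise ValueError(f"GRE protocol 0x{proto:04x} is not ERSPAN")
    off = 4
    if flags & GRE_FLAG_CHECKSUM:   # optional checksum+offset word
        off += 4
    if flags & GRE_FLAG_KEY:        # optional key word
        off += 4
    seq = None
    if flags & GRE_FLAG_SEQUENCE:   # ERSPAN II always sets this on Cisco gear
        seq = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if len(gre) < off + 8 + 14:
        raise ValueError("packet too short for ERSPAN header plus Ethernet header")
    word1, word2 = struct.unpack("!II", gre[off:off + 8])
    if word1 >> 28 != 1:
        raise ValueError("only ERSPAN Type II (version 1) is handled here")
    inner = gre[off + 8:]
    return {
        "session_id": word1 & 0x3FF,
        "vlan": (word1 >> 16) & 0xFFF,
        "cos": (word1 >> 13) & 0x7,
        "encap": (word1 >> 11) & 0x3,
        "truncated": bool((word1 >> 10) & 0x1),   # switch cut the frame short
        "index": word2 & 0xFFFFF,
        "gre_seq": seq,
        "inner_dst": _mac(inner[0:6]),
        "inner_src": _mac(inner[6:12]),
        "inner_ethertype": struct.unpack("!H", inner[12:14])[0],
        "inner_len": len(inner),
    }


def find_sequence_gaps(packets):
    """Report (session, last_seq, seen_seq) wherever GRE sequence numbers skip."""
    last = {}
    gaps = []
    for pkt in packets:
        meta = parse_erspan(pkt)
        sid, seq = meta["session_id"], meta["gre_seq"]
        if seq is None:
            continue
        if sid in last and seq != (last[sid] + 1) & 0xFFFFFFFF:
            gaps.append((sid, last[sid], seq))
        last[sid] = seq
    return gaps


if __name__ == "__main__":
    # Constructed stream: sequence 9 is missing, as if the capture box dropped it.
    stream = [build_erspan_sample(seq=s) for s in (7, 8, 10)]
    print(parse_erspan(stream[0]))
    print("gaps:", find_sequence_gaps(stream))
```

On a real capture you would feed `parse_erspan` the raw IPv4 packets read from a pcap of the sniffer interface; a non-empty result from `find_sequence_gaps`, or any entry with `truncated` set, tells you the analysis stations are not getting the full view the original question asks for.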