[nsp] multiple port monitoring - switch sought

Gert Doering gert at greenie.muc.de
Wed Dec 10 14:39:25 EST 2003


Hi,

On Wed, Dec 10, 2003 at 01:29:00PM -0600, Charles Spurgeon wrote:
> Our experience with the 3550 is that it supports only two span
> sessions, each with one span destination ("monitor port"). Different
> switches have different span capabilities. For example, we're told
> that the cat6509s can span to multiple outputs.

Thanks.  A 6509 is far too expensive for this application.

>  >Something we have been thinking of is to just make the switch flood
>  >all packets to all ports (that would suit the application), but that
[..]
> Flooding ports has been working well for us on a 3550 equipped with 10
> GBIC ports and 2 copper GigE ports (C3550-I5Q3L2-M) and running
> 12.1(12c)EA1 code. This is done by statically configuring the MAC
> addrs of the interfaces you want to monitor onto the monitoring
> ports. The 3550 switch will then send the traffic to be monitored out
> all ports configured with the static MAC addrs.

We have been thinking of that (there are only two MACs involved, so 
the setup effort is small).

The interesting question is: can you put a static mac destination for
a single mac to two different ports?

> Thusly:
> mac-address-table static <mac addr 1> vlan 2 interface GigabitEthernet0/1
> mac-address-table static <mac addr 2> vlan 2 interface GigabitEthernet0/1

This maps "two different MACs to one port", but I'd need

mac-address-table static <mac addr 1> vlan 1 interface GigabitEthernet0/1
mac-address-table static <mac addr 1> vlan 1 interface GigabitEthernet0/2
mac-address-table static <mac addr 1> vlan 1 interface GigabitEthernet0/3
mac-address-table static <mac addr 1> vlan 1 interface GigabitEthernet0/4

I just tried this on a 3750G, and it doesn't work :-(

3750G(config)#mac-address-table static 00:80:C8:26:7F:EF vlan 1 int gi1/0/10
3750G(config)#mac-address-table static 00:80:C8:26:7F:EF vlan 1 int gi1/0/11
MAC address could not be added 
3750G(config)#

> This will flood the traffic for frames with mac addrs 1 and 2 out
> interface Gi0/1. We're seeing 1% CPU loads on the flooding switch, and
> things seem to be working fine for a set of 4 input ports flooding to 6
> output ports that are variously configured. 

Cool.

> Four of the output ports each flood the mac addrs from the single ints
> connected to the four input ports. Two of the output ports are
> configured to each flood a different pair of mac addrs, corresponding
> to the interfaces on the endpoints of each of the two links being
> monitored.

If I understand you correctly, this is similar, but not exactly what
I'm aiming for.  Hmmm.

gert

-- 
USENET is *not* the non-clickable part of WWW!
                                                           //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de

