[nsp] multiple port monitoring - switch sought

Charles Spurgeon c.spurgeon at mail.utexas.edu
Wed Dec 10 14:29:00 EST 2003 

 >Are there (affordable) cisco switches that can do a SPAN from a single
 >source to four different destinations ports?  With full GE line rate
 >*and* capable of taking a ZX-GBIC?  In theory, the 4912G or 3550-12T
 >should be able to do it, but I have none of them to test whether
 >"single source port, 4 destination ports" SPAN is going to work.

Our experience with the 3550 is that it supports only two span
sessions, each with one span destination ("monitor port"). Different
switches have different span capabilities. For example, we're told
that the cat6509s can span to multiple outputs.

 >Something we have been thinking of is to just make the switch flood
 >all packets to all ports (that would suit the application), but that
 >isn't going to work - the destination MAC of all packets will appear
 >sooner or later on the left side (input), so the switch knows that it
 >does not have to forward the packet.   Switching off MAC learning on
 >the ingress port might work, but I don't think it can be done with CatOS
 >or IOS switches.  Can it?  (Heck, all we want is a "Gbit *hub*", but I 
 >know that those do not exist).

Flooding ports has been working well for us on a 3550 equipped with 10
GBIC ports and 2 copper GigE ports (C3550-I5Q3L2-M) and running
12.1(12c)EA1 code. This is done by statically configuring the MAC
addrs of the interfaces you want to monitor onto the monitoring
ports. The 3550 switch will then send the traffic to be monitored out
all ports configured with the static MAC addrs.

Thusly:
mac-address-table static <mac addr 1> vlan 2 interface GigabitEthernet0/1
mac-address-table static <mac addr 2> vlan 2 interface GigabitEthernet0/1

This will flood the traffic for frames with mac addrs 1 and 2 out
interface Gi0/1. We're seeing 1% CPU loads on the flooding switch, and
things seem to be working fine for a set 4 input ports flooding to 6
output ports that are variously configured. 

Four of the output ports each flood the mac addrs from the single ints
connected to the four input ports. Two of the output ports are
configured to each flood a different pair of mac addrs, corresponding
to the interfaces on the endpoints of each of the two links being
monitored.

-Charles

Charles E. Spurgeon / UTnet
UT Austin ITS / Networking
c.spurgeon at its.utexas.edu / 512.475.9265

More information about the cisco-nsp mailing list