[c-nsp] Re: 6500 Port Monitor

Greg Schwimer gschwimer at godaddy.com
Tue Jan 18 19:13:41 EST 2005


I've seen your problem quite a few times.  

If you configure a 100Mbps port as a monitor destination port, and the
traffic for the source port is *over* 100Mbps combined in/out (i.e.
60Mbps in/105Mbps out on source port), you effectively slow the switch
down to the unidirectional speed of the destination port, in this case
100Mbps.  I'm told this is due to the fact that the CPU needs to become
involved in the drop process on the destination port.  

This can be particularly frustrating when monitoring a port-channel. 
I've seen a Cat6k w/ Sup-720 become very slow to manage at console and
begin dropping pings due to this when monitoring a combined in/out
bandwidth of 400Mbps on a 100Mbps destination port.

We've been told this is a design caveat, and that taps should be used
for higher bandwidth monitoring applications.  The workaround appears to
be the use of VACLs to prune out only the traffic you'd like to see on
the destination port.  We have not tried this (yet).

> -------- Original Message --------
> Subject: [c-nsp] Re: 6500 Port Monitor
> From: "Ziv Mosery" <zmosery at mercury.com>
> Date: Tue, January 18, 2005 2:21 pm
> To: "Tim Stevenson" <tstevens at cisco.com>, cisco-nsp at puck.nether.net,
> cisco-nsp at puck.nether.net
> 
> First for your questions:
> The card is WS-X6148-GE-TX with Version 12.1(20)E2 IOS.
> Now: I had 2 destinations, as soon as I removed one destination and was left
> with one I was able to receive all the traffic and wasn't limited.
> If you say I can have mixed-speed destinations, then my problem is about
> 200MB limitation, or you are wrong and I can't have mixed-speed on the
> destination site.
> I guess it's one of those, the question is which.
> 
> Ziv
> 
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net
> [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Tim Stevenson
> Sent: Tuesday, January 18, 2005 7:30 PM
> To: cisco-nsp at puck.nether.net; cisco-nsp at puck.nether.net
> Subject: [c-nsp] Re: 6500 Port Monitor
> 
> Please also let me know the linecard model number for the destination ports 
> - is it 6148-GETX or 6548-GETX by chance?
> 
> Tim
> 
> At 09:22 AM 1/18/2005, Tim Stevenson proclaimed:
> >There should be no limitations as described below on 6500 sup2 - you can 
> >have mixed-speed span destinations and you can have the destination ports 
> >in whatever vlan you choose (they ultimately don't really belong to any 
> >vlan anyway once configured as a span destination).
> >
> >What s/w version are you running on the sup2? I can try to reproduce this 
> >100M limit problem if you let me know the OS & version, but as I say, this 
> >is not expected behavior.
> >
> >Tim
> >
> >At 07:27 AM 1/18/2005, cisco-nsp-request at puck.nether.net proclaimed:
> >>Message: 3
> >>Date: Tue, 18 Jan 2005 09:36:14 -0500
> >>From: "Todd, Douglas M." <DTODD at PARTNERS.ORG>
> >>Subject: [c-nsp] Re: 6500 Port Monitor
> >>To: "'Voll, Scott'" <Scott.Voll at wesd.org>, Ziv Mosery
> >>      <zmosery at mercury.com>,   Piltrafilla <piltrafilla at gmail.com>
> >>Cc: cisco-nsp at puck.nether.net
> >>Message-ID:
> >>      <59C772E2D8EDF345AE1601F5B60B3CB50D3DB1 at PHSXMB7.partners.org>
> >>Content-Type: text/plain
> >>
> >>Hey folks:
> >>
> >>We run span/monitor ports all the time and we have not found such a
> >>limitation.  One would want to have the monitor port in the same vlan as the
> >>monitor source to catch ALL traffic. It seems that you will catch more traffic
> >>by moving the port in the same vlan as the span, just seems to be the better way
> >>to sniff. I would check to make sure that you are not getting errors on your
> >>port as this might be one cause of your traffic limitation.
> >>
> >>==DMT>
> >>
> >>Douglas M. Todd, Jr.
> >>Network Engineering (MGH/CNY/NSMC/MCLEAN)
> >>Partners Health Care
> >>Building 149 13th Street
> >>Location: 149-10-10056E
> >>Charlestown, MA 02129-2000 (MGH)
> >>(T): 617.726.1403
> >>(F): 617.724.9871
> >>Security:
> >>Verisign S/N: 7b1bb86860eb26a53b57c8acb8e9fc4f
> >>pgp: search keyserver for: dtodd at partners.org
> >>
> >>
> >>old>>-----Original Message-----
> >>old>>From: cisco-nsp-bounces at puck.nether.net
> >>old>>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Voll, Scott
> >>old>>Sent: Tuesday, January 18, 2005 07:16
> >>old>>To: Ziv Mosery; Piltrafilla
> >>old>>Cc: cisco-nsp at puck.nether.net
> >>old>>Subject: [c-nsp] Re: 6500 Port Monitor
> >>old>>
> >>old>>Someone can correct me if I'm wrong, but I believe the
> >>old>>limit is that both ports have to be in the same Vlan.
> >>old>>
> >>old>>Scott
> >>old>>
> >>old>>-----Original Message-----
> >>old>>From: cisco-nsp-bounces at puck.nether.net
> >>old>>[mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Ziv Mosery
> >>old>>Sent: Tuesday, January 18, 2005 2:06 AM
> >>old>>To: Piltrafilla; Ziv Mosery
> >>old>>Cc: cisco-nsp at puck.nether.net
> >>old>>Subject: [c-nsp] Re: 6500 Port Monitor
> >>old>>
> >>old>>Thanks I found the solution but I don't know what the problem was.
> >>old>>I had 2 destination ports both 10/100/1000 ports, one on
> >>old>>1000MB and one on 100MB.
> >>old>>Was I limited because of the 100MB port?
> >>old>>Or is there some kind of limit after all?
> >>old>>After I did monitor only to the 1000MB port I was able to
> >>old>>get 160MB on the monitor, my probe isn't able to get more
> >>old>>than that so I don't know if there is a 200MB limit or not.
> >>old>>
> >>old>>Thanks,
> >>old>>Ziv
> >>old>>
> >>old>>
> >>old>>-----Original Message-----
> >>old>>From: Piltrafilla [mailto:piltrafilla at gmail.com]
> >>old>>Sent: Tuesday, January 18, 2005 11:58 AM
> >>old>>To: Ziv Mosery
> >>old>>Cc: cisco-nsp at puck.nether.net
> >>old>>Subject: Re: [c-nsp] 6500 Port Monitor
> >>old>>
> >>old>>I have done vlan monitor sessions that way without any
> >>old>>bandwidth limitation on SupII and Sup720. Could you paste
> >>old>>destination interface configuration and 'sh ip interface'
> >>old>>information?
> >>old>>
> >>old>>Regards,
> >>old>>
> >>old>>On Tue, 18 Jan 2005 10:38:06 +0200, Ziv Mosery
> >>old>><zmosery at mercury.com>
> >>old>>wrote:
> >>old>>> Hi all,
> >>old>>>
> >>old>>> I am trying to do port monitoring from a VLAN to a GigE destination.
> >>old>>>
> >>old>>> For some reason I don't get at the destination more than 100MB.
> >>old>>>
> >>old>>> Any reason for that?
> >>old>>>
> >>old>>> Switch details: 6500 Sup2 MSFC2.
> >>old>>>
> >>old>>> Configuration used:
> >>old>>>
> >>old>>> monitor session 2 source vlan 13
> >>old>>>
> >>old>>> monitor session 2 destination interface Gi10/45
> >>old>>>
> >>old>>> Does anyone know of limitations that the switch might have regarding port
> >>old>>> monitor?
> >>old>>>
> >>old>>> Thanks in advance,
> >>old>>>
> >>old>>> Ziv
> >>old>>>
> >>old>>>
> >>old>>___________________________________________________________
> >>old>>___________
> >>old>>> This email has been scanned by the MessageLabs Email
> >>old>>Security System.
> >>old>>> For more information please visit
> >>old>>http://www.messagelabs.com/email
> >>old>>>
> >>old>>___________________________________________________________
> >>old>>___________
> >>old>>> _______________________________________________
> >>old>>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> >>old>>> https://puck.nether.net/mailman/listinfo/cisco-nsp
> >>old>>> archive at http://puck.nether.net/pipermail/cisco-nsp/
> >>old>>>
> >
> >
> >
> >Tim Stevenson, tstevens at cisco.com
> >Routing & Switching CCIE #5561
> >Technical Marketing Engineer, Catalyst 6500
> >Cisco Systems, http://www.cisco.com
> >IP Phone: 408-526-6759
> >********************************************************
> >The contents of this message may be *Cisco Confidential*
> >and are intended for the specified recipients only.
> 
> 
> 

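The VACL workaround mentioned at the top of this message, sketched as an added example; it is not configuration posted by anyone in the thread and has not been tested on the hardware discussed. It assumes Catalyst 6500 native IOS VACL capture syntax, that the SPAN session using Gi10/45 has been removed first, and that HTTP is the traffic of interest; VLAN 13 and Gi10/45 come from the original post, while the names CAPTURE-WEB and MONITOR-PRUNE are hypothetical.

```cisco
! Added example. Assumption: only TCP/80 needs to reach the probe.
! CAPTURE-WEB and MONITOR-PRUNE are hypothetical names.
ip access-list extended CAPTURE-WEB
 permit tcp any any eq 80
 permit tcp any eq 80 any
!
! Sequence 10: forward matching traffic normally AND copy it to the
! capture port, so the probe sees only the pruned subset.
vlan access-map MONITOR-PRUNE 10
 match ip address CAPTURE-WEB
 action forward capture
!
! Sequence 20: no match clause, so it matches everything else and
! forwards it without a copy. Without this entry the implicit deny
! at the end of the VACL would drop all other traffic in VLAN 13.
vlan access-map MONITOR-PRUNE 20
 action forward
!
! Apply the map to the monitored VLAN from the original post.
vlan filter MONITOR-PRUNE vlan-list 13
!
! The former SPAN destination becomes the capture port.
interface GigabitEthernet10/45
 switchport
 switchport capture
 switchport capture allowed vlan 13
```

Sizing still applies: the captured subset has to fit within the capture port's line rate, so check the probe's interface counters for output drops after applying the filter.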

