[c-nsp] Packet capturing above 1Gbps
Phil Mayers
p.mayers at imperial.ac.uk
Tue Apr 1 14:19:48 EDT 2008
Ramcharan, Vijay A wrote:
> I am about to open a case with TAC regarding feasibility of using either
> SPAN or VACL capture or some other method of capturing traffic exceeding
> 1Gbps.
> I am not even sure if it is possible to send this much captured traffic
> to a 10Gbps port connected to something like a GigaVue-420 which can
> split the traffic into smaller, more manageable streams for analysis.
> The solution should be able to provide a full view of all packets as the
> analysis stations receiving the captures will be providing reports on
> the captured data all the way up to the application layer.
>
> Realistically, traffic loads within the applicable VLAN may reach up to
> 3 Gbps at peak periods.
>
> From your experience, what are some of the ways in which this can be
> done?
We are using a plain SPAN session on 6500s to mirror an SVI on an
active/standby pair of 10gig ports facing our firewall:
ip vrf INSIDE
 description blah
ip vrf OUTSIDE
 description blah
int vlan4000
 ip vrf forwarding OUTSIDE
 ip address 192.168.1.x 255.255.255.252
int vlan4001
 ip vrf forwarding INSIDE
 ip address 192.168.2.y 255.255.255.252
int Te1/1
 description main port to firewall
 switchport mode trunk
 switchport trunk encap dot1q
 switchport trunk allowed vlan 4000-4001
int Te1/2
 description 2nd port to firewall
 switchport mode trunk
 switchport trunk encap dot1q
 switchport trunk allowed vlan 4000-4001
int Te1/3
 description facing sniffer
monitor session 1 source vlan 4001
monitor session 1 destination interface Te1/3
It seems to work fine.
I've also used ERSPAN to mirror very high-rate interfaces (>1Gbit/sec)
and it seems to work fine, though it brings the capturing box to its knees!
VACL is mutually exclusive with OAL (which we have configured) so I
haven't tried that.
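An added sanity check for a SPAN setup of this shape (my own example, not code or configuration from the post): it parses a constructed copy of the snippet above, confirms the session's destination port is not itself a trunk carrying the mirrored VLAN, and budgets the mirrored rate against the destination link, assuming the stated peak is per direction and that a VLAN source copies both rx and tx.

```python
"""Sanity-check a Catalyst SPAN session (added example, not the poster's code)."""
import re

# Constructed config, trimmed to what the checks need.
CONFIG = """\
int vlan4000
 ip vrf forwarding OUTSIDE
int vlan4001
 ip vrf forwarding INSIDE
int Te1/1
 switchport mode trunk
 switchport trunk allowed vlan 4000-4001
int Te1/2
 switchport mode trunk
 switchport trunk allowed vlan 4000-4001
int Te1/3
 description facing sniffer
monitor session 1 source vlan 4001
monitor session 1 destination interface Te1/3
"""

def expand_vlans(spec):
    """'4000-4001,10' -> {4000, 4001, 10}"""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def parse(config):
    ifaces, sessions, cur = {}, {}, None
    for line in config.splitlines():
        s = line.strip()
        if m := re.match(r"int(?:erface)?\s+(\S+)", s):          # interface stanza
            cur = ifaces.setdefault(m.group(1).lower(), {"trunk_vlans": set()})
        elif m := re.match(r"monitor session (\d+) source vlan (\S+)", s):
            sessions.setdefault(m.group(1), {})["src"] = expand_vlans(m.group(2))
        elif m := re.match(r"monitor session (\d+) destination interface (\S+)", s):
            sessions.setdefault(m.group(1), {})["dst"] = m.group(2).lower()
        elif cur and (m := re.match(r"switchport trunk allowed vlan (\S+)", s)):
            cur["trunk_vlans"] |= expand_vlans(m.group(1))
    return ifaces, sessions

def check_span(config, peak_gbps, dst_gbps=10.0):
    """Return a list of findings; an empty list means the session looks sane."""
    ifaces, sessions = parse(config)
    findings = []
    for sid, sess in sessions.items():
        src, dst = sess.get("src", set()), sess.get("dst")
        if not src or dst is None:
            findings.append(f"session {sid}: needs both a source and a destination")
        elif dst not in ifaces:
            findings.append(f"session {sid}: destination {dst} is not configured")
        elif ifaces[dst]["trunk_vlans"] & src:
            findings.append(f"session {sid}: destination {dst} also trunks a source VLAN")
        # A VLAN source mirrors rx and tx, so budget 2x the per-direction peak.
        if 2 * peak_gbps > dst_gbps:
            findings.append(f"session {sid}: up to {2*peak_gbps:g} Gbps mirrored onto a {dst_gbps:g} Gbps port")
    return findings
```

Frames switched within the source VLAN can be copied twice, so the 2x budget is the floor, not the ceiling.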