[c-nsp] Packet capturing above 1Gbps

Ramcharan, Vijay A vijay.ramcharan at verizonbusiness.com
Tue Apr 1 15:03:47 EDT 2008


Thank you Phil and Mike.  

I heard back from Cisco. They say VACL captures at those rates are
supported and should not result in performance hits on the switch. I
probably should have mentioned that we already have an application
(Tealeaf) that will be used for analysis. 

I believe the VACL capture to a 10Gbps port on a GigaVue-420, and then
split out to the analysis servers, is a good approach. 
Most of the parts are already present - just need to get a conversation
going with Gigamon now. 
 
Vijay Ramcharan 
  
-----Original Message-----
From: Phil Mayers [mailto:p.mayers at imperial.ac.uk] 
Sent: April 01, 2008 13:20
To: Ramcharan, Vijay A
Cc: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] Packet capturing above 1Gbps

Ramcharan, Vijay A wrote:
> I am about to open a case with TAC regarding feasibility of using
> either SPAN or VACL capture or some other method of capturing traffic
> exceeding 1Gbps. 
> I am not even sure if it is possible to send this much captured
> traffic to a 10Gbps port connected to something like a GigaVue-420
> which can split the traffic into smaller, more manageable streams for
> analysis.
> The solution should be able to provide a full view of all packets as
> the analysis stations receiving the captures will be providing reports
> on the captured data all the way up to the application layer. 
> 
> Realistically, traffic loads within the applicable VLAN may reach up
> to 3 Gbps at peak periods. 
> 
> From your experience, what are some of the ways in which this can be
> done? 

We are using a plain SPAN session on 6500s to mirror an SVI on an 
active/standby pair of 10gig ports facing our firewall:

ip vrf INSIDE
   description blah
ip vrf OUTSIDE
   description blah
!
! One SVI per VRF; the firewall sits between the two VLANs.
interface Vlan4000
   ip vrf forwarding OUTSIDE
   ip address 192.168.1.x 255.255.255.252
!
interface Vlan4001
   ip vrf forwarding INSIDE
   ip address 192.168.2.y 255.255.255.252
!
! Active/standby 10G ports to the firewall, trunking only the two VLANs.
! "switchport" first (6500 native IOS ports default to routed), then the
! encapsulation before "mode trunk" (with encapsulation still "auto" the
! trunk command is rejected). "allowed" needs the "vlan" keyword.
interface TenGigabitEthernet1/1
   description main port to firewall
   switchport
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 4000-4001
   switchport mode trunk
!
interface TenGigabitEthernet1/2
   description 2nd port to firewall
   switchport
   switchport trunk encapsulation dot1q
   switchport trunk allowed vlan 4000-4001
   switchport mode trunk
!
interface TenGigabitEthernet1/3
   description facing sniffer
!
! Local SPAN: mirror VLAN 4001 (the INSIDE SVI) to Te1/3. With no
! rx/tx/both keyword the source is mirrored in both directions, so
! traffic bridged within the VLAN shows up twice on the sniffer.
monitor session 1 source vlan 4001
monitor session 1 destination interface TenGigabitEthernet1/3

It seems to work fine.

I've also used ERSPAN to mirror very high-rate interfaces (>1Gbit/sec) 
and it seems to work fine, though it brings the capturing box to its
knees!

VACL is mutually exclusive with OAL (which we have configured) so I 
haven't tried that.
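For the VACL capture approach Vijay is going with (in place of the SPAN session Phil shows), the configuration below is an added example and is not config posted by either of them. It assumes a Catalyst 6500 running native IOS, the same VLAN 4001 and capture port Te1/3 as in Phil's layout, and the access-list and access-map names CAP-ALL-IP and VACL-CAPTURE are hypothetical. Phil's caveat still applies: VACL and OAL cannot be configured together.

```ios
! Added example (not from the original thread): VACL capture on a
! Catalyst 6500, copying all IP traffic switched or routed in VLAN 4001
! to a 10G capture port feeding the GigaVue-420. Interface, VLAN and
! names are assumptions.
!
! The ACL only selects; the access-map decides what gets copied.
ip access-list extended CAP-ALL-IP
 permit ip any any
!
! Sequence 10 forwards matching packets AND copies them to capture ports.
! Sequence 20 has no match clause, so everything else (non-IP frames)
! is still forwarded, just not copied. Only forwarded packets are ever
! captured; "action drop" never produces a copy.
vlan access-map VACL-CAPTURE 10
 match ip address CAP-ALL-IP
 action forward capture
vlan access-map VACL-CAPTURE 20
 action forward
!
! Apply to VLAN 4001 only. Filtering a single VLAN also avoids getting
! two copies of a routed packet (one on the ingress VLAN, one on the
! egress VLAN) when both carry a capture map.
vlan filter VACL-CAPTURE vlan-list 4001
!
! Capture port towards the GigaVue-420. It must be a Layer 2 port;
! "switchport capture" makes it a capture destination and
! "switchport capture allowed vlan" limits which captured VLANs it
! receives (default: all). Trunk mode keeps the 802.1Q tag so the
! splitter downstream can filter per VLAN.
interface TenGigabitEthernet1/3
 description VACL capture port to GigaVue-420
 switchport
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport capture allowed vlan 4001
 switchport capture
 no shutdown
!
! Verify:
!   show vlan access-map VACL-CAPTURE
!   show vlan filter
!   show interfaces TenGigabitEthernet1/3 switchport
```

Unlike the SPAN session, this copies each forwarded packet once as it crosses VLAN 4001 rather than once per direction, so the capture port sees roughly the VLAN's 3 Gbps peak rather than double it; anything the access-map drops, or that a deny entry in the ACL would catch, is never seen by the analysis stations.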

