The ability to hook a protocol analyzer up to a switch port and have it mirror other ports is a cool feature. SPAN (Switched Port Analyzer), a term actually coined by Cisco, has become synonymous with port mirroring.
Quite frankly, I love the SPAN feature and as an analysis vendor we wholeheartedly support this feature. There’s no additional cost for tap hardware, you can mirror any port at will, full duplex ports are merged into one stream by the switch, and you can monitor all ports assigned to a VLAN at that switch.
Don’t get me wrong, I also like external hardware taps for a couple of important reasons: 1) timestamps are more accurate (there is zero packet delay due to the switch) and 2) you can capture packets with physical errors (switches discard all Ethernet frames received with CRC errors).
One could also argue that you need to worry about full-duplex traffic or multiple ports overrunning a half-duplex SPAN port where all packets need to be transmitted to the analyzer, but prudent SPAN usage and configuration (number of ports monitored, filtering, etc.) along with an understanding of your packet volume (use your analyzer!) can help address this concern.
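To put a number on that concern, here is an added example (not part of the original post) that sums the mirrored traffic from polled interface octet counters and compares it with the SPAN destination port's line rate. The interface names and counter values are constructed, and the code assumes 64-bit counters that do not wrap and the same poll times on every port.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    """One poll of a monitored port's octet counters."""
    t: float          # poll time, seconds
    port: str
    rx_octets: int
    tx_octets: int

def span_load(samples, dest_bps, direction="both"):
    """Per-interval load offered to the SPAN destination port.
    direction: which side of each source port is mirrored ('rx', 'tx', 'both').
    Returns [(interval_end, mirrored_bps, fraction_that_cannot_fit), ...].
    """
    by_port = {}
    for s in sorted(samples, key=lambda s: s.t):
        by_port.setdefault(s.port, []).append(s)
    totals = {}
    for polls in by_port.values():
        for prev, cur in zip(polls, polls[1:]):
            octets = 0
            if direction in ("rx", "both"):
                octets += cur.rx_octets - prev.rx_octets
            if direction in ("tx", "both"):
                octets += cur.tx_octets - prev.tx_octets
            bps = octets * 8 / (cur.t - prev.t)
            totals[cur.t] = totals.get(cur.t, 0.0) + bps
    report = []
    for t in sorted(totals):
        bps = totals[t]
        # Share of mirrored bits the destination port has no room to send.
        excess = max(0.0, bps - dest_bps) / bps if bps else 0.0
        report.append((t, bps, excess))
    return report

# Constructed samples: two 1 Gb/s source ports, hypothetical interface names.
SAMPLES = [
    Sample(0, "Gi1/0/1", 0, 0), Sample(0, "Gi1/0/2", 0, 0),
    Sample(10, "Gi1/0/1", 500_000_000, 375_000_000),
    Sample(10, "Gi1/0/2", 625_000_000, 250_000_000),
    Sample(20, "Gi1/0/1", 600_000_000, 400_000_000),
    Sample(20, "Gi1/0/2", 700_000_000, 300_000_000),
]

if __name__ == "__main__":
    for t, bps, excess in span_load(SAMPLES, dest_bps=1_000_000_000):
        print(f"t={t:>4}s  mirrored={bps / 1e6:7.1f} Mb/s  cannot fit={excess:.1%}")
```

The rates are averages over each poll interval, so a port that looks fine here can still be overrun by shorter bursts; octet counters also exclude preamble and inter-frame gap, so the real wire load is slightly higher.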
That brings us to performance. Is your switch impacted by spanning?
I get a chuckle out of statements from competitive white papers that claim that the CPU in a switch must not only forward a packet but also duplicate it when spanning. Apparently the authors are not aware of how Cisco designs their switches. For example, Cisco has not one, but three different spanning architectures depending on the switch family and makes this clear in information readily available from their web site.
For instance, on the Catalyst 5000/5500 and 6000/6500 series, when a packet is received it’s transmitted on the internal bus and every line card gets a copy – no CPU is involved in the copy. In fact, Cisco notes that “whether one or several ports eventually transmit the packet has absolutely no influence on the switch operation. Therefore, considering this architecture, the SPAN feature has no impact on the performance.”
I do draw the line at the RSPAN (remote SPAN) feature, though, but that’s a subject for another time.
Meanwhile I can’t wait for those white papers to be updated.