Mirroring a port long term?

zackburf · January 31, 2018, 08:12:26 AM

We have installed PRTG on our network recently and I was wondering if I set up a probe on one of our Layer 3 switches and let it mirror the uplink port what would be the long term effects? Im assuming it would basically double the work the Adtran is doing. Is this something that I can leave on at all times or should this only be done to troubleshoot in smaller windows.

deanwebb · January 31, 2018, 11:06:39 AM

I work for a vendor that can use a mirror port for NAC work. We have a number of customers that turn 'em on, leave 'em on, and have no issues. The mirroring is typically done on an uplink from the distribution switch to the core switch, but we also have monitor sessions on access --> distro traffic, as well as core --> WAN links, depending on the environment.

The trick is that if the switch gets busy, mirror traffic is the first to be impacted, since it's not essential work as far as the switch is concerned. You will see lots and lots of packet drops on the mirror port on a busy switch, and that's just normal for long-term stuff.

Otanx · January 31, 2018, 03:41:15 PM

As Mr. Webb said. SPANs get left on 24x7 for a lot of reasons. Usually this isn't an issue. There are some things to be aware of.

1. Mr. Webb also mentioned this, forwarding traffic out the SPAN is the least important thing the switch does. If it gets busy this suffers first.
2. If you are collecting from multiple ports, or are collecting rx and tx on one port, then sending them out one port you will drop traffic. Basic math if I source over 1G of traffic I have to drop some to send at 1G. Buffers in switches are not large.
3. SPAN sessions are limited on alot of systems. Sometimes only two are allowed. If you use on for PRTG then you get one left for troubleshooting issues, or connecting security or NAC gear. This is why Arista DANZ, or Gigamon, etc. are popular.
4. If using RSPAN or ERSPAN you need to account for the bandwidth it is going to use. Also it is really fun to setup a loop where you ERSPAN a port on switch A. It sends the traffic to switch B towards the end point. However, switch B has an ERSPAN setup and it sends to a device on the other side of switch A. Nope never seen this happen.

-Otanx

deanwebb · January 31, 2018, 04:58:56 PM

Quote from: Otanx on January 31, 2018, 03:41:15 PM
Also it is really fun to setup a loop where you ERSPAN a port on switch A. It sends the traffic to switch B towards the end point. However, switch B has an ERSPAN setup and it sends to a device on the other side of switch A. Nope never seen this happen.

-Otanx

wintermute000 · February 01, 2018, 05:06:08 AM

finally head of line blocking. On a lot of platforms if your span port chokes then that puts 'back pressure' on the port that you're spanning.

icecream-guy · February 01, 2018, 06:27:53 AM

Quote from: deanwebb on January 31, 2018, 04:58:56 PM
Quote from: Otanx on January 31, 2018, 03:41:15 PM
Also it is really fun to setup a loop where you ERSPAN a port on switch A. It sends the traffic to switch B towards the end point. However, switch B has an ERSPAN setup and it sends to a device on the other side of switch A. Nope never seen this happen.

-Otanx

Nothing better than spanning your span port.

Mirroring a port long term?

zackburf

deanwebb

Otanx

deanwebb

wintermute000

icecream-guy