[Snort-users] Cisco 6500 SPAN limitations, dropping packets, VACLs, RSPAN, real world

Jack McDonough JMcDonough at ...11730...
Tue Apr 27 21:27:07 EDT 2004

TO:    Snort Users,

From: Jack McDonough, Knowledge Works, Inc.

Would really appreciate feedback, from anyone with hands on knowledge -
primarily with Cisco 6500s and:

-  local SPAN session limitations, when source is both tx/rx ( I have
researched this, trying to compare notes)

- using RSPAN to mirror traffic on a local switch, does this work well?

- using VACLs, with specific TCP ports filtered - the scenario is with a
local machine set to sniff on the switch

Thanks in advance for your help and assistance.

Some folks have told me that packets can be dropped on local SPAN sessions
even when the destination port is not over subscribed. But I have heard this
from people that may have an axe to grind or they want to sell you TAPS,
(Test Access Points)or THEIR solution.

I have heard:
SPAN ports are the third priority, after switching and routing, so mirrored
packets can be dropped, but I have not seen a Cisco reference.

Some folks have told me that Cisco has problems with their SPAN ports acting
erratically, but this is not openly discussed, and is supposed "to be a big
secret", because " the Cisco people are certified and will not "say anything
bad" about Cisco.

Here is an excerpt from a thread:
"As Cisco is dropping "mirror" ports and going to capture ports, I now
see vlan tagged traffic. The network folks will not let me use mirror
ports any more since Cisco is removing that in future releases of
their IOS, from what I hear."

Does anybody know anything about the above statement, about Cisco dropping
SPAN or "mirror ports" and going to capture ports? Is anyone not using SPAN
for this reason?

Also, does anyone know if the session limitations for Local SPAN on Cisco
6500s are substantially more limited then on other vendors switches?

Any ideas on what switch or switches to use as a TAP aggregation device,
when we bring back multiple TAPS to a Switch? Which vendor might have less
SPAN limitations?

I have been doing a bit of research on this, so if anyone has experience and
wants to share, I can be reached at 617 877-5560 and I would be happy to
compare notes.

In reference, to the link ***below, I have talked to 9 people about the
following reference, and I have 10 conflicting opinions as to what "egress
sources" means. I think I know what it means, anyone care to share their
viewpoint on the definition?


Local SPAN and RSPAN Source and Destination Limits
These are the local SPAN and RSPAN source and destination limits:

   Local SPAN Sessions  RSPAN Source Sessions  RSPAN Destination Sessions
Egress sources

Supervisor Engine 720

Supervisor Engine 2
(No remote SPAN source session configured)
(No local SPAN egress source session configured)

(Remote SPAN source session configured)
(Local SPAN egress source session configured)

Ingress sources

Destinations per session

Thanks Much,


More information about the Snort-users mailing list