How ACLs are applied in TCAM entries for a SPAN session and how they use that space.



I was searching for how many ACLs can be applied on a SPAN session on a Cisco 5672UP. For that I referred to the document mentioned below, and what I noticed is that it says a SPAN session with a single switch port as source, with both Tx and Rx enabled, will have "Current available TCAM entries/2". Please explain how many ACLs can be applied to a SPAN session, how they use TCAM entries, and also how many TCAM entries are available in the Cisco 5672UP.

 

Please see page 6 of the link below:

https://www9.cisco.com/c/en/us/td/docs/switches/datacenter/nexus5600/sw/system_management/7x/b_5600_System_Mgmt_Config_7x/configuring_span.pdf

aren't homework questions easy anymore?

 

anytime I have an issue with my kids homework due to how they are "teaching" them (stupid common core garbage), I use google to look it up. 

 

If you have problems understanding that Google link, or for that matter how to Google (I cannot teach you how to scan/look for keywords in documents, as that is a learned trait apparently... if I could do that I could teach my relatively new hire who can't do that; they read word for word and it takes them weeks to find information that takes me seconds or minutes... this goes along with knowing how to Google).

 

If this continues on how to do your homework, I will have to lock it up. If you need further explanation on something, feel free to ask... we are not here to tell you how to do your homework, we are here for technical support.

I need to set up 24 SPAN sessions on a Nexus 5672UP on 24 10 Gbps lines. So now I need to apply an IP-based ACL with 2000 IP subnets and one protocol-based ACL on each of these 24 SPAN sessions. While I was going through the documentation I got stuck at the wording like TCAM/2 or /3 for ACL size, so I needed to figure out whether my scenario will work or not. On that switch I just need to configure SPAN and nothing else.

So can anyone let me know if the above will work.

I will say this once more, we are not here for your homework.

 

If you really are stuck and you need this done ASAP, Cisco TAC is very responsive, and with a site that large and a switch of that magnitude there is a 99.999% chance that you will have that covered under a support agreement. FWIW, if you are in dire straits you will have a tech on the phone with you in about 15 minutes.

 

Cisco's documentation is horrible; many times they give you 3/4 to 9/10 of the info you need.

 

In real life I have never needed 24 SPAN ports active at the same time. I could never monitor 24 computers at the same time. SPAN in the Cisco world is putting a port in mirror mode, basically a troubleshooting mode, so you can see packets go across with a capture tool. I have never needed 24 captures running at the same time. I have common captures sitting dormant so that if I need to I can enable the capture, but by no means do I ever have more than 1 running at a time. Usually you are troubleshooting a specific issue or you are capturing all packets on the switch.

  On 28/01/2017 at 06:13, sc302 said:

there is a 99.999% chance


There is ZERO chance they do not have support on such a switch with such connections.. If you need to set up something like 24 SPAN ports.. which I don't even think is possible, to be honest..

 

Page 4

"SPAN supports 16 active bi-directional SPAN sessions"

 

You need to call TAC..

 

As to that wording.. That is your current TCAM size divided by 2 or 3 or 4, depending on the criteria in the left column; that is your limit on the number of ACLs you can have.. you don't know what /2 means?? What is 1/2 or 1/3 or 2/4 etc. etc. Fractions not big while you were in school? ;) hehehe

 

 

What if I use it to set up just 16 SPAN sessions and set up 2 ACLs on all of these SPAN sessions? My first ACL will have 2000 rules, i.e. 2000 CIDRs with /8 and /16 subnets in total, and ACL 2 will have port 53 permit rules. So will it work on the 5672UP?

I don't know what your current

"Current Available TCAM Entries"

value is.

And then divide that by 2..

 

2000 rules in an ACL... Seems a bit much - you really need to call TAC..
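To make the "Current available TCAM entries / 2" wording concrete, here is an added planning calculator (not from the thread, the Cisco document or the switch). It models the rule the document states for a single-port source with both Tx and Rx: each ACE is programmed once per direction, so a both-direction session may hold at most half the available entries. The divisor values for rx/tx-only, the shared-budget assumption across sessions and the 4096-entry figure are placeholders, not the 5672UP's real numbers.

```python
# Added example: capacity planning for SPAN filter ACLs under the
# "current available TCAM entries / N" rule quoted in the thread.
# ASSUMPTIONS: divisor table below, a single TCAM budget shared by all
# sessions, and the placeholder AVAILABLE_TCAM value.
from dataclasses import dataclass

# Only "both" = 2 is stated on the page; rx-only/tx-only = 1 is assumed.
DIRECTION_DIVISOR = {"rx": 1, "tx": 1, "both": 2}


@dataclass
class SpanSession:
    name: str
    direction: str        # "rx", "tx" or "both"
    ace_counts: list      # ACE count of each filter ACL on this session

    def tcam_entries_needed(self) -> int:
        """Entries consumed: every ACE is programmed once per direction."""
        return sum(self.ace_counts) * DIRECTION_DIVISOR[self.direction]

    def max_aces(self, available: int) -> int:
        """Largest ACL that fits this session: 'available / N'."""
        return available // DIRECTION_DIVISOR[self.direction]


def plan(sessions, available_tcam: int) -> dict:
    """Report total demand and whether every session fits the budget."""
    needed = sum(s.tcam_entries_needed() for s in sessions)
    oversized = [s.name for s in sessions
                 if s.tcam_entries_needed() > available_tcam]
    return {
        "needed": needed,
        "available": available_tcam,
        "fits": needed <= available_tcam and not oversized,
        "oversized_sessions": oversized,
    }


# The thread's scenario: 16 both-direction sessions, each carrying a
# 2000-ACE IP ACL plus a one-line port-53 ACL. Placeholder TCAM size.
AVAILABLE_TCAM = 4096   # constructed placeholder; read the real value from the switch
THREAD_SESSIONS = [SpanSession(f"session{i}", "both", [2000, 1])
                   for i in range(1, 17)]

if __name__ == "__main__":
    print(plan(THREAD_SESSIONS, AVAILABLE_TCAM))
```

Under these assumptions one such session needs 4002 entries, so it fits a 4096-entry budget, but sixteen of them need 64032 and do not.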

This would never happen in the real world; lab simulations, sure.

 

 

Again, we are not here for your homework.

 

But I will give you this bit... ACLs utilized with SPAN ports are rules that you apply to a SPAN port to single out traffic.

 

If I am looking for email traffic, I can either look for all email traffic between specific IPs, or I can exclude all email traffic and have it give me everything else. ACLs are what define what traffic is sent to the SPAN port for you to be able to monitor. I can include all VLANs, specific VLANs, or have it look for specific traffic.

 

Again, when you enable this you are looking for specific traffic or all traffic... you would never have 24, 16, or even 12 ports going at the same time unless you have 12 engineers looking at 12 completely different issues. You would have to be really, really big to have a need for this, and have a really, really, really, really big switch. This goes above and beyond a 9-blade chassis. I have been at sites that have tens of thousands of computers; never has there been more than 2 SPAN ports enabled at the same time... rarely ever more than 1, there really is no need for it. When filtering further, most people have the software on their computers filter out components further. It has always been testing, troubleshooting, and verification... I don't know why you would ever have more than 2 dozen or so rules in your ACL, that is a lot to write out/single out. At that point, I would capture everything and then use the software on the capture computer to filter out the traffic I wouldn't want or need.

While you might want to duplicate traffic via a SPAN to send it somewhere for monitoring, etc., I am with sc302.. I am having a hard time trying to come up with a scenario where you would use so many SPANs at the same time.

 

If you really need to monitor traffic that is flowing on that many ports at the same time, then you would normally use external taps vs. having the switch do it. SPAN ports can be a real hit on the performance of the switch.. ACLs on the SPAN would normally be used to lower the traffic volume to get it in line with what your monitoring software can handle, by weeding out all but the traffic you're interested in, etc. This is why they put limits on what you can do via SPAN..

 

Other than some oddball homework question, I am not understanding how this could be a real-world problem or something you're trying to accomplish. If so, you seem to be going about it the wrong way. What is it you want to do exactly, and we can discuss ways to accomplish it.

 

To me, 24 SPAN ports on even the biggest, baddest switch would seem to be a bad idea.. Especially if you think you need to put thousands of ACLs on it??

 

If this is something that is real world, again, you should contact Cisco TAC.. They can answer any questions you might have on doing such a thing, if it's possible, then how you would do it, etc. etc. While I am all for discussing how best to accomplish something, without details of what that is it's hard to discuss.. If you're just asking if you can do 24 SPAN ports with thousands of ACLs, my easy answer is NO! ;)

  On 31/01/2017 at 12:44, John Teacake said:
Yeah, why you would need to span that much data I don't know. Maybe you're the NSA, though.

They would just forward all data. They would not have 1000 rules or have 24 span ports. 1 port, mirror all data, go.
