I'm trying to capture traffic from a core switch, however the traffic of a single VLAN already exceed 1.5GBps, so not possible to configure
Port mirror for that VLAN. Network team suggest try to connect the SPF+ link.
However the AMD also has other 1GB sniffing ports for other VLAN span port. Anyone has experience that combine two types of capture
media? Manual said 1G and 10G can't coexist but not sure if my case is exceptional.
Any comments ? Much appreciated .
As usual - it depends.
If you have use cards that does 100/1000/10000 then you should be OK - as long as they are all the same.
Tested Cards "However, you can monitor 1 GbE networks and 10 GbE networks on the same AMD when using a 10 GbE card as long as the 10 GbE NIC also supports 1 GbE data rates and you use the same custom 10 GbE driver to support both data rates."
Anyway - if you start gettting a lot of feeds into your AMD, I would recommend looking at a Network Packet Broker as this would enable you to have control of the feeds. If you don't do that, you might end up with a AMD that spends all it's power to filter OUT all the packets IT DOESN'T want.
Ideally - you want an AMD that only gets exactly the data you want analyzed and doesn't have to spend time/power on filtering away duplicates or unwanted traffic.
Thanks for your reply. The existing 1G sniffing port are all 100/1000 running native driver.
If I enable the 10Gb SFP+ then it should conflict on the AMD driver.
Need to think of other ways to capture the core switch traffic.
Have a good day.
we had something like this at a customer last year. We have a 1GbE and a 10 GbE card in out AMD.
rtminst gives us the same driver type for both cards but we needed to enable native driver to start capturing. With native drivers it works very well with the current load on the AMD.
As Friedrike say - it works!
The only thing you need to keep in mind with the native drivers is to disable all the "cool" features of the cards such as the ability to pre/post process packets. This is sometimes called offloading or other marketing terms and basically it means that the hardware in the NIC does a number of manipulations of the packets, such as gather several incoming packets and pile them up into a JumboFrame and send it to the decode - hence the AMD will incorrectly report JumboFrames on the network.
But if you take care and set them up right, then it should work.
Hi Friederike and Ulf,
Thanks for your suggestions and reminders.
Actually I'm a bit doubt on the "native" driver. I tried "native" with copper port but not sure how SFP+ perform....some bad experience with "native" in the past.
There's just what I wrote above to keep in mind and also that the newer versions of RH works better.
Actually - the version now 12.3.1 is the last to support RH5 so you might as well start planning an update to 6.5 or something similar. AMD General Requirements#RecommendedRedHatEnterpriseLinuxVersionsandReleases