Cisco switches support a feature known as SPAN (short for Switch Port Analyzer) which allows traffic received on an interface or VLAN to be sent to a single physical port. This feature can be tremendously useful for troubleshooting packet delivery across networks, deep packet inspection by security appliances, TCP SYN/ACK monitoring, and many other functions.

The SPAN destination options have improved since it was originally released. Cisco SPAN technically implies that the source and destination ports are local to the same switch. If the traffic destination is on another remote switch, Remote SPAN (RSPAN) is used. For RSPAN to function, a dedicated RSPAN VLAN must be configured between the local and remote switch to carry the monitored traffic. Finally, if the destination requires crossing one or more IP networks, then Encapsulated Remote SPAN (ERSPAN) can be used.


SPAN Topology


SPAN sources include at least one physical port or at least one VLAN on a switch. The destination port is configured locally on the same switch. Once configured, the SPAN source traffic is delivered to the SPAN destination port.

RSPAN Topology


RSPAN source rules are the same as SPAN; sources include at least one physical port or at least one VLAN on a switch. The difference is that the destination is the configured RSPAN VLAN, not a local physical port.

The RSPAN VLAN must be extended across the entire switched path between the source switch and the switch that contains the destination port. Verify the RSPAN VLAN is allowed and forwarding on all forwarding trunk connections between the source and destination.

ERSPAN Topology


ERSPAN builds upon RSPAN by encapsulating RSPAN traffic and creating a generic routing encapsulation (GRE) tunnel to route over an IP transport. ERSPAN was introduced in IOS-XE which runs on specific routing-capable platforms like the ASR 1000, Catalyst 6500, 7600, and the Nexus family of data center switches.

All SPAN types allow a wide range of source ports including switch ports, routed ports, trunk ports, access ports, and EtherChannel (portchannel) ports. Speaking of EtherChannels, both the EtherChannel interface itself or individual member ports can be used as the source. When a VLAN is used as the source, all active interfaces within the VLAN are are monitored. If interfaces are added or removed, the participating interfaces are dynamically updated.

SPAN Requirements

SPAN, RSPAN, and ERSPAN require several conditions in order for traffic to be monitored.

  • SPAN sources can be one or more physical ports OR a single VLAN, not a mix of the two.
  • A SPAN source port cannot also be a destination port. Likewise, a destination SPAN port cannot be a source port.
  • Only one SPAN/RSPAN/ERSPAN session can mirror traffic to a single destination port. No sharing destination ports.
  • When trunk ports are used as the SPAN source, traffic from all VLANs is monitored by default. The optional filter vlan command can be added to limit which VLANs on the trunk will be monitored.
Avoid destination traffic overloading. If you are sourcing traffic from many individual ports or a whole VLAN and mirroring the data to a single switch port, the destination interface can become saturated quickly.

SPAN Transmit & Receive Considerations

SPAN, RSPAN, and ERSPAN support three different monitoring modes: transmitted, received, and both. The default operation is to monitor both the traffic exiting (transmit) and entering (receiving) a source port or VLAN. Each source can optionally be modified to only capture transmit or receive traffic.


Receive means all traffic entering a source switch port or VLAN. The traffic will be be copied and sent to the SPAN destination BEFORE any modifications (like ACL/VACL filter, QoS, or policing) occurs.


Transmit means all traffic leaving a source switch port or VLAN. The traffic will be be copied and sent to the SPAN destination AFTER any modifications (like ACL/VACL filter, QoS, or policing) occurs. This means that the SPAN transmit traffic that is forwarded to the SPAN destination may not contain all transmit traffic – depending on local policies applied.

SPAN also discards certain types of control-plane traffic by default. SPAN/RSPAN sessions typically do not include CDP, Spanning Tree BPDUs, VTP, DTP, and PAgP frames. If you need that traffic included in the monitored session, the encapsulation replicate command should be configured.

SPAN Destination Restrictions

SPAN, RSPAN, and ERSPAN share common destination port restrictions and conditions. The following list contains the most important:

  • A SPAN destination port cannot also be a source port or be a member of a source VLAN.
  • When a destination port is specified in the configuration, the existing interface configuration is overwritten. When the destination port is removed from the SPAN configuration, the original interface configuration is restored.
  • SPAN destination ports do not support control-plane protocols like CDP, Spanning Tree, VTP, or DTP.
  • Destination ports are generally incompatible with layer 2 security features like port security and private VLANs. 802.1x authentication is also unsupported.

Simple SPAN Configuration Example

The first SPAN configuration will build a monitored session that captures all traffic on interface FastEthernet 1/0/20 and mirror that to interface FastEthernet 1/0/25. This is a typical configuration used for simple application traffic troubleshooting at a local site.

MDF1#show monitor session all
No SPAN configuration is present in the system.

MDF1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
MDF1(config)#monitor session 1 source interface fa1/0/20
MDF1(config)#monitor session 1 destination interface fa1/0/25
MDF1#show monitor session all
Session 1
Type : Local Session
Source Ports :
Both : Fa1/0/20
Destination Ports : Fa1/0/25
Encapsulation : Native
Ingress : Disabled

Complex SPAN Configuration Example

In this example we configure the local switch to send all captured traffic to interface fa1/0/26 that meets the following requirements:

  • Sent on interface FastEthernet 1/0/21.
  • Received on interface FastEthernet 1/0/22.
  • Sent and received on trunk interface FastEthernet 1/0/23.
  • Encapsulation protocol traffic should be preserved in the SPAN.
  • VLANs 10, 50, and 99 should not be monitored on trunk interface FastEthernet 1/0/23.

MDF1(config)#monitor session 10 source interface fa1/0/21 tx
MDF1(config)#monitor session 10 source interface fa1/0/22 rx
MDF1(config)#monitor session 10 source interface fa1/0/23
MDF1(config)#monitor session 10 filter vlan 10
MDF1(config)#monitor session 10 filter vlan 50
MDF1(config)#monitor session 10 filter vlan 99
MDF1(config)#monitor session 10 destination interface fa1/0/26 encapsulation replicate

MDF1#show monitor sess 10
Session 10
Type : Local Session
Source Ports :
RX Only : Fa1/0/22
TX Only : Fa1/0/21
Both : Fa1/0/23
Destination Ports : Fa1/0/26
Encapsulation : DOT1Q
Ingress : Disabled
Filter VLANs : 10,50,99

RSPAN Configuration Example

ERSPAN is configured very similarly to traditional SPAN. In this example, source traffic from two different IDF switches will send monitored traffic to destination port FastEthernet 1/0/48 on switch MDF1. The monitored traffic will use RSPAN VLAN 400 to as a transport between the IDF and MDF switches.

The configuration will monitor the following traffic:

  • IDF1 – all traffic received on VLAN 20,21,and 22.
  • IDF1 – all traffic sent and received on VLAN 99.
  • IDF2 – all traffic received on VLAN 1

IDF1#configure terminal
IDF1(config)#vlan 400
IDF1(config-vlan)#remote span
IDF1(config)#monitor session 2 source vlan 20-22 rx
IDF1(config)#monitor session 2 source vlan 99
IDF1(config)#monitor session 2 destination remote vlan 400

IDF2#configure terminal
IDF2(config)#vlan 400
IDF2(config-vlan)#remote span
IDF2(config)#monitor session 3 source vlan 1 rx
IDF2(config)#monitor session 3 destination remote vlan 400

MDF1#configure terminal
MDF1(config)#vlan 400
MDF1(config-vlan)#remote span
MDF1(config)#monitor session 40 source remote vlan 400
MDF1(config)#monitor session 40 destination interface fa1/0/48

MDF1#show monitor session 40
Session 40
Type : Remote Destination Session
Source RSPAN VLAN : 400
Destination Ports : Fa1/0/48
Encapsulation : Native
Ingress : Disabled

Notice in the RSPAN configuration above that different session IDs are used on each of the three switches. The session ID is only locally relevant, so using different SPAN session IDs (or the same) is acceptable.

ERSPAN Configuration Example

In this example, ASR1 is configured to monitor traffic transmitted out interface Gig0/0/0. The monitored traffic will be encapsulated in GRE by ASR1 and routed to ASR2. The capture stream is then delivered to interface Gig2/0/1 on ASR2.

Note that the ERSPAN source configuration requires a no shutdown to activate the session. If the destination interface is shutdown, the SPAN session will also not come up. After the no shut command is issued on the ERSPAN source session and destination interface, the SPAN session will come up as well.

ASR1(config)#monitor session 1 type erspan-source
ASR1(config-mon-erspan-src)#source interface gi0/0/0 tx
ASR1(config-mon-erspan-src)#no shutdown
ASR1(config-mon-erspan-src-dst)#erspan-id ?
<1-1023> Erspan ID

ASR1(config-mon-erspan-src-dst)#erspan-id 501
ASR1(config-mon-erspan-src-dst)#ip address
ASR1(config-mon-erspan-src-dst)#origin ip address

ASR2(config)#monitor session 11 type erspan-destination
ASR2(config-mon-erspan-dst)#destination interface gi2/0/1
ASR2(config-mon-erspan-dst)#no shut
ASR2(config-mon-erspan-dst-src)#erspan-id 501
ASR2(config-mon-erspan-dst-src)#ip address

SPAN Verification

To show the status of a SPAN, RSPAN, or ERSPAN session, issue the show monitor session ID command. Here is an example of the show monitor session output of ASR1 from the ERSPAN source configuration above.

ASR1#show monitor session 1
Session 1
Type : ERSPAN Source Session
Status : Admin Enabled
Source Ports :
TX Only : Gi0/0/0
Destination IP Address :
Destination ERSPAN ID : 501
Origin IP Address :

Author Aaron

Aaron knows networks. He's been involved in building and supporting world-class data networks for the past 10 years - from international cloud service providers to Fortune 50 data centers. Aaron consults independently and is focused on building the best training platform available.

More posts by Aaron

Join the discussion 2 Comments

  • Jesus says:

    Hi Aaron
    There is some cisco documentation explaining that filter command selects Vlans to monitor, so the vlan list on the filter command will be the only ones to be monitor and mirrored, as far as I understand.

    Can you clarificar this point?

    • Aaron says:

      Hi Jesus – I mentioned the optional filter tag in the last bullet point under “SPAN Requirements” above. It does exactly as you described. The VLANs listed with the filter tag will be the only VLANs monitored on the trunk.

Leave a Reply