SPAN = Switch Port ANalyzer


  1. The source can either be one or more interfaces OR a VLAN, but cannot be a mixture of both in the same session.
  2. Up to 64 SPAN destination ports can be configured in a single switch.
  3. Switched or Routed ports can be configured as source or destination ports
  4. Within a single SPAN session, you cannot deliver traffic to a destination port when it’s sourced by a mix of SPAN and RSPAN source ports.
  5. A SPAN destination port cannot be a source port and vice versa.
  6. Only 1 SPAN/RSPAN session can send traffic to a single destination port.
  7. A SPAN destination port ceases to act as a normal switchport
  8. It’s possible to configure a trunk port as the source. All the VLAN’s will be monitored. To filter the monitored VLANs, use the “filter vlan” command
  9. Traffic that is routed from another vlan to a source vlan on the same switch, cannot be monitored (I read this as, if the switch is routing between vlans, you won’t see the traffic between them)

Receive SPAN

  • Only received traffic is forwarded to the destination port
  • Bypasses any ACL / QoS / Policing, etc policies. This is because the SPAN is only mirroring what the port receives. ACL’s, etc does not change what is received.

Transmit SPAN

  • Only transmitted traffic is forwarded to the destination port
  • INCLUDES any filtering with ACL / QoS / Policing, etc. This is because the switch is only transmitting what it should, which is what is being mirrored.

NOTE SPAN / RSPAN usually ignores certain layer 2 frames like CDP, BDPU, VTP, DTP, and PagP frames. To include those frames in the session, use the “encapsulation replicate” command.

Share This Page : Share on TwitterShare on FacebookShare on GooglePlusShare on PinterestShare on Linkedin