SPAN & RSPAN — Port Mirroring

Modern switches forward frames only to the destination port — unlike hubs, which flooded every frame to every port. This efficiency is a problem for network analysts: a packet capture tool plugged into a spare switch port sees almost nothing. SPAN (Switched Port Analyser) solves this by instructing the switch to copy frames from one or more source ports to a designated destination port where a sniffer such as Wireshark is connected.

RSPAN (Remote SPAN) extends this capability across multiple switches — mirrored traffic is encapsulated in a dedicated VLAN and forwarded over trunk links to a remote switch where the analyser resides. This allows a single monitoring station to capture traffic from any switch in the campus without physically moving the sniffer.

Before starting this lab, you should be comfortable with VLAN creation and trunk port configuration — RSPAN depends on both. For traffic filtering on the captured stream, see Standard ACL Configuration and Extended ACL Configuration. For logging events triggered by port activity, see Syslog Configuration.

1. SPAN & RSPAN — Core Concepts

How SPAN Works

When a SPAN session is configured, the switch hardware duplicates every frame that ingresses or egresses the specified source ports and delivers a copy to the destination port. The original frame is still forwarded normally — SPAN does not interrupt production traffic. The destination port is placed in a special monitoring state: it does not participate in STP, does not send or receive normal traffic, and forwards only mirrored frames.

  Local SPAN — same switch:

  [Server: Fa0/1] ──────────────────────────────────────────┐
                                                        NetsTuts_SW1
  [PC: Fa0/2] ──────────────────────────────────────────────┤
                                                             │ Fa0/10 — Destination port
                                                        [Laptop running Wireshark]

  monitor session 1 source interface Fa0/1 both
  monitor session 1 source interface Fa0/2 both
  monitor session 1 destination interface Fa0/10

  Result: Wireshark on Fa0/10 sees ALL frames to/from Fa0/1 and Fa0/2.

SPAN Terminology

Term	Definition	Notes
Source port	The port(s) whose traffic is being copied	Can be access or trunk ports; monitored in one or both directions
Destination port	The port where the copy is delivered — connects to the analyser	Exits STP; cannot be a source port in the same session; cannot carry normal traffic
Monitor session	A numbered SPAN configuration instance (1–66 on most platforms)	Multiple sessions can coexist — each has independent sources and destinations
Ingress (`rx`)	Mirror only traffic received on the source port	Captures traffic arriving from the connected device
Egress (`tx`)	Mirror only traffic transmitted out the source port	Captures traffic the switch is sending to the connected device
Both (`both`)	Mirror ingress and egress — the default when direction is omitted	Most common choice for full traffic visibility
RSPAN VLAN	A special VLAN used exclusively to carry mirrored frames between switches	Must be configured on all switches in the path; no normal hosts allowed

SPAN vs RSPAN — Key Differences

Feature	Local SPAN	RSPAN
Source and destination location	Same switch	Different switches — any hop count apart
Transport mechanism	Hardware copy within the switch fabric	Dedicated RSPAN VLAN carried over trunk links
VLAN required	No	Yes — one RSPAN VLAN per session
Source switch config	`monitor session` with source + destination	`monitor session` with source + destination VLAN (not port)
Destination switch config	N/A	`monitor session` with source VLAN + destination port
Trunk requirement	No	Yes — RSPAN VLAN must be allowed on all trunks between source and destination switch
STP on RSPAN VLAN	N/A	STP is disabled on the RSPAN VLAN by design

SPAN Session Limits (Catalyst Platforms)

Platform	Max SPAN Sessions	Max Source Ports per Session	Max Destination Ports per Session
Catalyst 2960/2960X	2	All ports	1
Catalyst 3560/3750	2 local + 66 RSPAN	All ports	1 per session
Catalyst 4500/6500	Up to 64	All ports	Multiple (ERSPAN supported)

2. Lab Topology & Scenario

This lab covers three scenarios: local SPAN on a single switch, RSPAN across two switches over a trunk, and filtering SPAN traffic by direction. All labs use the following topology:

         192.168.10.0/24                          192.168.10.0/24
  [Server: 192.168.10.10]                  [PC3: 192.168.10.30]
         Fa0/1                                    Fa0/1
          |                                         |
     NetsTuts_SW1 ─────── Trunk (Gi0/1) ─────── NetsTuts_SW2
          |                                         |
         Fa0/10 (Destination — local SPAN)         Fa0/24 (Destination — RSPAN)
          |                                         |
  [Wireshark Laptop A]                     [Wireshark Laptop B]

  NetsTuts_SW1 ports:
    Fa0/1  — Server (source)
    Fa0/2  — PC1: 192.168.10.11 (source)
    Fa0/3  — PC2: 192.168.10.12 (source)
    Fa0/10 — Wireshark Laptop A (local SPAN destination)
    Gi0/1  — Trunk to NetsTuts_SW2

  NetsTuts_SW2 ports:
    Fa0/1  — PC3 (source — RSPAN scenario)
    Fa0/24 — Wireshark Laptop B (RSPAN destination)
    Gi0/1  — Trunk to NetsTuts_SW1

  Scenario 1: Local SPAN — mirror Fa0/1 and Fa0/2 on SW1 to Fa0/10
  Scenario 2: RSPAN — mirror Fa0/1 on SW1 to Fa0/24 on SW2
  Scenario 3: Ingress-only SPAN — monitor only inbound traffic on a trunk

3. Step 1 — Local SPAN Configuration

Local SPAN mirrors traffic from source ports to a destination port on the same switch. This is the most common SPAN use case — a Wireshark laptop is plugged into a spare port and configured as the SPAN destination:

NetsTuts_SW1>en
NetsTuts_SW1#conf t
Enter configuration commands, one per line.  End with CNTL/Z.

! ── Session 1: Mirror Server (Fa0/1) and PC1 (Fa0/2) to Fa0/10 ──
NetsTuts_SW1(config)#monitor session 1 source interface Fa0/1 both
NetsTuts_SW1(config)#monitor session 1 source interface Fa0/2 both
NetsTuts_SW1(config)#monitor session 1 destination interface Fa0/10

NetsTuts_SW1(config)#end
NetsTuts_SW1#wr
Building configuration...
[OK]
NetsTuts_SW1#

The keyword both mirrors ingress (received) and egress (transmitted) frames on each source port. The destination port Fa0/10 automatically exits STP and stops carrying normal VLAN traffic — it becomes a pure mirror output. Any device connected to Fa0/10 that sends frames back into the switch will have those frames ignored by default (ingress is disabled on SPAN destination ports).

Mirror a Single Direction

! ── Mirror only traffic RECEIVED on Fa0/1 (rx = ingress) ─
NetsTuts_SW1(config)#monitor session 1 source interface Fa0/1 rx

! ── Mirror only traffic SENT to Fa0/1 (tx = egress) ──────
NetsTuts_SW1(config)#monitor session 1 source interface Fa0/1 tx

Filtering by direction halves the traffic volume at the destination port. Use rx to capture only what a client is sending to the network, or tx to capture only what the switch is delivering to the client. This is useful when the destination port's NIC cannot keep up with full bidirectional capture on a high-speed source.

Mirror an Entire VLAN

! ── Mirror all ports in VLAN 10 on SW1 to Fa0/10 ─────────
NetsTuts_SW1(config)#monitor session 2 source vlan 10 both
NetsTuts_SW1(config)#monitor session 2 destination interface Fa0/10

Using source vlan instead of source interface mirrors all ports currently assigned to VLAN 10 — you do not need to list each port individually. This also automatically includes any new ports added to VLAN 10 in the future. Session 2 is used here because session 1 is already configured above — a destination port can only be used by one session at a time, but this example reuses Fa0/10 for demonstration.

Enable Ingress on the Destination Port

! ── Allow the analyser PC to also send traffic (e.g. send ARP, replies)
NetsTuts_SW1(config)#monitor session 1 destination interface Fa0/10 ingress vlan 10

By default, the SPAN destination port drops all inbound frames — the analyser only receives. Adding ingress vlan [id] allows the analyser machine to also send traffic back into the switch in the specified VLAN. This is needed when the analyst wants to respond to packets (e.g. send a TCP RST) or when the monitoring host needs network access itself. Use with care — enabling ingress blurs the boundary between capture-only and active participation.

4. Step 2 — RSPAN Configuration (Remote SPAN)

RSPAN extends mirroring across switches. Configuration requires three parts: creating the RSPAN VLAN on every switch in the path, configuring the source switch to send mirrored traffic into that VLAN, and configuring the destination switch to pull mirrored traffic from the VLAN and deliver it to the local analyser port:

Step 2a — Create the RSPAN VLAN on Both Switches

! ── On BOTH NetsTuts_SW1 and NetsTuts_SW2 ────────────────
SW(config)#vlan 999
SW(config-vlan)#name RSPAN-MIRROR
SW(config-vlan)#remote-span
SW(config-vlan)#exit

The remote-span command marks VLAN 999 as an RSPAN VLAN. This has two effects: STP is automatically disabled for this VLAN (mirrored frames should not loop), and the VLAN is prevented from being assigned to access ports. VLAN 999 must be created and marked remote-span on every switch the RSPAN traffic traverses, including intermediate switches. Ensure VLAN 999 is allowed on the trunk between SW1 and SW2 — check with trunk port configuration.

Step 2b — Configure the Source Switch (SW1)

! ── On NetsTuts_SW1 — mirror Fa0/1 into RSPAN VLAN 999 ──
NetsTuts_SW1(config)#monitor session 1 source interface Fa0/1 both
NetsTuts_SW1(config)#monitor session 1 destination remote vlan 999

NetsTuts_SW1(config)#end
NetsTuts_SW1#wr

On the source switch, the destination is not a physical port but the RSPAN VLAN (destination remote vlan 999). The switch encapsulates the mirrored copies in VLAN 999 and floods them out the trunk toward SW2. No analyser is connected to SW1 in this scenario — the mirrored traffic travels entirely over the trunk to reach SW2.

Step 2c — Configure the Destination Switch (SW2)

! ── On NetsTuts_SW2 — pull from RSPAN VLAN 999 to Fa0/24 ─
NetsTuts_SW2(config)#monitor session 1 source remote vlan 999
NetsTuts_SW2(config)#monitor session 1 destination interface Fa0/24

NetsTuts_SW2(config)#end
NetsTuts_SW2#wr

On the destination switch, the source is the RSPAN VLAN (source remote vlan 999) and the destination is the local port where Wireshark Laptop B is connected. SW2 extracts mirrored frames from VLAN 999 arriving on the trunk and delivers them to Fa0/24. The Wireshark laptop sees all traffic that was mirrored from Fa0/1 on SW1.

RSPAN — Trunk VLAN Verification

! ── Verify VLAN 999 is allowed on the trunk ──────────────
NetsTuts_SW1#show interfaces Gi0/1 trunk
Port        Mode         Encapsulation  Status        Native vlan
Gi0/1       on           802.1q         trunking      1

Port        Vlans allowed on trunk
Gi0/1       1-4094

Port        Vlans allowed and active in management domain
Gi0/1       1,10,20,999

Port        Vlans in spanning tree forwarding state and not pruned
Gi0/1       1,10,20

Note VLAN 999 appears in "Vlans allowed and active" but is absent from "Vlans in spanning tree forwarding state" — this is correct and expected. RSPAN VLANs intentionally have STP disabled. If VLAN 999 does not appear in the active list, add it to the trunk with switchport trunk allowed vlan add 999 on both ends of the trunk link.

5. Step 3 — Multiple Sources and Filtering

Multiple Source Ports in One Session

! ── Mirror a range of ports ──────────────────────────────
NetsTuts_SW1(config)#monitor session 1 source interface Fa0/1 - 5 both

! ── Add individual ports to an existing session ──────────
NetsTuts_SW1(config)#monitor session 1 source interface Fa0/8 rx
NetsTuts_SW1(config)#monitor session 1 source interface Gi0/2 tx

A range is specified with a space-hyphen-space between the first and last port numbers. Multiple monitor session [n] source commands accumulate — each adds to the session rather than replacing the previous source. Each source can have its own direction: Fa0/8 is monitored for received traffic only while Gi0/2 is monitored for transmitted traffic only, all within session 1.

Remove a Source or Clear a Session

! ── Remove Fa0/2 from session 1 ──────────────────────────
NetsTuts_SW1(config)#no monitor session 1 source interface Fa0/2

! ── Remove the entire session ────────────────────────────
NetsTuts_SW1(config)#no monitor session 1

! ── Remove all SPAN sessions ─────────────────────────────
NetsTuts_SW1(config)#no monitor session all

Filter SPAN Traffic by VLAN (on Trunk Source)

! ── Mirror only VLAN 10 traffic from a trunk source port ─
NetsTuts_SW1(config)#monitor session 1 source interface Gi0/1 both
NetsTuts_SW1(config)#monitor session 1 filter vlan 10
NetsTuts_SW1(config)#monitor session 1 destination interface Fa0/10

When a trunk port is used as the source, it carries traffic from all VLANs. Adding filter vlan [id] restricts the mirrored copy to only the specified VLAN — the destination port receives a subset of the trunk traffic. This is useful for isolating one tenant's traffic on a shared trunk without capturing everything. The filter is applied per session and does not affect the trunk itself.

6. Verification

show monitor session 1

NetsTuts_SW1#show monitor session 1
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa0/1,Fa0/2
Destination Ports      : Fa0/10
    Encapsulation      : Native
          Ingress      : Disabled

This output confirms session 1 is a local session. Both Fa0/1 and Fa0/2 are sourced in both directions. Fa0/10 is the destination. "Ingress: Disabled" means the analyser laptop on Fa0/10 cannot send traffic into the switch — capture-only mode. If ingress were enabled, the VLAN would be shown next to "Ingress."

show monitor session 1 — RSPAN Output (SW1)

NetsTuts_SW1#show monitor session 1
Session 1
---------
Type                   : Remote Source Session
Source Ports           :
    Both               : Fa0/1
Dest RSPAN VLAN        : 999

show monitor session 1 — RSPAN Output (SW2)

NetsTuts_SW2#show monitor session 1
Session 1
---------
Type                   : Remote Destination Session
Source RSPAN VLAN      : 999
Destination Ports      : Fa0/24
    Encapsulation      : Native
          Ingress      : Disabled

The session type on SW1 is "Remote Source Session" and on SW2 is "Remote Destination Session" — confirming the RSPAN is correctly split between the two switches. Source RSPAN VLAN on SW2 shows 999, matching the destination RSPAN VLAN on SW1.

show monitor — All Sessions

NetsTuts_SW1#show monitor
Session 1
---------
Type                   : Local Session
Source Ports           :
    Both               : Fa0/1,Fa0/2
Destination Ports      : Fa0/10
    Encapsulation      : Native
          Ingress      : Disabled

Session 2
---------
Type                   : Local Session
Source Ports           :
    RX Only            : Fa0/3
Destination Ports      : Fa0/10
    Encapsulation      : Native
          Ingress      : Disabled

Verification Command Summary

Command	What It Shows	Primary Use
`show monitor`	All active SPAN and RSPAN sessions — sources, destinations, direction, type	Full audit of all mirroring sessions on the switch
`show monitor session [n]`	Details of one session — source ports, destination, encapsulation, ingress state	Verify a specific session is configured correctly
`show vlan id 999`	RSPAN VLAN status — confirms "remote-span" flag is set	Verify RSPAN VLAN is correctly marked on both switches
`show interfaces [int] trunk`	VLANs allowed and active on trunk — confirm RSPAN VLAN is present	Verify RSPAN VLAN is carried across the trunk between source and destination switches
`show running-config \| section monitor`	All monitor session commands in the running config	Full configuration audit — confirm session commands were saved
`show vlan brief`	VLAN database — all VLANs with ports assigned	Confirm RSPAN VLAN exists and no access ports are assigned to it

7. Troubleshooting SPAN & RSPAN Issues

Problem	Symptom	Cause	Fix
Wireshark sees no traffic	SPAN session is configured but the analyser captures nothing	NIC is not in promiscuous mode; destination port is also configured as a source; wrong session number; session not saved	Enable promiscuous mode in Wireshark. Verify with `show monitor session [n]` — confirm source and destination are correct. Check `show running-config \| section monitor` and save with `wr`
SPAN destination port loses connectivity	A device connected to the SPAN destination port cannot send or receive normal traffic	Expected behaviour — SPAN destination ports exit STP and stop forwarding normal frames. They only forward mirrored copies	Move production devices off the destination port. If the analyser also needs network access, enable ingress: `monitor session [n] destination interface [port] ingress vlan [id]`
RSPAN — no traffic at destination switch	Wireshark on SW2 Fa0/24 sees nothing — session is configured correctly on both switches	RSPAN VLAN not allowed on trunk; RSPAN VLAN not marked `remote-span` on one switch; VLAN not active on both switches	Run `show interfaces Gi0/1 trunk` on both switches — confirm VLAN 999 is in "allowed and active." Run `show vlan id 999` — confirm "remote-span" flag. Add VLAN to trunk: `switchport trunk allowed vlan add 999`
Cannot configure second SPAN session	Error when adding a second `monitor session` — IOS rejects the command	Platform limit reached — Catalyst 2960 supports only 2 local SPAN sessions simultaneously	Remove an existing session with `no monitor session [n]` before creating a new one. Check platform datasheet for session limits
Mirrored traffic is missing VLAN tags	Wireshark shows untagged frames — expected 802.1Q tags are missing	Default SPAN encapsulation strips 802.1Q tags — "Native" encapsulation removes tags from mirrored copies	Use `monitor session [n] destination interface [port] encapsulation replicate` to preserve original 802.1Q tags in the mirrored copy. Useful when mirroring trunk ports and needing VLAN information in the capture
RSPAN VLAN assigned to access port	IOS rejects `switchport access vlan 999` with an error	Correct behaviour — RSPAN VLANs cannot be assigned to access ports. The `remote-span` flag prevents this	Use a different VLAN for access ports. Reserve the RSPAN VLAN exclusively for mirrored traffic — no normal hosts should ever connect to it

Key Points & Exam Tips

SPAN mirrors traffic from source ports to a destination port on the same switch. The destination port exits STP and stops carrying normal traffic — connect only an analyser (e.g. Wireshark).
Direction keywords: rx (ingress/received), tx (egress/transmitted), both (default — all traffic). Use direction filtering to reduce capture volume on high-speed links.
RSPAN extends mirroring across switches using a dedicated RSPAN VLAN (remote-span flag). The VLAN must be created and marked on every switch in the path, and must be allowed on all trunk links between them.
On the source switch, the RSPAN destination is a VLAN: destination remote vlan [id]. On the destination switch, the RSPAN source is the same VLAN: source remote vlan [id].
STP is automatically disabled on RSPAN VLANs — this is by design and correct. It will not appear in the STP forwarding state output.
By default, SPAN destination ports have ingress disabled — the analyser cannot send frames into the switch. Add ingress vlan [id] to the destination command if the monitoring host needs network access.
Use encapsulation replicate on the destination to preserve 802.1Q tags in the mirrored copy — needed when the source is a trunk port and VLAN information must be visible in the capture.
Use filter vlan [id] to restrict mirroring on a trunk source port to only the specified VLAN — reduces capture volume and isolates one VLAN's traffic.
show monitor session [n] is the primary verification command — check type (local vs remote), source ports, destination, and ingress state.
On the CCNA exam: know the difference between local SPAN and RSPAN, RSPAN VLAN requirements (remote-span on all switches, allowed on all trunks, no access ports), and the monitor session command syntax for source and destination.

Next Steps: With SPAN capturing live traffic, use Wireshark to analyse the packet stream. For monitoring control-plane events generated by switch activity, see Syslog Configuration. To mirror traffic from specific VLANs captured during this lab, review VLAN Creation & Management and Trunk Port Configuration. For flow-based traffic monitoring and statistics without packet capture, see NetFlow Configuration.

TEST WHAT YOU LEARNED

1. What happens to normal traffic forwarding on a port configured as a SPAN destination?

A. The port continues forwarding normal traffic AND receives mirrored copies — both streams are delivered to the analyser B. The port enters a half-duplex mode — it receives mirrored frames but can still transmit normal traffic outbound C. The port exits STP participation and stops forwarding normal traffic entirely — it only delivers mirrored copies. Any device connected to the destination port cannot send or receive production frames unless ingress is explicitly enabled D. Normal traffic is unaffected — the SPAN feature is implemented purely in software and does not change port state

Correct answer is C. A SPAN destination port is placed in a special monitoring state by the switch hardware. It exits STP, ceases participating in normal MAC learning for the destination VLAN, and stops forwarding frames from any connected device (ingress is disabled by default). The port becomes a unidirectional output pipe for mirrored copies only. This is why you cannot use a SPAN destination port for a production host — it will lose network connectivity. To allow the analyser to also send traffic, you must explicitly enable ingress with the ingress vlan [id] keyword on the destination command.

2. What is the purpose of the `remote-span` command applied to a VLAN in RSPAN?

A. It marks the VLAN as an RSPAN transport VLAN — STP is automatically disabled on it, access ports cannot be assigned to it, and the switch knows to use it for inter-switch mirroring. It must be applied on every switch in the RSPAN path B. It encrypts the mirrored traffic carried in the VLAN so it cannot be captured by intermediate switches C. It assigns the VLAN a higher STP priority so mirrored frames are never blocked by the spanning tree D. It enables the VLAN to carry both normal and mirrored traffic simultaneously on trunk ports

Correct answer is A. The remote-span command performs several actions simultaneously: it flags the VLAN in the VLAN database as an RSPAN transport VLAN, automatically disables STP for that VLAN (mirrored frames should not loop through the network), and prevents any access port from being assigned to it (no normal hosts can contaminate the mirror stream). This command must be issued in VLAN configuration mode on every switch that the RSPAN VLAN traverses — including intermediate switches between the source switch and the destination switch. Without it, the RSPAN session on the source switch will fail to configure properly.

3. An engineer configures RSPAN with source on SW1 and destination on SW2. The RSPAN VLAN is created and marked correctly on both switches. Wireshark on SW2 still sees no traffic. What is the most likely cause?

A. RSPAN is not supported on Cisco Catalyst switches — only SPAN is available B. The RSPAN VLAN cannot be VLAN 999 — only VLANs in the range 100–200 are valid for RSPAN C. The analyser on SW2 must be connected to the same port that the source traffic originated from on SW1 D. The RSPAN VLAN is not allowed on the trunk link between SW1 and SW2 — mirrored frames encapsulated in VLAN 999 are being pruned or filtered at the trunk. Add the RSPAN VLAN to the allowed list with switchport trunk allowed vlan add 999 on both ends

Correct answer is D. Even when the RSPAN VLAN is correctly created and marked remote-span on both switches, the mirrored traffic still needs to physically traverse the trunk between the switches. If VLAN 999 is not in the "allowed and active" list on the trunk, the frames will be discarded at the trunk boundary. Verify with show interfaces [trunk-int] trunk on both switches and look for VLAN 999 in the "Vlans allowed and active in management domain" section. RSPAN VLANs will not appear in the STP forwarding state output — this is normal and expected, not a problem.

4. What does `monitor session 1 source interface Fa0/1 rx` capture compared to `monitor session 1 source interface Fa0/1 both`?

A. rx and both are identical — rx is the shorthand for bidirectional mirroring on all Catalyst platforms B. rx captures only frames arriving at Fa0/1 (ingress — what the connected device is sending into the switch). both captures frames in both directions — received (rx) and transmitted (tx). Using rx halves the mirror volume and is useful when only client-originated traffic is needed C. rx captures encrypted traffic only — both also includes unencrypted frames D. rx mirrors the physical signal including layer 1 errors — both mirrors only valid Ethernet frames

Correct answer is B. The direction keywords control which side of the port is mirrored. rx (receive/ingress) mirrors only frames that arrive at the port from the connected device — useful for monitoring client behaviour. tx (transmit/egress) mirrors only frames the switch sends out to the connected device — useful for monitoring server responses or switch-generated traffic. both captures all frames in both directions and is the default when no direction is specified. Using rx or tx alone reduces the load on the destination port and the analyser — important when mirroring high-speed links where full bidirectional capture would exceed the destination port's bandwidth.

5. An engineer issues `monitor session 1 source vlan 10 both` instead of listing individual ports. What is the effect?

A. Only VLAN 10 tagged frames on trunk ports are mirrored — access ports in VLAN 10 are excluded B. The command fails — source vlan is only valid for RSPAN sessions, not local SPAN C. All ports currently assigned to VLAN 10 are mirrored as a group — including any new ports added to VLAN 10 in the future. This eliminates the need to update the SPAN session when VLAN membership changes D. All 4094 VLANs are mirrored — the VLAN number after source vlan is ignored by the switch hardware

Correct answer is C. Using source vlan [id] creates a VLAN-based SPAN source rather than a port-based source. The switch dynamically mirrors all ports that belong to the specified VLAN — you do not need to enumerate them individually. This is particularly useful in environments where VLAN membership changes frequently (e.g., dynamic VLAN assignment via 802.1X). The SPAN session automatically includes new ports as they join VLAN 10 and stops mirroring ports that leave VLAN 10. Note that source VLAN SPAN and source port SPAN cannot be mixed in the same session on most platforms.

6. Why does RSPAN disable STP on the RSPAN VLAN, and why is this safe?

A. STP is disabled to increase mirrored frame throughput — STP BPDUs consume bandwidth that should be reserved for mirrored copies B. STP is disabled because RSPAN VLANs use a proprietary encapsulation that STP cannot process C. STP is disabled to prevent the RSPAN VLAN from appearing in the VLAN database on intermediate switches D. Mirrored frames are copies — they have no network impact and do not represent real topology changes. STP is safe to disable because: no normal hosts use the RSPAN VLAN (access ports are blocked from joining it), the RSPAN VLAN is unidirectional by nature, and flooding mirrored copies does not create bridging loops since there is no return path for those frames

Correct answer is D. STP exists to prevent bridging loops caused by redundant paths between switches. In an RSPAN VLAN, there are no normal hosts and no legitimate return traffic — the frames flowing in the RSPAN VLAN are one-directional copies that will only be consumed by the analyser at the destination switch. A loop in an RSPAN VLAN would require a device to take a mirrored copy, retransmit it, have that retransmission mirrored again, and so on — which cannot happen because the destination port has ingress disabled and the RSPAN VLAN prevents access port assignment. The design constraints of RSPAN make STP redundant, so it is disabled to simplify forwarding and reduce overhead.

7. An engineer needs to capture mirrored traffic from a trunk port but only wants to see frames belonging to VLAN 20. Which command achieves this?

A. monitor session 1 filter vlan 20 — added after configuring the trunk port as the source. This restricts the mirrored copy to only VLAN 20 frames from the trunk, reducing capture volume at the destination port B. monitor session 1 source interface [trunk-port] vlan 20 — the VLAN filter is appended to the source command C. monitor session 1 destination interface [port] filter vlan 20 — filtering is applied at the destination, not the source D. SPAN cannot filter by VLAN on trunk sources — you must use RSPAN with the RSPAN VLAN set to 20 to achieve per-VLAN filtering

Correct answer is A. The monitor session [n] filter vlan [id] command is a separate line added to a session that already has a source configured. It tells the switch to only include frames from the specified VLAN in the mirrored copy — all other VLAN traffic on the trunk source is excluded. This is especially useful when a trunk carries dozens of VLANs but only one needs to be analysed. The filter is per-session and does not affect the trunk's actual forwarding behaviour. The syntax is not appended to the source or destination command — it is a standalone filter command for the session.

8. A Wireshark capture on a SPAN destination port shows untagged frames even though the source is a trunk carrying 802.1Q-tagged traffic. What configuration change preserves the VLAN tags in the capture?

A. Add switchport mode trunk to the SPAN destination port — configuring it as a trunk allows 802.1Q tags to pass through B. Replace the destination command with monitor session 1 destination interface [port] encapsulation replicate — this instructs the switch to preserve the original 802.1Q encapsulation in the mirrored copy rather than stripping it C. Configure the native VLAN on the destination port to match the source VLAN — this restores the tag in the mirrored frames D. 802.1Q tags are always stripped in SPAN — this cannot be changed. Use RSPAN instead, which preserves tags automatically

Correct answer is B. By default, SPAN uses "Native" encapsulation on the destination port — this strips 802.1Q tags from mirrored frames before delivering them to the analyser. To preserve the original encapsulation (including VLAN tags), add the encapsulation replicate keyword to the destination command. This causes the switch to deliver an exact copy of the frame including its 802.1Q header, allowing Wireshark to decode and display the VLAN ID. This is critical when mirroring trunk ports where VLAN identification is required for analysis. Note that this option is not available on all Catalyst platforms — check the platform datasheet.

9. On a Catalyst 2960, an engineer tries to add a third SPAN session. IOS returns an error. What is the most likely cause and fix?

A. The IOS version is too old — upgrade to 15.x to support up to 64 sessions B. Only session numbers 1 and 2 are valid — session 3 is reserved for system diagnostics C. The Catalyst 2960 supports a maximum of 2 simultaneous local SPAN sessions. Remove an existing session with no monitor session [n] before creating the new one. If more sessions are needed, use a higher-end platform such as the Catalyst 3750 D. SPAN sessions 1 and 2 are already using the only two destination ports available — a third destination port must be added before a third session can be created

Correct answer is C. Platform hardware resources limit the number of simultaneous SPAN sessions. The Catalyst 2960 supports a maximum of 2 local SPAN sessions at any time — this is a hardware limitation, not an IOS version restriction. If a third monitoring requirement arises, one of the existing sessions must be removed with no monitor session [n] before the new session can be configured. The Catalyst 3560 and 3750 support 2 local SPAN sessions plus up to 66 RSPAN sessions. Higher-end platforms (4500, 6500) support significantly more concurrent sessions. Always check the platform-specific datasheet for SPAN session limits.

10. Which of the following correctly describes the configuration required on both switches to implement RSPAN where SW1's Fa0/3 traffic is captured by Wireshark on SW2's Fa0/20, using VLAN 500?

! SW1 only:
vlan 500
 remote-span
monitor session 1 source interface Fa0/3 both
monitor session 1 destination interface Fa0/20

! SW1:
monitor session 1 source interface Fa0/3 both
monitor session 1 destination remote vlan 500
! SW2:
monitor session 1 source remote vlan 500
monitor session 1 destination interface Fa0/20
! (No VLAN config required — remote-span is automatic)

! SW1 and SW2:
vlan 500
 remote-span
monitor session 1 source interface Fa0/3 both
monitor session 1 destination interface Fa0/20

! SW1 and SW2:
vlan 500
 remote-span
! SW1:
monitor session 1 source interface Fa0/3 both
monitor session 1 destination remote vlan 500
! SW2:
monitor session 1 source remote vlan 500
monitor session 1 destination interface Fa0/20
! Plus: VLAN 500 must be allowed on the trunk between SW1 and SW2

Correct answer is D. RSPAN requires all four components to work together: (1) VLAN 500 must be created and marked remote-span on BOTH switches — not just one. (2) On SW1, the destination is the RSPAN VLAN (destination remote vlan 500), not a port. (3) On SW2, the source is the RSPAN VLAN (source remote vlan 500), not a port — and the destination is the local analyser port Fa0/20. (4) VLAN 500 must be allowed on the trunk between SW1 and SW2 — without this, the mirrored frames are discarded at the trunk boundary. Option A uses a local destination (Fa0/20 on SW1, not SW2). Option B omits the VLAN creation entirely. Option C uses identical commands on both switches instead of split source/destination roles.

Back to Home