What Is SPAN and RSPAN in Networking?

Also known as: SPAN, RSPAN, Cisco SPAN, port mirroring, CCNP ENCOR

Reviewed by Johnson Ajibi · Senior Network & Security Engineer · MSc IT Security

Quick Definition

SPAN and RSPAN let you copy traffic from one part of a network to a special port where you can monitor it. Think of it like tapping a phone line legally to record calls without interrupting them. RSPAN does the same thing but across different switches in a network.

Must Know for Exams

SPAN and RSPAN are specific topics in the Cisco CCNP ENCOR (350-401) exam, which is a core exam for the CCNP Enterprise certification. The exam objectives include 'Monitoring and Troubleshooting' as a major domain, and within that, candidates must understand how to configure and verify SPAN and RSPAN. The exam expects you to know the differences between local SPAN, RSPAN, and ERSPAN, and when to use each.

For example, you might be asked to design a monitoring solution for a network that spans multiple switches and requires sending traffic to a central analyzer. You would need to choose RSPAN over local SPAN because the destination is on a different switch. The exam also tests configuration commands, such as using 'monitor session 1 source interface GigabitEthernet 0/1 both' and 'monitor session 1 destination interface GigabitEthernet 0/2'.

You need to know that the source can be an interface, a VLAN, or multiple interfaces. Additionally, you must understand the limitations, such as the number of SPAN sessions supported and the fact that SPAN traffic does not include Layer 2 control traffic like STP BPDUs. The exam may present scenario-based questions where you have to identify why a SPAN session is not working, perhaps because the destination port is already in use or because the RSPAN VLAN is not configured on an intermediate switch.

Understanding these details is critical for passing the exam. Moreover, SPAN and RSPAN concepts can appear in the context of security monitoring, as the exam also covers network security features like ACLs and firewall policies. You might be asked how to use SPAN to feed traffic into a Cisco Firepower or IOS-based IPS.

For the ENCOR exam, you should be prepared to answer multiple-choice questions, drag-and-drop questions about configuration steps, and simulation questions where you must configure a SPAN session on a virtual switch. Mastering SPAN and RSPAN not only helps you pass the exam but also builds a foundation for real-world network monitoring tasks.

Simple Meaning

Imagine you work in a large office building with many rooms, and each room has a conversation happening inside. You want to hear what is being said in one room, but you cannot stand outside that room all day. SPAN is like installing a hidden microphone in that room that sends the audio to a listening station in another room.

You can hear everything without disturbing the people talking. Now imagine you want to hear conversations happening in several rooms, and the listening station is in a completely different building. RSPAN works like a system of microphones that send audio from those rooms to a central listening station in another building, using a special cable that runs between the buildings.

In networking terms, SPAN copies packets from one switch port to another port on the same switch. RSPAN copies packets from ports on one switch to a port on a different switch. Network engineers use these features to monitor traffic for troubleshooting, security analysis, or performance measurement without interfering with the normal flow of data.

You can think of SPAN and RSPAN as non-intrusive observers that silently watch traffic and report back to a monitoring tool. They do not change or stop the traffic, just like a security camera recording a hallway does not stop people from walking. This makes them very useful for diagnosing problems, catching malicious activity, or understanding how the network is performing.

The key idea is that you get a copy of the traffic, not the original, so the network keeps running normally while you analyze the copy.

Full Technical Definition

SPAN, which stands for Switch Port Analyzer, is a Cisco proprietary feature that allows a network administrator to configure a switch to copy traffic from one or more source ports to a destination port for analysis by a monitoring device such as a packet sniffer or an intrusion detection system. The source ports can be individual ports, VLANs, or a combination of both. The destination port is typically connected to a device that captures and analyzes the copied traffic.

SPAN operates at Layer 2 and can copy both ingress traffic (traffic entering the source port) and egress traffic (traffic leaving the source port). Administrators can configure SPAN to copy only ingress traffic, only egress traffic, or both. The original traffic is forwarded normally to its intended destination; SPAN merely creates a copy for monitoring.

SPAN sessions do not affect the switch’s normal forwarding behavior, but they do consume additional switch resources because the switch must process and forward the copied traffic. Each switch supports a limited number of concurrent SPAN sessions, typically one or two depending on the platform. RSPAN, or Remote SPAN, extends this concept across multiple switches.

Instead of sending the copied traffic directly to a local destination port, RSPAN sends the traffic over a dedicated VLAN called an RSPAN VLAN that spans multiple switches. A source switch copies traffic from its source ports into the RSPAN VLAN. The RSPAN VLAN carries the copied traffic across the network to a destination switch, where a destination port extracts the traffic from the RSPAN VLAN and forwards it to a monitoring device.

RSPAN requires that all switches involved support the RSPAN feature and that the RSPAN VLAN is configured consistently across all devices. Intermediate switches treat the RSPAN VLAN like any other VLAN, forwarding the traffic based on MAC addresses, but they do not attempt to use the data for anything other than transport. Both SPAN and RSPAN can monitor multiple source ports simultaneously, but the combined bandwidth of all source ports should not exceed the bandwidth of the destination port to avoid packet drops.

Additionally, RSPAN introduces some latency because the traffic must be encapsulated and must traverse the network. For advanced monitoring, Cisco also offers ERSPAN (Encapsulated Remote SPAN), which tunnels the copied traffic over a Layer 3 network using GRE encapsulation, allowing monitoring across routed boundaries. ERSPAN is often used in data center and cloud environments where the source and destination are not in the same Layer 2 domain.

Understanding the differences between SPAN, RSPAN, and ERSPAN is critical for the CCNP ENCOR exam, as candidates must know when to use each and how to configure them properly.

Real-Life Example

Imagine you are a security guard at a large shopping mall. The mall has hundreds of stores, each with its own entrance and exit. Your job is to watch for suspicious activity, but you cannot be everywhere at once.

SPAN is like having a supervisor who can set up a special security camera that records everything happening at a specific store entrance and sends the video feed directly to your monitor in the security office. You can watch that feed in real time without affecting the shoppers entering or leaving the store. The camera does not block anyone or slow them down.

Now imagine the mall has two separate buildings connected by a walkway. There is a store in one building that you want to monitor, but your security office is in the other building. RSPAN is like installing a camera at that store and running a dedicated cable through the walkway to your office.

The video travels from the source building to your office through that cable. The walkway itself is like the RSPAN VLAN; it is a special path used only for the copied traffic. The camera at the store is the source port, the cable is the RSPAN VLAN, and your monitor is the destination port.

You can watch the store’s activity from your office just as if the camera were connected directly. In both cases, the stores continue operating normally because you are only watching a copy of the video, not interfering with the original. The mall manager can later review the recorded video to see if any theft occurred or if customers were having trouble finding an exit.

Similarly, network engineers use SPAN and RSPAN to capture traffic for later analysis or real-time monitoring without affecting network performance. The key is that the monitoring is passive, which means it does not add risk or slow down the network.

Why This Term Matters

SPAN and RSPAN are fundamental tools in network monitoring, troubleshooting, and security analysis. In real IT work, networks are complex and problems can be hard to diagnose without seeing the actual traffic. SPAN allows administrators to capture traffic from a specific port or VLAN and send it to a tool like Wireshark for deep packet inspection.

This is invaluable when users report slow performance, applications fail, or when you suspect a security breach. Instead of guessing what is happening, you can see the exact packets being sent and received. For cybersecurity, SPAN and RSPAN are often used to feed traffic into intrusion detection systems (IDS) or network-based antivirus solutions.

These systems analyze the copied traffic for signs of malware, unauthorized access, or data exfiltration. Without SPAN, you would have to place inline security devices that could become a bottleneck or point of failure. With SPAN, the monitoring is out of band, meaning it does not affect the live traffic path.

In enterprise networks, RSPAN is crucial when you need to aggregate traffic from multiple switches into a central monitoring station. For example, a company might have switches in different floors or different buildings. Using RSPAN, the network team can send copies of traffic from all these switches to a single security appliance located in a data center.

This centralizes monitoring and reduces the number of monitoring devices needed. Additionally, SPAN and RSPAN are used for network performance monitoring. Tools like NetFlow or sFlow often rely on SPAN to get a copy of the traffic for statistical analysis.

This helps in capacity planning, identifying bandwidth hogs, and ensuring quality of service (QoS) policies are working. In short, SPAN and RSPAN are essential for any network professional who needs to see what is happening on the wire without disrupting operations. Without these features, network troubleshooting would be much harder and more intrusive.

How It Appears in Exam Questions

In certification exams like CCNP ENCOR, SPAN and RSPAN appear in several types of questions. Scenario-based questions are common. For example, the question might describe a network with several switches and a network monitoring device connected to a specific port on the core switch.

The scenario says that users on a certain VLAN are experiencing issues, and you need to capture traffic from that VLAN. You must decide whether to configure a local SPAN session on the access switch or use RSPAN to send the traffic to the core switch where the monitoring device is connected. The correct answer would be to use RSPAN if the monitoring device is on a different switch.

Configuration questions ask you to identify the correct commands to set up a SPAN session. For instance, given a topology, you might need to select the command that configures a SPAN session copying both ingress and egress traffic from interface FastEthernet 0/1 to interface FastEthernet 0/24. The answer would be 'monitor session 1 source interface FastEthernet 0/1 both' followed by 'monitor session 1 destination interface FastEthernet 0/24'.

Troubleshooting questions present a scenario where a SPAN session is configured but no traffic is being captured. Possible causes include the destination port being configured with an IP address, the source port being a trunk port with VLAN filtering, or the destination port being in a different VLAN. You would need to identify the misconfiguration.

Architecture questions might ask about the impact of SPAN on switch resources or the bandwidth limitations. For example, a question could state that a switch has four gigabit source ports being monitored and a single gigabit destination port, and ask what will happen if the total traffic exceeds one gigabit. The answer is packet drops on the destination port.

Another question type focuses on the difference between SPAN and RSPAN, asking which technology is appropriate when the monitoring device is on a different switch. You might also see questions about ERSPAN, asking how it differs from RSPAN, specifically that ERSPAN uses GRE encapsulation to traverse Layer 3 networks. Understanding these patterns helps you prepare effectively for the exam.

Example Scenario

A medium-sized company has a network with two switches: Switch A on the first floor and Switch B on the second floor. The company uses a network monitoring tool running on a laptop connected to port 24 on Switch B. The IT manager suspects that a virus is spreading from a computer connected to port 5 on Switch A.

To investigate, she needs to capture all traffic entering and leaving that computer without interrupting the user. She decides to use RSPAN because the monitoring laptop is on a different switch. First, she creates an RSPAN VLAN on both switches, say VLAN 200.

On Switch A, she configures an RSPAN session that copies traffic from port 5 to VLAN 200. On Switch B, she configures an RSPAN session that takes traffic from VLAN 200 and sends it to port 24, where the laptop is connected. The laptop runs Wireshark and captures the packets.

She analyzes the traffic and finds the virus sending data to an external IP address. She then blocks that IP address on the firewall and disconnects the infected computer for cleanup. This scenario shows how RSPAN enables remote monitoring without needing to physically move the monitoring laptop or deploy additional hardware.

The network remained operational during the entire investigation. The IT manager also learned that RSPAN VLAN traffic is isolated from normal user traffic, so the monitoring did not interfere with any other applications. This example demonstrates the practical value of RSPAN in a real-world troubleshooting situation.

Common Mistakes

Thinking that SPAN and RSPAN can be used to monitor traffic on any port without any limitations.

SPAN and RSPAN have several limitations. For instance, they cannot monitor control plane traffic like routing protocol updates or STP BPDUs. Also, the combined bandwidth of source ports should not exceed the destination port bandwidth, or packets will be dropped.

Always check the platform documentation for SPAN limitations. Use SPAN only for user data traffic, and ensure the destination port has enough capacity to handle the aggregate traffic.

Configuring the destination SPAN port with an IP address or using it for normal traffic.

A SPAN destination port is a special port that should not have an IP address or participate in normal switching. If you assign an IP address, the switch may try to route traffic from that port, causing errors or preventing SPAN from working.

Leave the SPAN destination port as a Layer 2 access port without an IP address. It should be in shutdown state until the SPAN session is configured, then enable it only for monitoring.

Forgetting to configure the RSPAN VLAN on all intermediate switches between the source and destination.

If an intermediate switch does not have the RSPAN VLAN configured, it will not forward the RSPAN traffic, breaking the monitoring path. The RSPAN VLAN must be created and allowed on all trunk links that the traffic traverses.

Plan your RSPAN VLAN ahead and configure it on every switch in the path. Use 'vlan 100' and name it 'RSPAN' for clarity. Ensure trunk ports have the VLAN in their allowed list.

Believing that SPAN sessions automatically include all VLANs on a trunk port when monitoring a trunk.

By default, a SPAN session monitoring a trunk port copies traffic for every VLAN that is active and in the allowed list on that trunk. You can apply a VLAN filter to restrict the session to specific VLANs; without a filter, all of those VLANs are monitored.

If you want to monitor specific VLANs on a trunk, use 'monitor session 1 source interface GigabitEthernet 0/1 rx' and then add 'monitor session 1 filter vlan 10,20'. Verify with 'show monitor session 1'.

Assuming that RSPAN and SPAN are interchangeable in all situations.

SPAN works only on the same switch. RSPAN is needed when the monitoring device is on a different switch. Using SPAN when the destination is remote will not work. Also, RSPAN requires a dedicated VLAN, which uses additional resources.

First determine the location of the monitoring device relative to the source ports. If it is on the same switch, use local SPAN. If it is on a different switch, use RSPAN. If it is across a router, consider ERSPAN.

Exam Trap — Don't Get Fooled

A question shows a SPAN session configured on a switch with a destination port that is also configured as a trunk carrying multiple VLANs. The question asks if traffic will be captured correctly. Remember that a SPAN destination port must be a Layer 2 access port, not a trunk port.

If the destination port is a trunk, the switch may not forward the captured traffic correctly, or the monitoring device may receive extra tags. Always configure the destination port as an access port in a dedicated VLAN (often VLAN 1 or a monitoring VLAN). Check the Cisco documentation for your specific switch model.

Commonly Confused With

SPAN and RSPAN vs Port Mirroring

Port mirroring is a generic term used by many vendors for the same concept as SPAN. SPAN is Cisco's implementation. The difference is mainly terminology, but some vendors' port mirroring may have additional features or limitations.

If you use a Juniper switch, you would refer to 'port mirroring' instead of 'SPAN', but the idea is the same: copying traffic to another port.

SPAN and RSPAN vs NetFlow

NetFlow is a feature that collects metadata about traffic flows, such as source and destination IPs, ports, and protocol, instead of copying the actual packets. SPAN copies the full packets. NetFlow is less resource-intensive but does not allow deep packet inspection.

Using SPAN is like recording a whole movie. Using NetFlow is like writing down the title, the actors, and the runtime. Both tell you something about the movie, but one gives you the full content.

SPAN and RSPAN vs Traffic Shaping

Traffic shaping is an active technique that delays or drops packets to enforce bandwidth limits. SPAN is passive and does not modify traffic. Shaping changes traffic flow while SPAN only observes it.

SPAN is like a speed camera that records car speeds. Traffic shaping is like a traffic light that slows down cars to keep traffic flowing smoothly.

SPAN and RSPAN vs TAP (Test Access Point)

A TAP is a physical device inserted inline between two network devices to copy traffic. SPAN is a software feature on a switch. TAPs are more reliable for high-speed monitoring because they do not drop packets under load, but they require physical installation.

SPAN is like a software recording app on your phone. A TAP is like a hardware splitter cable that sends a copy of the signal to a recorder without any software involvement.

Step-by-Step Breakdown

1. Identify the monitoring goal

Determine what traffic you need to monitor and why. For example, you might want to capture all traffic from a specific user's computer to troubleshoot a slow application. This step helps you decide on the source ports and the monitoring device's location.

2. Choose local SPAN or RSPAN

If the monitoring device is connected to the same switch as the source traffic, use local SPAN. If the monitoring device is on a different switch, you need RSPAN. If the device is across a router, consider ERSPAN. This choice determines the configuration approach.

3. Configure the source ports

On the source switch, use the command 'monitor session 1 source interface <interface> <rx|tx|both>' to specify which ports to monitor. You can also specify a VLAN as the source. The keyword 'both' copies ingress and egress traffic.

4. Configure the destination port (local SPAN) or RSPAN VLAN (RSPAN)

For local SPAN, use 'monitor session 1 destination interface <interface>' to send the copied traffic to a specific port. Ensure that port is in access mode and has no IP address. For RSPAN, create a VLAN dedicated to RSPAN using 'vlan <vlan-id>' and name it, then configure the session to use that VLAN as the destination.

5. Configure RSPAN on the destination switch

On the switch where the monitoring device is connected, create the same RSPAN VLAN. Then configure a session that sources traffic from that RSPAN VLAN and sends it to the port connected to the monitoring device. Use 'monitor session 1 source remote vlan <vlan-id>' and 'monitor session 1 destination interface <interface>'.

6. Verify the configuration

Use 'show monitor session 1' on both switches to confirm the session is active. Check that the source and destination are correct and that no errors are reported. Also verify that the RSPAN VLAN is present on intermediate switches and trunk links.
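The checks from Common Mistakes and the verification step above, applied to the Example Scenario's two switches, as an added example (not from the original page or from Cisco). The config excerpts, the Gi0/1 uplinks, the full interface names and the function names are assumptions; `remote-span` is the IOS VLAN sub-command that marks a VLAN as an RSPAN VLAN, which the page does not spell out.

```python
import re

# Constructed running-config excerpts for the page's scenario (host on Switch A
# port 5, analyzer on Switch B port 24, RSPAN VLAN 200). Uplink Gi0/1 is assumed.
ON_EVERY_SWITCH = """\
vlan 200
 name RSPAN
 remote-span
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,200
"""
SWITCH_A = ON_EVERY_SWITCH + """\
monitor session 1 source interface FastEthernet0/5 both
monitor session 1 destination remote vlan 200
"""
SWITCH_B = ON_EVERY_SWITCH + """\
interface FastEthernet0/24
 switchport mode access
monitor session 1 source remote vlan 200
monitor session 1 destination interface FastEthernet0/24
"""
MBPS = {"Fast": 100, "Giga": 1000, "TenG": 10000}  # nominal speed by full-name prefix

def parse(cfg):
    """Map each top-level IOS command to the list of its indented sub-commands."""
    blocks, current = {}, None
    for line in cfg.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if not line.startswith(" "):
            current = line.strip()
            blocks[current] = []
        elif current is not None:
            blocks[current].append(line.strip())
    return blocks

def expand(vlans):
    """Expand an IOS VLAN list such as '10,20,100-102' into a set of ids."""
    ids = set()
    for part in vlans.split(","):
        lo, _, hi = part.partition("-")
        ids.update(range(int(lo), int(hi or lo) + 1))
    return ids

def audit(path, rspan_vlan):
    """Check every switch on the RSPAN path; return a list of finding strings."""
    findings, src_mbps, dst_mbps = [], 0, None
    for name, cfg in path.items():
        blocks = parse(cfg)
        # The RSPAN VLAN must exist, flagged remote-span, on every switch in the path.
        vlan = blocks.get(f"vlan {rspan_vlan}")
        if vlan is None:
            findings.append(f"{name}: VLAN {rspan_vlan} not defined")
        elif "remote-span" not in vlan:
            findings.append(f"{name}: VLAN {rspan_vlan} lacks remote-span")
        for top, sub in blocks.items():
            # A trunk with no allowed-list line carries all VLANs by default.
            if top.startswith("interface ") and "switchport mode trunk" in sub:
                lists = [s.split()[-1] for s in sub if re.match(
                    r"switchport trunk allowed vlan (add )?[\d,-]+$", s)]
                if lists and rspan_vlan not in set().union(*map(expand, lists)):
                    findings.append(f"{name}: trunk {top[10:]} blocks VLAN {rspan_vlan}")
            m = re.match(r"monitor session \d+ (source|destination) interface (\S+)", top)
            if not m:
                continue
            role, port = m.groups()
            if role == "source":
                src_mbps += MBPS[port[:4]]
                continue
            # Destination port: plain Layer 2 access port, no trunking, no IP address.
            dst_mbps, dst = MBPS[port[:4]], blocks.get(f"interface {port}", [])
            if "switchport mode trunk" in dst:
                findings.append(f"{name}: destination {port} is a trunk")
            if any(s.startswith("ip address") for s in dst):
                findings.append(f"{name}: destination {port} has an IP address")
    # Page's rule: combined source port speed should not exceed the destination's.
    if dst_mbps is not None and src_mbps > dst_mbps:
        findings.append(f"sources total {src_mbps} Mbps > destination {dst_mbps} Mbps")
    return findings

if __name__ == "__main__":
    print(audit({"SwitchA": SWITCH_A, "SwitchB": SWITCH_B}, 200) or "no findings")
```

The parser reads only single-interface 'source interface' lines with full interface names; interface ranges and the 'allowed vlan remove/except' forms are out of scope.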

Practical Mini-Lesson

In practice, SPAN and RSPAN are often used by network engineers during incident response or routine maintenance. The first step is always to know exactly which traffic you need to see. If you are troubleshooting a specific user's complaint, you might monitor their switch port.

If the issue affects an entire department, you might monitor the VLAN that serves them. Once you know the source, you need to decide where to send the copy. Many organizations have a dedicated monitoring server with multiple network interfaces, each connected to a switch port reserved for SPAN.

That server runs software like Wireshark, tcpdump, or commercial analyzers such as SolarWinds or PRTG. When configuring SPAN, always consider the bandwidth. If you monitor four 1 Gbps ports, the destination port must also be 1 Gbps or faster, but if the total incoming traffic exceeds 1 Gbps, the destination port will drop packets.

In such cases, you might monitor only ingress traffic or use a higher-speed destination port; 10 Gbps ports are common in data centers. Another practical point is that SPAN sessions can interfere with each other if you create too many. Cisco switches typically support 1 or 2 SPAN sessions simultaneously, though some models support more.

Always check your platform. For RSPAN, you must also ensure that the RSPAN VLAN is not used for regular user traffic. A common mistake is to reuse an existing VLAN for RSPAN, which can cause broadcast storms or monitoring loops.

Create a separate VLAN, usually with a high number like 999, and name it clearly. Also, be aware that RSPAN traffic traverses the network just like normal traffic, so it consumes bandwidth on trunk links. In busy networks, RSPAN can add load to inter-switch links, potentially affecting performance.

Some engineers mitigate this by using a dedicated monitoring network or by limiting the source ports to only critical traffic. Finally, always document your SPAN and RSPAN configurations. When troubleshooting later, you may need to know which sessions are active and why.

Use 'show monitor session all' to view all sessions. If you need to remove a session, use 'no monitor session <session-id>'. Understanding these practical aspects will make you more effective in your job and better prepared for the exam.

Memory Tip

Remember: SPAN is Same switch, RSPAN is Remote switch. Both copy traffic without touching the original. Think 'SPAN' for 'Same Port Analyzer', and 'R' for 'Remote'.

Frequently Asked Questions

What is the difference between SPAN and port mirroring?

SPAN is Cisco's implementation of port mirroring. Other vendors use the term port mirroring, but the concept is identical: copying traffic from one or more ports to another port for monitoring.

Can I monitor a VLAN with SPAN?

Yes, you can configure a SPAN session with a VLAN as the source. All traffic in that VLAN will be copied to the destination port. Use the command 'monitor session 1 source vlan 100 both' to monitor VLAN 100.

Does SPAN affect network performance?

SPAN itself does not affect normal traffic forwarding, but it does consume switch resources because the switch must copy and forward the traffic to the destination port. If you monitor many high-bandwidth ports, the switch CPU or backplane may become overloaded, potentially impacting performance.

What is ERSPAN and how is it different from RSPAN?

ERSPAN (Encapsulated Remote SPAN) uses GRE encapsulation to tunnel copied traffic over Layer 3 networks. RSPAN works only within Layer 2 domains. ERSPAN is used when the monitoring device is on a different IP subnet or across a router.

How many SPAN sessions can I configure on a Cisco switch?

The number of SPAN sessions depends on the switch model. Most Catalyst 2960 and 3560 series support one SPAN session, while higher-end models like the 3850 support up to two. Always check the specific platform documentation.

Can I use a trunk port as a SPAN destination?

No, a SPAN destination port should be a Layer 2 access port. Using a trunk port can cause the monitoring device to receive untagged or double-tagged frames, leading to confusion. Configure the destination port in access mode.

What happens if the SPAN destination port becomes oversubscribed?

If the combined traffic from all source ports exceeds the bandwidth of the destination port, packets are dropped on the destination port. The original traffic is not affected. This is why you should monitor sources that have a total bandwidth less than or equal to the destination port speed.

Summary

SPAN and RSPAN are essential tools for network monitoring and troubleshooting, allowing IT professionals to capture copies of network traffic without disrupting normal operations. SPAN works on a single switch, while RSPAN extends this capability across multiple switches using a dedicated VLAN. These features are widely used in enterprise networks for security analysis, performance monitoring, and incident response.

In the context of the CCNP ENCOR exam, understanding the configuration, limitations, and differences between SPAN, RSPAN, and ERSPAN is critical. You can expect scenario-based and configuration questions that test your ability to choose the right tool and configure it correctly. Key takeaways include knowing that SPAN destination ports must be access ports, that RSPAN requires a separate VLAN on all intermediate switches, and that bandwidth limitations can cause packet drops.

Mastering SPAN and RSPAN will not only help you pass the exam but also equip you with practical skills for real-world network management. Remember to always verify your configuration with show commands and document your sessions for future reference.