CCNA SPAN, RSPAN, and ERSPAN Questions

75 of 76 questions · Page 1/2 · SPAN, RSPAN, and ERSPAN · Answers revealed

1
MCQmedium

What is missing from this RSPAN configuration on a switch? monitor session 1 source interface GigabitEthernet1/0/1 both monitor session 1 destination remote vlan 100 Assume VLAN 100 exists but is not configured as an RSPAN VLAN.

A.The 'remote-span' command under VLAN 100.
B.An IP address on the destination interface.
C.A destination interface on the source switch.
D.The 'no shutdown' command on VLAN 100.
AnswerA

This is required to designate the VLAN as an RSPAN VLAN.

Why this answer

For RSPAN to work, the VLAN used as the destination remote VLAN must be configured with the 'remote-span' command. Without it, the session will not function correctly.

2
Drag & Dropmedium

Drag and drop the steps to verify and validate SPAN, RSPAN, and ERSPAN operational state into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, use show monitor session all to list all sessions. Then, inspect the specific session details with show monitor session <id>. Next, check the RSPAN VLAN status if using RSPAN.

After that, verify ERSPAN packet capture at the destination. Finally, confirm that the mirrored traffic matches expected patterns.

3
MCQhard

What is the maximum number of ERSPAN sessions that can be configured on a Cisco IOS-XE router?

A.4
B.8
C.24
D.64
AnswerC

Many Cisco IOS-XE routers support up to 24 ERSPAN sessions.

Why this answer

The maximum number of ERSPAN sessions is platform-dependent, but typically up to 24 sessions on high-end routers like ASR1000 series. This is a hardware/software limitation.

4
MCQhard

An engineer configures an RSPAN session on a Cisco switch to monitor traffic from VLAN 30 and send it to a remote switch. The engineer creates RSPAN VLAN 200 on both switches and configures the trunk to allow VLAN 200. On the remote switch, the engineer configures the destination port as GigabitEthernet0/4 in VLAN 200. The engineer notices that the destination port is forwarding traffic, but the traffic is not from the source VLAN 30; instead, it is broadcast traffic from other VLANs. What is the most likely cause?

A.The RSPAN VLAN is also being used for other VLAN traffic due to misconfiguration.
B.The source VLAN is not configured correctly on the source switch.
C.The destination port is in the wrong VLAN.
D.The trunk is not pruning VLAN 200 correctly.
AnswerA

Correct because the RSPAN VLAN should be a dedicated VLAN; if it is also used as a native VLAN or for other traffic, it will carry unwanted broadcasts.

Why this answer

RSPAN VLANs should be used exclusively for RSPAN traffic and should not have any other VLANs mapped to them. If the RSPAN VLAN is also used for other purposes, it may carry unintended traffic.

5
MCQhard

A network engineer runs the following command to troubleshoot an ERSPAN issue: R1# show monitor session 6 detail Session 6 --------- Type : ERSPAN Source Session Source VLANs : Both : 10-20 Destination IP : 10.1.1.3 ERSPAN ID : 200 What does this output indicate?

A.The session is correctly configured to monitor VLANs 10 through 20.
B.The session is misconfigured because ERSPAN cannot use VLANs as source.
C.The session is misconfigured because the ERSPAN ID must be less than 100.
D.The session is misconfigured because the destination IP must be on the same subnet.
AnswerA

ERSPAN can use VLANs as the source for monitoring.

Why this answer

The output shows an ERSPAN source session with source VLANs 10-20, destination IP 10.1.1.3, and ERSPAN ID 200. This is a valid ERSPAN source session using VLANs as the source.

6
MCQeasy

What is the default behavior of a local SPAN session if no direction (rx, tx, both) is specified?

A.Only ingress traffic is monitored.
B.Only egress traffic is monitored.
C.Both ingress and egress traffic are monitored.
D.No traffic is monitored until direction is explicitly set.
AnswerC

This is the default behavior.

Why this answer

If no direction is specified, the default is to monitor both ingress and egress traffic on the source interface.

7
MCQmedium

Which statement about RSPAN source session is correct?

A.The RSPAN source session can send mirrored traffic to multiple RSPAN VLANs simultaneously.
B.The RSPAN source session can monitor both a VLAN and individual ports at the same time.
C.The RSPAN source session must specify a destination RSPAN VLAN.
D.The RSPAN source session can use a physical interface as a destination instead of a VLAN.
AnswerC

The destination for an RSPAN source session is always an RSPAN VLAN, which must be configured with 'remote-span'.

Why this answer

An RSPAN source session mirrors traffic from source ports to an RSPAN VLAN. The source session can monitor a single VLAN or a set of ports, but not both in the same session. The destination is always the RSPAN VLAN.

8
MCQmedium

Which of the following is a limitation of local SPAN on a Cisco switch?

A.It can only monitor one source interface per session.
B.The destination port must be in the same VLAN as the source.
C.It cannot mirror traffic to a remote switch.
D.It cannot monitor both ingress and egress traffic simultaneously.
AnswerC

Local SPAN is confined to the local switch.

Why this answer

Local SPAN can only mirror traffic to a destination port on the same switch; it cannot send mirrored traffic across the network without additional configuration like RSPAN or ERSPAN.

9
MCQhard

Router R1 is configured as an ERSPAN source to monitor traffic on interface GigabitEthernet0/0/0. The destination is a collector at 10.10.10.10. R1's configuration: monitor session 1 type erspan-source source interface Gi0/0/0 both destination erspan-id 3 ip address 10.10.10.10 origin ip address 192.168.1.1. The router has an ACL applied to the interface Gi0/0/0 that denies all IP traffic from source 192.168.1.1. The collector receives no packets. What is the root cause?

A.The ACL on Gi0/0/0 blocks the original traffic, so there is no traffic to mirror.
B.The ACL on Gi0/0/0 blocks the encapsulated ERSPAN packets because the source IP 192.168.1.1 is denied.
C.The ERSPAN session is missing the 'no shutdown' command.
D.The destination IP 10.10.10.10 is not reachable.
AnswerB

If the encapsulated packets are sent out Gi0/0/0, the ACL will block them because the source IP is 192.168.1.1, which is denied.

Why this answer

ERSPAN encapsulates the mirrored packets with a new IP header that has the source IP address specified in the 'origin ip address' command. The encapsulated packet is then sent out of the router using the routing table. However, the ACL on the source interface Gi0/0/0 is applied to the original traffic entering the interface, not to the encapsulated packets.

The encapsulated packets are generated by the router and are not subject to the ACL on the source interface. The ACL would affect the original traffic being mirrored, but the symptom is that the collector receives no packets. The correct root cause is that the ACL is blocking the original traffic, so there is nothing to mirror.

But the scenario says the collector receives no packets, meaning the mirrored packets are not being sent. The more likely issue is that the ACL is applied to the outgoing direction on the interface that sends the encapsulated packets, but the scenario says the ACL is applied to Gi0/0/0, which is the source interface. The encapsulated packets are sent out of a different interface (the one that has the route to the collector).

The ACL on Gi0/0/0 does not affect the encapsulated packets. However, if the router uses the same interface to send the encapsulated packets, the ACL might block them. The correct answer is that the ACL is applied to the source interface and may block the encapsulated packets if they are sent out that interface.

10
MCQhard

What is the maximum number of source ports that can be monitored in a single SPAN session on a typical Cisco Catalyst switch?

A.16
B.32
C.64
D.128
AnswerC

Up to 64 source ports can be included in a single SPAN session, though hardware-dependent.

Why this answer

A single SPAN session can monitor up to 64 source ports (or source VLANs, but not both in the same session). This is a hardware limitation on most Catalyst switches.

11
Multi-Selecthard

Which TWO statements about RSPAN configuration and operation are correct? (Choose TWO.)

Select 2 answers
A.The RSPAN VLAN must be configured as a standard VLAN and allowed on all trunk links between the source and destination switches.
B.The source session on the source switch must specify 'remote vlan <vlan-id>' to identify the RSPAN VLAN.
C.The RSPAN VLAN can be used for normal data traffic as long as it is not the native VLAN.
D.The destination session on the remote switch uses 'monitor session <session> source remote vlan <vlan-id>' and 'destination interface <interface>'.
E.Intermediate switches that only pass the RSPAN VLAN must have a monitor session configured to forward the traffic.
AnswersA, B

Correct. The RSPAN VLAN must be created and allowed on all trunks in the path to ensure the mirrored frames traverse the network.

Why this answer

RSPAN uses a dedicated VLAN to carry mirrored traffic between switches. The RSPAN VLAN must be created and configured on all intermediate switches, and the source and destination switches must have the RSPAN VLAN in the allowed list on trunk ports. The destination session reflects traffic from the RSPAN VLAN to a local monitor port.

12
Multi-Selecthard

Which TWO statements about verifying SPAN, RSPAN, and ERSPAN sessions are correct? (Choose TWO.)

Select 2 answers
A.The command 'show monitor session all' displays a summary of all configured SPAN, RSPAN, and ERSPAN sessions.
B.The command 'show monitor session <session> detail' displays the operational status and any errors for that session.
C.The command 'show monitor session <session> type erspan-source' is used to verify ERSPAN source sessions.
D.The command 'show spanning-tree vlan <rspan-vlan>' can confirm that the RSPAN VLAN is correctly configured and forwarding.
E.The command 'show monitor session <session> statistics' provides packet counts for mirrored traffic.
AnswersA, B

Correct. 'show monitor session all' lists all sessions with their status, source, and destination.

Why this answer

Verification commands include 'show monitor session <session>' for detailed status, 'show monitor' for a summary, and 'show monitor session <session> detail' for more granular info. For ERSPAN, 'show monitor session <session> type erspan-source' can be used. The 'show spanning-tree' command is unrelated.

13
MCQhard

An engineer configures SPAN on a Cisco switch to monitor both ingress and egress traffic on a trunk port. The monitor session shows only egress traffic, not ingress. What is the most likely explanation?

A.The trunk port is configured with 'switchport trunk allowed vlan' that excludes the VLANs carrying the ingress traffic.
B.The SPAN session is configured with 'monitor session 1 source interface gigabitethernet0/1 rx', missing the 'tx' keyword.
C.The switch has 'spanning-tree portfast' enabled on the trunk, disabling ingress monitoring.
D.The SPAN destination port is in the same VLAN as the ingress traffic, causing a loop.
AnswerA

SPAN only captures traffic on VLANs that are allowed on the trunk; pruned VLANs are not monitored.

Why this answer

When monitoring a trunk port with SPAN, the source can be specified as both ingress and egress. However, if the trunk port is configured with 'switchport trunk allowed vlan' to prune certain VLANs, ingress traffic on pruned VLANs is not forwarded to the SPAN destination. Additionally, SPAN may not capture ingress traffic on the native VLAN if the native VLAN is not explicitly included.

14
MCQmedium

A network engineer configured the following: monitor session 3 type erspan-source source interface GigabitEthernet0/0/2 rx destination erspan-id 2 ip address 10.0.0.2 origin ip address 10.0.0.1 What traffic will be mirrored?

A.Only traffic received on GigabitEthernet0/0/2.
B.Only traffic transmitted on GigabitEthernet0/0/2.
C.Both received and transmitted traffic on GigabitEthernet0/0/2.
D.All traffic on the router, regardless of interface.
AnswerA

The 'rx' keyword specifies receive-only.

Why this answer

The 'rx' keyword indicates that only ingress (received) traffic on GigabitEthernet0/0/2 will be mirrored.

15
MCQhard

A switch is configured with SPAN to monitor traffic on interface Gi0/0/0 to a local analyzer on interface Gi0/1. The configuration: monitor session 1 source interface Gi0/0/0 both monitor session 1 destination interface Gi0/1. The analyzer sees only half of the traffic (only incoming or outgoing). The switch also has an EtherChannel configured on Gi0/0/0 as part of a port-channel. The port-channel is up/up. What is the root cause?

A.The SPAN source is a physical interface that is part of an EtherChannel; SPAN should be configured on the port-channel interface instead.
B.The destination interface Gi0/1 is not in the same VLAN as the source.
C.The monitor session is missing the 'no shutdown' command.
D.The EtherChannel load-balancing algorithm causes some traffic to be missed.
AnswerA

SPAN on a physical member of an EtherChannel only monitors that link, not the entire bundle.

Why this answer

When a source interface is part of an EtherChannel, SPAN must be configured on the port-channel interface, not on the individual physical interface. If SPAN is configured on a physical interface that is part of a port-channel, the switch may only monitor traffic on that specific physical link, not the entire EtherChannel. This can result in only a portion of the traffic being mirrored.

The fix is to use the port-channel interface as the source.

16
MCQhard

An engineer configures ERSPAN on a Cisco router to monitor traffic from a VRF. The mirrored traffic reaches the collector, but the source IP address in the ERSPAN header is the router's loopback, not the expected interface IP. What is the most likely cause?

A.The ERSPAN session does not specify a source IP address, so the router uses the loopback as the best source for the destination.
B.The VRF has a default route pointing to the loopback, forcing all traffic to use that IP.
C.The ERSPAN session is configured with 'erspan-id' that overrides the source IP.
D.The collector expects the loopback IP for filtering, so the router automatically uses it.
AnswerA

Without an explicit source IP, the router uses the routing table to pick the source, often the loopback.

Why this answer

When configuring ERSPAN with a source interface in a VRF, the ERSPAN session uses the VRF's routing table to determine the source IP. If the 'ip address' of the source interface is not used, the router may use the loopback if it is the preferred source for the destination. The 'monitor session' command allows specifying the source IP explicitly; otherwise, the router selects based on routing.

17
MCQmedium

Given the configuration: monitor session 2 source vlan 10-12 both monitor session 2 destination interface GigabitEthernet1/0/3 Which statement is true?

A.Traffic from all ports in VLANs 10, 11, and 12 is copied to GigabitEthernet1/0/3.
B.Only traffic from the access ports in VLAN 10 is copied.
C.The destination port must be in VLAN 10.
D.The destination port will become a SPAN destination and cannot be used for normal traffic.
AnswerA

VLAN SPAN monitors all ports in the specified VLANs.

Why this answer

This configures a VLAN-based SPAN session that monitors all traffic on VLANs 10, 11, and 12 and sends a copy to GigabitEthernet1/0/3.

18
MCQmedium

A network engineer runs the following command on switch SW2: SW2# show monitor session 2 Session 2 --------- Type : Remote Source Session Source Ports : Both : Gi0/4 Source VLANs : RX Only : 100 Destination Ports : Gi0/5 Encapsulation : Native Ingress : Disabled Based on this output, which statement is correct?

A.The session is an RSPAN source session, and the mirrored traffic is sent to Gi0/5.
B.The session is an ERSPAN source session because it monitors VLAN 100.
C.The session is a local SPAN session with source VLAN.
D.The session is misconfigured because source VLANs cannot be combined with source ports.
AnswerA

The type 'Remote Source Session' indicates RSPAN source, and the destination port Gi0/5 receives the mirrored traffic.

Why this answer

This is a remote source session (RSPAN source session). It monitors source port Gi0/4 and source VLAN 100 (RX only), and sends the mirrored traffic to destination port Gi0/5, which is typically configured as a trunk port carrying the RSPAN VLAN. The session is correctly configured for RSPAN.

19
MCQmedium

Examine the RSPAN configuration: vlan 100 name RSPAN_VLAN remote-span ! monitor session 1 source interface GigabitEthernet1/0/1 both monitor session 1 destination remote vlan 100 What is the purpose of the 'remote-span' command under VLAN 100?

A.It allows VLAN 100 to be used for RSPAN traffic across multiple switches.
B.It enables spanning tree on VLAN 100.
C.It prevents VLAN 100 from being used for user data traffic.
D.It configures VLAN 100 as a native VLAN.
AnswerA, C

This is the standard function of remote-span.

Why this answer

The 'remote-span' command designates VLAN 100 as an RSPAN VLAN, allowing it to carry mirrored traffic across switches without being used for normal data traffic.

20
MCQhard

A network engineer configures an RSPAN session on Switch A to monitor traffic from interface GigabitEthernet0/1 and sends it to Switch B. The engineer creates RSPAN VLAN 50 on both switches and configures the trunk between them to allow VLAN 50. On Switch B, the engineer configures the destination port as GigabitEthernet0/2 in VLAN 50. The engineer notices that the destination port is not forwarding any traffic. What should the engineer check first?

A.Verify that the RSPAN VLAN is configured with the 'remote-span' command on both switches.
B.Check that the destination port is not in a shutdown state.
C.Ensure that the source interface is not configured with 'no monitor session'.
D.Confirm that the trunk between switches is configured as a dot1q trunk.
AnswerA

Correct because the 'remote-span' command is essential to designate the VLAN as an RSPAN VLAN; without it, the VLAN behaves as a normal VLAN.

Why this answer

RSPAN requires that the RSPAN VLAN be configured with the 'remote-span' command on all switches that participate. Without this, the VLAN may not be treated as an RSPAN VLAN and traffic may not be forwarded correctly.

21
MCQmedium

Which statement about RSPAN VLAN is correct?

A.The RSPAN VLAN must be the same as the native VLAN on the trunk.
B.The RSPAN VLAN can be used for normal user traffic if needed.
C.The RSPAN VLAN must be configured with the 'remote-span' command on all switches in the network.
D.The RSPAN VLAN must be pruned from all trunk links to avoid unnecessary flooding.
AnswerC

The 'remote-span' command is required on the VLAN to prevent it from being used for normal traffic and to allow it to be flooded across the network.

Why this answer

An RSPAN VLAN is a dedicated VLAN used to carry mirrored traffic from source switches to a destination switch. It must be configured as a remote-span VLAN, and no end devices should be connected to it.

22
MCQhard

Router R1 is configured as an ERSPAN source to monitor traffic on interface Tunnel0 (a DMVPN tunnel). The destination is a collector at 172.16.0.100. R1's configuration: monitor session 1 type erspan-source source interface Tunnel0 both destination erspan-id 4 ip address 172.16.0.100 origin ip address 10.0.0.1. The collector receives no packets. The Tunnel0 interface is up/up and has an IP of 10.0.0.1/30. The tunnel destination is 192.168.1.1. The router has a route to 172.16.0.100 via 10.0.0.2. What is the root cause?

A.The ERSPAN source interface is a tunnel, which is not supported for ERSPAN.
B.The ERSPAN destination IP is routed via the tunnel interface, causing the encapsulated packets to be sent into the tunnel and double-encapsulated, leading to drop.
C.The tunnel interface is not in the same VRF as the collector.
D.The ERSPAN session ID 4 conflicts with the tunnel key.
AnswerB

The route to 172.16.0.100 via 10.0.0.2 points to the tunnel peer, so the encapsulated packets enter the tunnel, causing recursion.

Why this answer

ERSPAN monitors traffic on the source interface. When the source is a tunnel interface, the mirrored traffic is the original IP packets before encapsulation. The ERSPAN process then encapsulates these packets with a new IP header.

However, the encapsulated packets are sent using the routing table. If the destination IP is reachable via a route that points to the tunnel interface itself (e.g., via 10.0.0.2, which is the tunnel's peer), the encapsulated packets may be sent into the tunnel, causing them to be encapsulated again. This double encapsulation can cause issues.

But the more likely root cause is that the ERSPAN session is configured to monitor the tunnel interface, but the tunnel interface itself may not be able to generate the encapsulated packets correctly because the tunnel is used for the destination. The correct answer is that the ERSPAN source IP is the same as the tunnel interface IP, and the destination is routed via the tunnel, causing a recursive routing loop similar to the first question.

23
MCQmedium

An engineer configures a local SPAN session on a Cisco switch to monitor all traffic on VLAN 20. The engineer uses the command 'monitor session 1 source vlan 20' and 'monitor session 1 destination interface GigabitEthernet0/3'. The engineer connects a laptop to GigabitEthernet0/3 and runs a packet capture, but sees only traffic from the switch itself, not from other devices in VLAN 20. What is the most likely cause?

A.The SPAN session is configured to monitor only ingress traffic by default.
B.The destination port is in a different VLAN than the source VLAN.
C.The switch does not support SPAN on VLANs.
D.The laptop is not configured to accept tagged traffic.
AnswerA

Correct because the default direction for a SPAN source VLAN is 'rx' (received traffic); to capture all traffic, the engineer must add 'both' or 'tx'.

Why this answer

By default, SPAN monitors only ingress traffic on the source VLAN. To capture both directions, the command must specify 'both' for the source. The default is 'rx' only.

24
Multi-Selecthard

Which TWO statements about the configuration of an ERSPAN destination session are correct? (Choose TWO.)

Select 2 answers
A.The destination session must be configured with 'monitor session <session> type erspan-destination'.
B.The source of the destination session must specify the 'erspan-id' and the source IP address of the ERSPAN tunnel.
C.The destination session can have multiple destination interfaces to send the decapsulated traffic to multiple analyzers.
D.The destination session automatically creates a GRE tunnel interface that appears in 'show ip interface brief'.
E.The destination session must be in the same VRF as the source session's destination IP to ensure reachability.
AnswersA, B

Correct. The 'type erspan-destination' keyword is required to define the session as an ERSPAN destination.

Why this answer

The ERSPAN destination session decapsulates GRE-encapsulated traffic and sends it to a local port. It must be configured with 'type erspan-destination', the source must specify the ERSPAN ID and the source IP address (the same as the destination IP of the source session), and the destination is a local interface. The session must be in the same VRF as the incoming ERSPAN traffic.

25
MCQhard

An engineer configures ERSPAN on a Cisco router to send mirrored traffic to a remote collector via IP. The collector receives the ERSPAN packets, but the payload appears truncated or malformed. What is the most likely cause?

A.The ERSPAN GRE encapsulation adds overhead exceeding the path MTU, causing fragmentation or drop.
B.The collector is not configured to reassemble IP fragments.
C.The ERSPAN session is configured with the wrong source interface, causing incorrect IP headers.
D.The router has IPsec configured on the egress interface, encrypting the ERSPAN packets.
AnswerA

ERSPAN adds 50 bytes of overhead; if the original packet is near MTU, the encapsulated packet exceeds it, leading to fragmentation or loss.

Why this answer

ERSPAN encapsulates mirrored packets in GRE with an additional ERSPAN header. The MTU of the path between the source and collector must accommodate the extra overhead (typically 50 bytes for GRE + ERSPAN). If the path MTU is too small, packets are fragmented or dropped, causing truncation.

26
MCQhard

A network engineer is troubleshooting an ERSPAN configuration where traffic from a source router is being sent to a remote monitoring server. The engineer configures an ERSPAN source session on Router A to capture traffic on GigabitEthernet0/0 and send it to the IP address 10.1.1.100. The monitoring server does not receive any packets. The engineer verifies that IP connectivity exists between Router A and the server. What is the most likely cause?

A.The ERSPAN session is missing a tunnel interface configuration.
B.The monitoring server is not listening on the correct UDP port.
C.The source interface is not in the same subnet as the destination IP.
D.The ERSPAN session is configured with the wrong source IP address.
AnswerA

Correct because ERSPAN encapsulates monitored traffic in GRE tunnels; a tunnel interface must be configured and referenced in the monitor session.

Why this answer

ERSPAN requires a tunnel interface to encapsulate the monitored traffic. Without configuring a tunnel interface, the ERSPAN session cannot encapsulate the packets for transport to the remote destination.

27
MCQhard

An engineer configures RSPAN on a switch stack to monitor traffic from a VLAN. The RSPAN destination port is on a different stack member. The mirrored traffic works intermittently, with gaps during stack master re-election. What is the most likely explanation?

A.RSPAN traffic traverses the stack ring, which is disrupted during master re-election.
B.The RSPAN VLAN is pruned on the stack ring due to VTP pruning.
C.The RSPAN session is configured on the master only, and does not survive failover.
D.The destination port is on a different VLAN than the source, causing a mismatch.
AnswerA

The stack ring is used for inter-member communication; a master change can cause temporary disruption.

Why this answer

In a switch stack, RSPAN traffic is forwarded across the stack ring. During master re-election, the stack ring may briefly go down or reconverge, causing loss of RSPAN traffic. Additionally, if the RSPAN VLAN is not configured consistently across all stack members, traffic may be dropped.

28
MCQhard

An engineer configures SPAN on a Cisco switch to monitor traffic from a port that is also a SPAN destination for another session. The switch rejects the configuration. What is the most likely reason?

A.A SPAN destination port cannot be a SPAN source port due to hardware restrictions.
B.The SPAN session ID must be unique; overlapping sessions cause conflicts.
C.The switch has reached the maximum number of SPAN sessions.
D.The port is a trunk, and SPAN cannot monitor trunk ports as destinations.
AnswerA

The switch enforces that a port used as a destination cannot also be a source, as it would create a loop in the monitoring path.

Why this answer

A SPAN destination port cannot be used as a SPAN source port in any session. This is a hardware limitation: the port is dedicated to receiving mirrored traffic and cannot also be monitored. The switch will return an error if you try to configure it as a source.

29
Drag & Drophard

Drag and drop the steps to troubleshoot SPAN, RSPAN, and ERSPAN adjacency or connectivity failures into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

Begin by checking the SPAN/RSPAN/ERSPAN session status with show commands. Then, verify that the source and destination VLANs or interfaces are up. Next, confirm that any intermediate switches support the required encapsulation.

After that, test IP connectivity for ERSPAN destinations using ping. Finally, review ACLs or filters that might block mirrored traffic.

30
MCQmedium

A network engineer runs the following command on switch SW5: SW5# show monitor session 7 Session 7 --------- Type : Local Session Source Ports : Both : Gi0/11 Destination Ports : Gi0/12 Encapsulation : Replicate Ingress : Disabled Based on this output, which statement is correct?

A.The SPAN session will replicate the original VLAN tag on the mirrored traffic sent to Gi0/12.
B.The SPAN session will strip the VLAN tag from the mirrored traffic.
C.The SPAN session is using RSPAN because the encapsulation is set to Replicate.
D.The SPAN session is misconfigured because encapsulation Replicate is not supported.
AnswerA

The encapsulation type 'Replicate' indicates that the original VLAN tag is preserved.

Why this answer

This is a local SPAN session with source port Gi0/11 and destination port Gi0/12. The encapsulation is set to 'Replicate', which means the mirrored traffic retains its original VLAN tag. This is typical when the destination port is a trunk port and the analyzer expects tagged traffic.

31
MCQhard

An engineer configures ERSPAN on a Cisco router to monitor traffic on interface GigabitEthernet0/0/0 and send it to a monitoring server at 192.168.1.100. The engineer configures the ERSPAN session with a tunnel source of 10.0.0.1 and a tunnel destination of 192.168.1.100. The monitoring server receives no packets. The engineer pings 192.168.1.100 from the router and succeeds. What is the most likely cause?

A.The monitoring server does not have a route to the tunnel source IP 10.0.0.1.
B.The ERSPAN session is configured with the wrong direction.
C.The router does not support ERSPAN.
D.The monitoring server is not listening on the correct TCP port.
AnswerA

Correct because the server needs to be able to respond to or process GRE packets; if it cannot reach the tunnel source, the packets may be discarded.

Why this answer

ERSPAN uses GRE encapsulation, and the tunnel destination must be the IP address of the monitoring server that can decapsulate GRE. However, the tunnel source IP must be reachable from the server; if the server does not have a route back to the tunnel source, the encapsulated packets may be dropped.

32
MCQmedium

An engineer configures RSPAN on a Cisco switch to monitor traffic from VLAN 10 across multiple switches. The engineer creates an RSPAN VLAN (VLAN 100) on the source switch and configures the source as VLAN 10. On the remote switch, the engineer configures the destination port as GigabitEthernet0/1 in VLAN 100. However, the destination port does not forward any monitored traffic. What is the most likely cause?

A.The RSPAN VLAN is not allowed on the trunk links between the switches.
B.The destination port is configured as an access port in VLAN 100.
C.The source switch does not have the RSPAN VLAN configured as a remote-span VLAN.
D.The destination port is not configured with 'monitor session' on the remote switch.
AnswerA

Correct because the RSPAN VLAN must be permitted on all intermediate trunks for the monitored traffic to traverse the network.

Why this answer

RSPAN requires that the RSPAN VLAN be allowed on all trunk links between the source and destination switches. If the RSPAN VLAN is not allowed on the trunk, the traffic will not reach the destination.

33
MCQhard

An engineer configures ERSPAN on Router R1 to monitor traffic from VLAN 100 to a remote collector at 192.168.10.10 via a GRE tunnel. The source interface is GigabitEthernet0/0/0. After configuration, the collector receives no mirrored packets. R1's configuration: monitor session 1 type erspan-source source interface Gi0/0/0 both destination erspan-id 100 ip address 192.168.10.10 origin ip address 10.1.1.1 no shutdown. R1's routing table shows a default route via 10.1.1.2, and a static route to 192.168.10.0/24 via 10.1.1.2. The tunnel interface Tunnel0 is up/up with IP 10.1.1.1/30. What is the most likely root cause?

A.The monitor session is administratively down due to a missing 'no shutdown' command.
B.The ERSPAN destination IP address is in a different VRF that is not reachable from the source VRF.
C.The GRE tunnel interface is used for the ERSPAN source IP, causing a recursive routing loop because the destination IP is routed via the tunnel's next-hop.
D.The ERSPAN session ID 100 conflicts with an existing GRE key on the tunnel.
AnswerC

The source IP 10.1.1.1 is the tunnel interface IP, and the destination 192.168.10.10 is routed via 10.1.1.2, which is the tunnel's next-hop. This recursion causes the encapsulated packet to be dropped.

Why this answer

ERSPAN encapsulates mirrored packets in GRE with a destination IP of the collector. The router must have a route to the collector IP, but the encapsulated packets use the routing table of the default VRF. If the destination IP is reachable via a route that points to a next-hop that is not directly connected, the router may attempt to use the GRE tunnel interface itself, causing a recursive routing loop.

The GRE tunnel interface IP (10.1.1.1) is used as the source, but the destination 192.168.10.10 is routed via 10.1.1.2, which is the tunnel's next-hop. This creates a recursion: the packet is encapsulated with destination 192.168.10.10, then routed, which again matches the tunnel, leading to a loop and packet drop. The fix is to use a separate source IP or ensure the route to the collector does not point back through the tunnel.

34
MCQhard

A network engineer configures an ERSPAN session on a Cisco router to monitor traffic on interface GigabitEthernet0/0/0 and send it to a monitoring server at 172.16.1.100. The engineer uses the command 'monitor session 1 type erspan-source' and configures the tunnel. The monitoring server receives packets, but the packets contain only the original source and destination IP addresses of the monitored traffic, not the encapsulated GRE headers. What is the most likely cause?

A.The ERSPAN session is misconfigured, causing the router to forward the original packets instead of encapsulated copies.
B.The monitoring server is stripping the GRE headers before capturing.
C.The ERSPAN session is configured with the 'ip access-group' command that filters the encapsulated traffic.
D.The router is not running the correct IOS version that supports ERSPAN.
AnswerA

Correct because the router should send GRE-encapsulated packets; if it sends raw packets, the session configuration is incorrect.

Why this answer

ERSPAN encapsulates the original packet with a GRE header. If the monitoring server receives packets without GRE encapsulation, it means the router is not encapsulating the traffic correctly, possibly because the ERSPAN session is not configured with the correct tunnel source or destination.

35
MCQmedium

Consider the ERSPAN configuration on a router: monitor session 1 type erspan-source source interface GigabitEthernet0/0/1 both destination erspan-id 1 ip address 192.168.1.100 origin ip address 192.168.1.1 What is the primary purpose of the 'origin ip address' command?

A.It specifies the IP address of the monitoring device.
B.It defines the source IP address used in the ERSPAN GRE encapsulation.
C.It sets the IP address of the interface being monitored.
D.It enables ERSPAN on the specified interface.
AnswerB

This is the correct function of the origin IP address.

Why this answer

The origin IP address is the source IP used in the ERSPAN encapsulated packets, allowing the destination to identify the source of the mirrored traffic.

36
MCQmedium

A network engineer runs the following command to troubleshoot a SPAN issue: R1# show monitor session 1 detail Session 1 --------- Type : Local Session Source Ports : Both : Gi0/0 Destination Ports : Gi0/1 Encapsulation : Native Ingress : Disabled What does this output indicate?

A.The session is correctly configured to send traffic from Gi0/0 to Gi0/1.
B.The session is misconfigured because the destination port should have ingress enabled.
C.The session is misconfigured because the source port must be a VLAN.
D.The session is misconfigured because encapsulation must be set to 'replicate'.
AnswerA

The output confirms a local SPAN session with source port Gi0/0 and destination port Gi0/1.

Why this answer

The output shows a local SPAN session with source port Gi0/0 (both directions) and destination port Gi0/1. The destination port is configured with native encapsulation and no ingress traffic is allowed.

37
MCQhard

An engineer configures ERSPAN on a Cisco router to monitor traffic from a tunnel interface. The mirrored traffic shows the tunnel's inner IP headers, but the outer encapsulation is missing. What is the most likely cause?

A.ERSPAN on a tunnel interface captures the inner IP packet, not the encapsulated GRE/IPsec packet.
B.The ERSPAN session is configured with 'erspan-type' that strips the outer header.
C.The collector is not configured to decode GRE headers.
D.The tunnel interface is in a VRF, causing the outer header to be removed.
AnswerA

The tunnel interface processes the inner packet; the outer encapsulation is added later on the physical interface.

Why this answer

When monitoring a tunnel interface with ERSPAN, the router captures the traffic at the point where it enters the tunnel (before encapsulation) or exits (after decapsulation). To capture the encapsulated packets, the source must be the physical egress interface, not the tunnel interface. By default, ERSPAN on a tunnel interface shows the inner packet.

38
Multi-Selecthard

Which THREE commands are used to troubleshoot a SPAN session on a Cisco Catalyst switch? (Choose THREE.)

Select 3 answers
A.show monitor session 1
B.show monitor
C.debug monitor
D.show running-config | include monitor
E.show ip interface brief
AnswersA, B, C

Displays the operational status and configuration of a specific SPAN session.

Why this answer

'show monitor session 1' provides details of the session. 'show monitor' lists all sessions. 'debug monitor' enables debugging for SPAN operations. 'show running-config | include monitor' shows the configuration but is not a direct troubleshooting command for operational issues. 'show ip interface brief' shows IP status, not SPAN.

39
MCQhard

A network engineer configures SPAN on a switch to monitor traffic from VLAN 20 to a local analyzer on interface Gi0/1. The configuration: monitor session 1 source vlan 20 rx monitor session 1 destination interface Gi0/1. The analyzer sees no traffic. The switch runs OSPF and has a route to 0.0.0.0/0 via a neighbor. The Gi0/1 interface is configured as a trunk port with native VLAN 1. The analyzer is connected to a hub that also connects to another device. The other device sends traffic that causes the switch to learn MAC addresses on Gi0/1. What is the root cause?

A.The destination interface Gi0/1 is a trunk port, which is not supported for SPAN destinations; it must be an access port.
B.The source VLAN 20 is not allowed on the trunk port Gi0/1.
C.The analyzer is connected via a hub, causing a loop that disables the port.
D.The monitor session is missing the 'no shutdown' command.
AnswerA

SPAN destination ports must be access ports; trunk ports are not allowed as SPAN destinations.

Why this answer

SPAN destination ports should not be used for normal traffic; they are dedicated to monitoring. If the destination port is configured as a trunk, it may participate in spanning tree and learn MAC addresses. However, the key issue is that SPAN does not work if the destination port is a trunk port that is also used for other traffic.

The switch may be forwarding traffic from other VLANs to the analyzer, but the mirrored traffic from VLAN 20 may be dropped because the destination port is not in the correct VLAN. Specifically, the destination port should be an access port in the same VLAN as the source, or if it is a trunk, the mirrored traffic is sent as untagged or tagged depending on the configuration. The analyzer may not receive traffic if the native VLAN mismatch occurs.

The correct root cause is that the destination port is a trunk with native VLAN 1, but the mirrored traffic from VLAN 20 is tagged with VLAN 20, and the analyzer may not understand the tag. However, the more subtle issue is that the switch may not allow the destination port to be a trunk for SPAN; it must be an access port. The correct answer is that SPAN destination ports cannot be trunk ports.

40
Drag & Dropmedium

Drag and drop the steps to configure an ERSPAN session for remote traffic capture into the correct order, from first to last.

Drag steps to the numbered slots on the right, or tap a step then tap a slot.

Steps
Order
1Step 1
2Step 2
3Step 3
4Step 4
5Step 5

Why this order

First, you must define the source interface and traffic direction. Next, specify the ERSPAN ID and destination IP address. Then, configure the ERSPAN origin IP address on the source switch.

After that, enable the ERSPAN session globally. Finally, verify the session is active.

41
MCQhard

A network engineer configures RSPAN on a switch to monitor traffic from VLAN 10 to a remote switch via VLAN 100 as the RSPAN VLAN. The source switch has: monitor session 1 source vlan 10 rx monitor session 1 destination remote vlan 100. The remote switch has: monitor session 2 source remote vlan 100 monitor session 2 destination interface Gi0/1. The remote switch's Gi0/1 is connected to a network analyzer. The analyzer sees no traffic. The RSPAN VLAN 100 is configured on all intermediate switches with the 'remote-span' command. However, the intermediate switches run MST and VLAN 100 is mapped to a different MST instance than the native VLAN. What is the root cause?

A.The RSPAN VLAN is not allowed on the trunk ports between switches.
B.MST maps VLAN 100 to a different instance, causing the port to be in a blocking state for that instance, thus dropping RSPAN traffic.
C.The 'remote-span' command is missing on the source and destination switches.
D.The RSPAN VLAN must be the native VLAN on all trunks.
AnswerB

MST can block VLANs in different instances, preventing RSPAN traffic from traversing.

Why this answer

RSPAN relies on flooding the mirrored traffic across the RSPAN VLAN. In MST, if the RSPAN VLAN is mapped to a different MST instance than the native VLAN, the spanning-tree topology may block the RSPAN VLAN on some ports. Specifically, if the RSPAN VLAN is in a different MST instance, the port may be in a blocking state for that instance, preventing the mirrored traffic from reaching the destination.

The 'remote-span' command does not override MST behavior. The fix is to map the RSPAN VLAN to the same MST instance as the native VLAN or use a single spanning-tree region.

42
MCQmedium

What is the default ERSPAN encapsulation type on Cisco IOS-XE devices?

A.ERSPAN Type I
B.ERSPAN Type II
C.ERSPAN Type III
D.ERSPAN Type IV
AnswerB

Type II is the default, with a 4-byte GRE header and 4-byte ERSPAN header, including a sequence number.

Why this answer

ERSPAN defaults to Type II encapsulation, which uses a 4-byte GRE header with a 4-byte ERSPAN header (8 bytes total). Type III is optional and requires explicit configuration.

43
MCQhard

A network engineer runs the following command on switch SW4: SW4# show monitor session 6 Session 6 --------- Type : Local Session Source Ports : Both : Gi0/8, Gi0/9 Destination Ports : Gi0/10 Encapsulation : Native Ingress : Enabled Based on this output, which statement is correct?

A.The SPAN session is configured correctly and will forward traffic received on Gi0/10 into the network.
B.The SPAN session is misconfigured because source ports cannot be monitored in both directions.
C.The SPAN session is using RSPAN because the destination port has ingress enabled.
D.The SPAN session is disabled because the destination port has ingress enabled.
AnswerA

Ingress enabled on the destination port allows traffic received on that port to be forwarded, which is atypical and can cause issues.

Why this answer

This is a local SPAN session with source ports Gi0/8 and Gi0/9, and destination port Gi0/10. The destination port has ingress enabled, which means traffic received on Gi0/10 will be processed and forwarded by the switch. This is unusual because SPAN destination ports typically have ingress disabled to prevent loops and forwarding of mirrored traffic.

This configuration can cause network issues.

44
MCQmedium

A network engineer runs the following command on router R4: R4# show monitor session 9 Session 9 --------- Type : ERSPAN Source Session Status : Admin Disabled Source Ports : Both : Gi0/2 Destination IP : 192.168.2.20 Origin IP : 10.0.0.3 ERSPAN ID : 200 Based on this output, which statement is correct?

A.The ERSPAN session is configured but not currently active because it is administratively disabled.
B.The ERSPAN session is actively mirroring traffic from Gi0/2 to 192.168.2.20.
C.The ERSPAN session is using RSPAN because the status is disabled.
D.The ERSPAN session is misconfigured because the origin IP is missing.
AnswerA

The status 'Admin Disabled' indicates the session is not active.

Why this answer

This is an ERSPAN source session that is administratively disabled. The configuration is present but not active. To enable it, the engineer must use the 'no shutdown' command under the session configuration.

45
MCQmedium

A network engineer configures SPAN on a Cisco Catalyst switch to monitor traffic between two hosts. The engineer configures the source interface as GigabitEthernet0/1 and the destination interface as GigabitEthernet0/2. After the configuration, the engineer notices that the monitored traffic is not being forwarded to the destination port. What is the most likely cause?

A.The destination port is not in the same VLAN as the source port.
B.The destination port is configured as a trunk port.
C.The destination port is in a blocking state due to Spanning Tree Protocol.
D.The source interface is not in the same VLAN as the destination interface.
AnswerC

Correct because SPAN destination ports are not expected to participate in STP; they should be configured with 'spanning-tree portfast' to avoid blocking.

Why this answer

SPAN destination ports must be configured with the 'spanning-tree portfast' command to avoid being blocked by Spanning Tree Protocol (STP). Without this, the destination port may remain in a blocking state.

46
MCQeasy

Which of the following is true about the SPAN source interface configuration?

A.By default, both ingress and egress traffic are monitored.
B.By default, only ingress traffic is monitored.
C.By default, only egress traffic is monitored.
D.The direction must always be specified; there is no default.
AnswerB

When configuring a SPAN source interface without specifying direction, only ingress traffic is mirrored.

Why this answer

A SPAN source interface can be configured to monitor both ingress and egress traffic, or either direction. By default, only ingress traffic is monitored if no direction is specified.

47
MCQmedium

A network engineer runs the following command on switch SW3: SW3# show monitor session 3 Session 3 --------- Type : Remote Destination Session Source Ports : RX Only : Gi0/6 Destination Ports : Gi0/7 Encapsulation : Native Ingress : Disabled Based on this output, which statement is correct?

A.The session is an RSPAN destination session, and traffic from the RSPAN VLAN is received on Gi0/6 and sent to Gi0/7.
B.The session is an ERSPAN destination session because it uses RX only.
C.The session is a local SPAN session with source port Gi0/6.
D.The session is misconfigured because the destination port has ingress disabled.
AnswerA

The type 'Remote Destination Session' confirms RSPAN destination, with Gi0/6 as source and Gi0/7 as destination.

Why this answer

This is an RSPAN destination session. It receives mirrored traffic from the RSPAN VLAN via source port Gi0/6 (RX only) and sends it to destination port Gi0/7 for analysis. The source port is typically a trunk port carrying the RSPAN VLAN.

48
MCQmedium

Which statement about the SPAN destination port behavior is correct?

A.The SPAN destination port operates in full-duplex mode by default.
B.The SPAN destination port can participate in Spanning Tree Protocol (STP) if configured.
C.The SPAN destination port is automatically placed in a forwarding state and does not run STP.
D.The SPAN destination port can be used as a normal switch port after removing the SPAN configuration.
AnswerC

The destination port is put into a forwarding state and STP is disabled to avoid loops; it only transmits mirrored traffic.

Why this answer

By default, a SPAN destination port does not participate in any Layer 2 protocols (like STP, CDP, DTP) and does not forward or receive normal traffic; it only transmits mirrored packets.

49
MCQhard

Router R1 is configured as an ERSPAN source to monitor traffic on interface Serial0/0/0. The destination is a collector at 172.16.1.100. R1's configuration: monitor session 1 type erspan-source source interface Serial0/0/0 both destination erspan-id 1 ip address 172.16.1.100 origin ip address 10.0.0.1. The collector is reachable via a default route. The network also uses CoPP (Control Plane Policing) with a policy that polices all incoming traffic to the control plane. The collector receives no packets. What is the most likely issue?

A.The ERSPAN destination IP is not in the routing table, so packets are dropped.
B.CoPP is policing the locally generated ERSPAN packets, causing them to be dropped.
C.The ERSPAN session is not configured with 'no shutdown'.
D.The source interface Serial0/0/0 is down, so no traffic is mirrored.
AnswerB

ERSPAN packets are locally generated and may be subject to CoPP if the policy applies to control plane input.

Why this answer

ERSPAN encapsulated packets are sent to the destination IP using the routing table. When the router sends these packets, they are generated by the router itself (locally originated). CoPP typically applies to traffic destined to the control plane, not to transit traffic.

However, ERSPAN packets are locally generated and may be subject to CoPP if the policy is applied to the control plane input. Specifically, if the CoPP policy classifies all IP traffic to the control plane, the ERSPAN packets might be policed and dropped. But more subtly, the ERSPAN process may use the control plane to generate the packets, and if the CoPP rate-limits the control plane, the packets might be dropped.

The correct root cause is that CoPP is rate-limiting the ERSPAN traffic because the router treats the mirrored packets as control plane traffic.

50
MCQhard

An engineer configures ERSPAN on Router R1 to monitor traffic from VLAN 30 to a collector at 192.168.1.100. The router has multiple VRFs: VRF A and VRF B. The source interface Gi0/0/0 is in VRF A. The collector is in VRF B. R1's configuration: monitor session 1 type erspan-source source interface Gi0/0/0 both destination erspan-id 2 ip address 192.168.1.100 origin ip address 10.0.0.1. The collector is reachable via a route in VRF B. The router has a route-leaking configuration between VRFs. The collector receives no traffic. What is the root cause?

A.The ERSPAN session must be configured with the 'vrf' keyword under the destination to use VRF B.
B.The source interface is in VRF A, but the ERSPAN source IP must be in the same VRF as the destination.
C.The route-leaking configuration is incorrect, preventing reachability between VRFs.
D.The ERSPAN session ID 2 conflicts with a VRF ID.
AnswerA

Without the VRF keyword, ERSPAN uses the global routing table, which lacks a route to the collector in VRF B.

Why this answer

ERSPAN uses the global routing table by default to route the encapsulated packets to the destination IP. If the source interface is in a VRF, the mirrored traffic is still sent using the global routing table unless the ERSPAN session is configured with a VRF. The destination IP 192.168.1.100 is in VRF B, but the global routing table may not have a route to it.

The route-leaking between VRFs does not affect the ERSPAN process because the encapsulated packet is sourced from the global routing table. The fix is to configure the ERSPAN session with the 'vrf' keyword under the destination to specify the VRF. Alternatively, the source IP must be in the same VRF as the destination.

The correct root cause is that the ERSPAN session does not specify the VRF, so it uses the global table, which has no route to the collector.

51
MCQmedium

A network engineer runs the following command to troubleshoot an ERSPAN issue: R1# show monitor session 3 detail Session 3 --------- Type : ERSPAN Source Session Source Ports : Both : Gi0/0 Destination IP : 10.1.1.1 ERSPAN ID : 100 What does this output indicate?

A.The session is correctly configured as an ERSPAN source session.
B.The session is misconfigured because the destination must be a VLAN, not an IP.
C.The session is misconfigured because the source port must be a VLAN.
D.The session is misconfigured because the ERSPAN ID must match on both source and destination.
AnswerA

The output confirms an ERSPAN source session with a destination IP and ERSPAN ID.

Why this answer

The output shows an ERSPAN source session with source port Gi0/0, destination IP 10.1.1.1, and ERSPAN ID 100. This is the source side of an ERSPAN configuration.

52
MCQmedium

A network engineer runs the following command to troubleshoot a SPAN issue: R1# debug monitor session 1 *Mar 1 00:00:01.123: MONITOR: Session 1: Packet captured on Gi0/0, forwarded to Gi0/1 *Mar 1 00:00:02.456: MONITOR: Session 1: Packet captured on Gi0/0, forwarded to Gi0/1 What does this output indicate?

A.The SPAN session is correctly forwarding packets from Gi0/0 to Gi0/1.
B.The SPAN session is misconfigured because packets should not be forwarded.
C.The SPAN session is misconfigured because the debug output shows errors.
D.The SPAN session is misconfigured because the destination port is not specified.
AnswerA

The debug output confirms successful packet forwarding.

Why this answer

The debug output shows that packets captured on source port Gi0/0 are being forwarded to destination port Gi0/1 for session 1. This indicates that the SPAN session is operational.

53
Multi-Selectmedium

Which TWO commands verify the operational status of a local SPAN session on a Cisco IOS-XE switch? (Choose TWO.)

Select 2 answers
A.show monitor session 1
B.show monitor
C.show spanning-tree
D.show interfaces
E.show vlan
AnswersA, B

Displays detailed information about a specific SPAN session, including source, destination, and operational status.

Why this answer

The 'show monitor session 1' command displays details of a specific SPAN session, including source and destination interfaces and operational state. The 'show monitor' command lists all configured SPAN sessions and their status. 'show spanning-tree' is unrelated, 'show interfaces' does not show SPAN status, and 'show vlan' is for VLAN information.

54
Multi-Selecthard

Which THREE symptoms indicate a misconfigured RSPAN session on a Cisco switch? (Choose THREE.)

Select 3 answers
A.The RSPAN VLAN is not allowed on the trunk between the source and destination switches.
B.The destination switch does not have the RSPAN VLAN created.
C.The source switch is missing the 'monitor session 1 source' command.
D.The native VLAN mismatch on the trunk link.
E.The routing protocol is not redistributing the RSPAN VLAN.
AnswersA, B, C

The RSPAN VLAN must be permitted on all trunk links in the path for traffic to traverse.

Why this answer

RSPAN requires a dedicated VLAN (RSPAN VLAN) that is trunked across the network. If the RSPAN VLAN is not allowed on the trunk, traffic fails to reach the destination. If the destination switch does not have the RSPAN VLAN configured, the session cannot receive traffic.

A missing 'monitor session' command on the source switch means no traffic is being captured. A native VLAN mismatch does not specifically affect RSPAN, and a routing protocol issue is not directly related to Layer 2 RSPAN.

55
MCQeasy

In ERSPAN, what is the default encapsulation type used for transporting mirrored packets across an IP network?

A.IPsec
B.GRE
C.MPLS
D.VXLAN
AnswerB

ERSPAN uses GRE encapsulation as defined by Cisco.

Why this answer

ERSPAN uses GRE (Generic Routing Encapsulation) to encapsulate the original packets for transport over an IP network.

56
MCQmedium

A network engineer runs the following command on router R3: R3# show monitor session 5 Session 5 --------- Type : ERSPAN Destination Session Status : Admin Enabled Source IP : 10.0.0.2 Destination Ports : Gi0/1 Encapsulation : Native Ingress : Disabled ERSPAN ID : 100 Based on this output, which statement is correct?

A.The ERSPAN destination session receives traffic from source IP 10.0.0.2 and sends it to Gi0/1.
B.The ERSPAN destination session sends traffic to source IP 10.0.0.2.
C.The session is an RSPAN destination session because it uses a destination port.
D.The session is misconfigured because the destination port has ingress disabled.
AnswerA

The output shows source IP 10.0.0.2, destination port Gi0/1, and ERSPAN ID 100, confirming this.

Why this answer

This is an ERSPAN destination session. It receives ERSPAN-encapsulated traffic from source IP 10.0.0.2 with ERSPAN ID 100, decapsulates it, and sends the original mirrored traffic to destination port Gi0/1. The session is administratively enabled.

57
MCQmedium

A network engineer runs the following command on switch SW1: SW1# show monitor session 1 Session 1 --------- Type : Local Session Source Ports : Both : Gi0/1, Gi0/2 Destination Ports : Gi0/3 Encapsulation : Native Ingress : Disabled Based on this output, which statement is correct?

A.The SPAN session is monitoring traffic on Gi0/1 and Gi0/2 and sending it to Gi0/3.
B.The SPAN session is monitoring traffic on Gi0/3 and sending it to Gi0/1 and Gi0/2.
C.The SPAN session is using RSPAN because the destination port has ingress disabled.
D.The SPAN session is not active because the destination port is not in forwarding state.
AnswerA

The output clearly shows source ports Gi0/1 and Gi0/2, destination port Gi0/3, and type Local Session, confirming this.

Why this answer

The output shows a local SPAN session with source ports Gi0/1 and Gi0/2, and destination port Gi0/3. The destination port is configured with native encapsulation and ingress is disabled, meaning traffic received on the destination port is not forwarded. The session is active and correctly configured.

58
MCQhard

A network engineer runs the following command to troubleshoot a SPAN issue: R1# show monitor session all Session 1 --------- Type : Local Session Source Ports : Both : Gi0/0 Destination Ports : Gi0/1 Encapsulation : Native Ingress : Disabled Session 2 --------- Type : Remote Source Session Source Ports : Both : Gi0/2 Destination RSPAN VLAN : 100 What does this output indicate?

A.Both sessions are correctly configured and can operate simultaneously.
B.Session 1 is misconfigured because it cannot coexist with an RSPAN session.
C.Session 2 is misconfigured because the RSPAN VLAN must be used only for RSPAN.
D.Both sessions are misconfigured because they use the same source port.
AnswerA

Multiple SPAN sessions can coexist on the same device.

Why this answer

The output shows two sessions: Session 1 is a local SPAN session, and Session 2 is an RSPAN source session. This is a valid configuration for multiple monitoring sessions.

59
MCQhard

A network engineer runs the following command on switch SW6: SW6# show monitor session 8 Session 8 --------- Type : Remote Source Session Source Ports : Both : Gi0/13 Source VLANs : TX Only : 200 Destination Ports : Gi0/14 Encapsulation : Dot1q Ingress : Disabled Based on this output, which statement is correct?

A.The RSPAN source session sends mirrored traffic to Gi0/14 with a Dot1q tag.
B.The RSPAN source session sends mirrored traffic to Gi0/14 without any VLAN tag.
C.The session is an ERSPAN source session because it uses Dot1q encapsulation.
D.The session is misconfigured because source VLANs cannot be TX only.
AnswerA

The encapsulation type 'Dot1q' means the traffic is tagged with the RSPAN VLAN.

Why this answer

This is an RSPAN source session. It monitors source port Gi0/13 and source VLAN 200 (TX only), and sends the mirrored traffic to destination port Gi0/14 with Dot1q encapsulation. The Dot1q encapsulation indicates that the destination port is a trunk port carrying the RSPAN VLAN.

The session is correctly configured.

60
MCQhard

An engineer configures SPAN on a Cisco switch to monitor traffic from a source VLAN. Unexpectedly, BPDU guard shuts down the monitoring port when a switch is connected to it. Which is the most likely explanation?

A.The SPAN destination port is configured with spanning-tree bpduguard enable, and a BPDU from the connected switch triggers errdisable.
B.The SPAN source VLAN includes the native VLAN, causing BPDUs to be forwarded to the destination port.
C.The SPAN destination port is in the same VLAN as the source, causing a loop that triggers BPDU guard.
D.The switch has PortFast enabled on the SPAN destination port, which automatically enables BPDU guard.
AnswerA

BPDU guard on a SPAN destination port causes errdisable upon BPDU reception, despite SPAN disabling STP on that port.

Why this answer

SPAN destination ports do not participate in spanning tree, but BPDU guard still operates on them if configured globally or per interface. When a BPDU is received on a SPAN destination port, BPDU guard errdisables the port, even though the port is not forwarding traffic.

61
MCQhard

An engineer configures SPAN on a Cisco switch to monitor traffic from a VLAN, but the VLAN includes a voice VLAN. The mirrored traffic shows only data traffic, not voice. What is the most likely explanation?

A.The SPAN source is configured for the data VLAN only, not the voice VLAN.
B.Voice traffic uses a different CoS value, which SPAN ignores.
C.The voice VLAN is configured as a native VLAN, which SPAN does not capture.
D.The switch has a security ACL that blocks voice traffic from being mirrored.
AnswerA

SPAN VLAN-based monitoring captures only the specified VLAN; the voice VLAN must be added separately.

Why this answer

Voice VLANs are often configured as separate VLANs (e.g., VLAN 100 for voice, VLAN 10 for data). If the SPAN source is a single VLAN, it only captures traffic on that VLAN. To capture both, the SPAN session must include both VLANs or use a port-based source that includes both.

62
MCQmedium

A network engineer configures a SPAN session on a Cisco switch to monitor traffic on interface GigabitEthernet0/1 and sends it to interface GigabitEthernet0/2. The engineer notices that the destination port is up but does not forward any traffic. The engineer checks the configuration and sees that the destination port is configured as a trunk port. What is the most likely cause?

A.The destination port is configured as a trunk port instead of an access port.
B.The source interface is in a different VLAN than the destination interface.
C.The SPAN session is configured with the 'rx' direction only.
D.The destination port is not in the same VLAN as the source interface.
AnswerA

Correct because SPAN destination ports should be access ports; trunk ports are not supported for SPAN destinations on most platforms.

Why this answer

SPAN destination ports should be access ports, not trunk ports. If a trunk port is used as a destination, the switch may not forward the monitored traffic correctly because the port expects tagged traffic.

63
Multi-Selectmedium

Which TWO statements about RSPAN are true? (Choose TWO.)

Select 2 answers
A.RSPAN uses a dedicated VLAN to carry monitored traffic between switches.
B.The RSPAN VLAN must be allowed on all trunk links between the source and destination switches.
C.RSPAN encapsulates traffic in GRE headers for transport across Layer 3 networks.
D.RSPAN requires a dedicated monitoring server at the source switch.
E.RSPAN can only be configured on a single switch.
AnswersA, B

The RSPAN VLAN is used to transport mirrored traffic across the network.

Why this answer

RSPAN uses a dedicated VLAN (the RSPAN VLAN) to transport monitored traffic across switches. This VLAN must be configured on all switches in the path and trunked. It does not use GRE encapsulation (that is ERSPAN).

It does not require a separate monitoring server at the source, and it is not limited to a single switch.

64
MCQmedium

Consider the following partial configuration on a Cisco IOS-XE switch: monitor session 1 source interface GigabitEthernet1/0/1 both monitor session 1 destination interface GigabitEthernet1/0/2 What is the effect of this configuration?

A.It copies all traffic received and transmitted on GigabitEthernet1/0/1 to GigabitEthernet1/0/2.
B.It copies only ingress traffic from GigabitEthernet1/0/1 to GigabitEthernet1/0/2.
C.It copies only egress traffic from GigabitEthernet1/0/1 to GigabitEthernet1/0/2.
D.It copies traffic from GigabitEthernet1/0/2 to GigabitEthernet1/0/1.
AnswerA

The 'both' keyword specifies both ingress and egress traffic.

Why this answer

This configures a local SPAN session that copies traffic from GigabitEthernet1/0/1 (both ingress and egress) to GigabitEthernet1/0/2 for monitoring.

65
MCQhard

A switch is configured with RSPAN to monitor traffic from VLAN 50 to a remote switch via VLAN 200. The source switch has: monitor session 1 source vlan 50 rx monitor session 1 destination remote vlan 200. The remote switch has: monitor session 2 source remote vlan 200 monitor session 2 destination interface Gi0/2. The intermediate switches have VLAN 200 configured with 'remote-span'. The network uses VTP transparent mode. The analyzer connected to Gi0/2 sees intermittent traffic. The RSPAN VLAN 200 is also used as a native VLAN on some trunk ports. What is the likely cause of intermittent traffic?

A.The RSPAN VLAN 200 is also the native VLAN on some trunks, causing the mirrored frames to be sent untagged and possibly dropped.
B.VTP transparent mode prevents RSPAN from working correctly.
C.The source VLAN 50 is not allowed on the trunk ports.
D.The monitor session 2 is missing the 'no shutdown' command.
AnswerA

When the RSPAN VLAN is the native VLAN, frames are sent untagged, but the receiving switch expects tagged frames for the RSPAN VLAN.

Why this answer

RSPAN traffic is flooded across the RSPAN VLAN. If the RSPAN VLAN is used as the native VLAN on trunk ports, the switch may treat the RSPAN frames as untagged. However, RSPAN expects the frames to be tagged with the RSPAN VLAN ID.

When the native VLAN is the same as the RSPAN VLAN, the frames may be sent untagged on the trunk, but the receiving switch may interpret them as belonging to the native VLAN, causing them to be dropped or misdirected. This can lead to intermittent loss because the native VLAN handling may vary. The correct fix is to ensure the RSPAN VLAN is not the native VLAN on any trunk.

66
Multi-Selecthard

Which TWO statements about ERSPAN source session configuration are correct? (Choose TWO.)

Select 2 answers
A.The source session must include the 'type erspan-source' keyword.
B.The source session can use an IPv6 address for the destination without any additional configuration.
C.The source session must specify the 'erspan-id' and 'ip address' under the destination configuration.
D.The source session can be configured to use a VRF for the destination IP reachability.
E.The source session automatically creates a GRE tunnel interface that can be verified with 'show ip interface brief'.
AnswersA, C

Correct. The 'monitor session <session> type erspan-source' command defines the session as an ERSPAN source.

Why this answer

ERSPAN encapsulates mirrored traffic in GRE and sends it over an IP network. The source session must specify a type (ethernet or vlan), source interfaces or VLANs, and the destination ERSPAN ID along with the IPv4 or IPv6 address of the destination. The destination session on the remote switch decapsulates the GRE tunnel and presents the traffic to a local destination port.

67
Multi-Selectmedium

Which TWO configuration steps are required to set up an ERSPAN session on a Cisco IOS-XE device? (Choose TWO.)

Select 2 answers
A.monitor session 1 type erspan-source
B.destination erspan-id 1 ip address 192.168.1.100
C.shutdown
D.no monitor session 1
E.ip route 192.168.1.0 255.255.255.0 GigabitEthernet0/1
AnswersA, B

Creates an ERSPAN source session on the device.

Why this answer

ERSPAN encapsulates monitored traffic in GRE and sends it to an IP destination. The 'monitor session 1 type erspan-source' command defines the session as an ERSPAN source. The 'destination' command under that session specifies the IP address of the destination. 'source' is also needed but is not listed as an option here; 'shutdown' disables the session, 'no monitor session' removes it, and 'ip route' is for routing, not ERSPAN configuration.

68
MCQmedium

A network engineer runs the following command to troubleshoot an ERSPAN issue: R1# show monitor session 5 detail Session 5 --------- Type : ERSPAN Destination Session Source IP : 10.1.1.2 ERSPAN ID : 100 Destination Ports : Gi0/3 Encapsulation : Native Ingress : Disabled What does this output indicate?

A.The session is correctly configured as an ERSPAN destination session.
B.The session is misconfigured because the source must be a VLAN, not an IP.
C.The session is misconfigured because the destination port must have ingress enabled.
D.The session is misconfigured because the ERSPAN ID must be different from the source session.
AnswerA

The output confirms an ERSPAN destination session with a source IP and ERSPAN ID.

Why this answer

The output shows an ERSPAN destination session with source IP 10.1.1.2, ERSPAN ID 100, and destination port Gi0/3. This is the destination side of an ERSPAN configuration.

69
Multi-Selecthard

Which TWO statements about the limitations of local SPAN are correct? (Choose TWO.)

Select 2 answers
A.A local SPAN session can only monitor traffic on the same switch where the session is configured.
B.A local SPAN destination port can be a routed port or a switchport in trunk mode.
C.A local SPAN session can monitor both ingress and egress traffic simultaneously on the same source interface.
D.A local SPAN session can include a VLAN as a source, which monitors all traffic in that VLAN except the control plane traffic.
E.A local SPAN session can have multiple destination ports to send the mirrored traffic to multiple analyzers.
AnswersA, C

Correct. Local SPAN is confined to a single switch; it cannot extend across switches.

Why this answer

Local SPAN has several restrictions: it cannot send traffic across Layer 3 boundaries, it can only use interfaces on the same switch, and it has limitations on the number of sessions and the types of traffic that can be mirrored (e.g., control plane traffic is not included).

70
MCQmedium

A network engineer runs the following command to troubleshoot an RSPAN issue: R1# show monitor session 2 detail Session 2 --------- Type : Remote Source Session Source Ports : Both : Gi0/0 Destination RSPAN VLAN : 100 What does this output indicate?

A.The session is correctly configured as an RSPAN source session.
B.The session is misconfigured because the destination must be a port, not a VLAN.
C.The session is misconfigured because the source port must be a VLAN.
D.The session is misconfigured because the RSPAN VLAN must be configured as a remote-span VLAN.
AnswerA

The output confirms an RSPAN source session with a specified RSPAN VLAN.

Why this answer

The output shows an RSPAN source session with source port Gi0/0 and destination RSPAN VLAN 100. This is the source side of an RSPAN configuration.

71
MCQhard

What is the default MTU size for ERSPAN encapsulated packets on Cisco IOS-XE?

A.1500 bytes
B.1492 bytes
C.The ERSPAN packet inherits the interface MTU, with no separate default.
D.The default ERSPAN MTU is 1518 bytes.
AnswerC

ERSPAN does not have a configurable MTU; it uses the interface MTU, and the encapsulation adds 8 bytes (Type II) overhead.

Why this answer

ERSPAN adds a GRE header (4 bytes) and an ERSPAN header (4 bytes for Type II) to the original packet. The default system MTU is 1500 bytes, but the ERSPAN packet may exceed this; however, the default MTU for the ERSPAN session itself is not explicitly set—it inherits the interface MTU. There is no separate default ERSPAN MTU; the question tests understanding that ERSPAN adds 8 bytes overhead.

72
MCQhard

What is the default ERSPAN ID range on Cisco IOS-XE devices?

A.1 to 256
B.1 to 1023
C.1 to 4096
D.1 to 65535
AnswerB

The ERSPAN ID range is 1 to 1023 on most Cisco IOS-XE platforms.

Why this answer

ERSPAN sessions use an ID from 1 to 1023 (or 1 to 256 on some platforms) to identify the session. The default is 1 if not specified.

73
MCQhard

An engineer configures RSPAN VLAN 100 on two switches to monitor traffic across the network. The remote switch shows the RSPAN source as active, but the destination switch receives no mirrored traffic. What is the most likely cause?

A.The RSPAN VLAN is not allowed on a trunk link between the source and destination switches.
B.The RSPAN VLAN is configured as a native VLAN on the trunk, causing VLAN tagging issues.
C.The destination switch has a different RSPAN VLAN ID configured for the session.
D.The source switch has not enabled RSPAN globally with the 'monitor session' command.
AnswerA

RSPAN traffic traverses the network in the RSPAN VLAN; if that VLAN is not permitted on an intermediate trunk, the traffic is dropped.

Why this answer

RSPAN requires that the RSPAN VLAN be created and allowed on all intermediate switches (trunks) between source and destination. If the RSPAN VLAN is pruned or not allowed on a trunk, the mirrored traffic never reaches the destination. Additionally, the RSPAN VLAN must not be used for user data.

74
MCQmedium

A network engineer runs the following command on router R2: R2# show monitor session 4 Session 4 --------- Type : ERSPAN Source Session Status : Admin Enabled Source Ports : Both : Gi0/0 Destination IP : 192.168.1.10 Origin IP : 10.0.0.2 ERSPAN ID : 100 Based on this output, which statement is correct?

A.The ERSPAN session is mirroring traffic from Gi0/0 to IP address 192.168.1.10 using ERSPAN ID 100.
B.The ERSPAN session is mirroring traffic from IP 192.168.1.10 to Gi0/0.
C.The ERSPAN session is using RSPAN encapsulation.
D.The ERSPAN session is disabled because the status is 'Admin Enabled'.
AnswerA

The output clearly shows source port Gi0/0, destination IP 192.168.1.10, and ERSPAN ID 100.

Why this answer

This is an ERSPAN source session. It mirrors traffic from source port Gi0/0 and encapsulates it with an ERSPAN header, sending it to destination IP 192.168.1.10 with origin IP 10.0.0.2 and ERSPAN ID 100. The session is administratively enabled.

75
MCQhard

A network engineer runs the following command to troubleshoot an ERSPAN issue: R1# show ip interface brief | include Gi0/0 GigabitEthernet0/0 10.1.1.1 YES NVRAM up up R1# show monitor session 7 detail Session 7 --------- Type : ERSPAN Source Session Source Ports : Both : Gi0/1 Destination IP : 10.1.1.2 ERSPAN ID : 300 What does this output indicate?

A.The ERSPAN session is correctly configured and the destination IP is reachable.
B.The ERSPAN session is misconfigured because the source port must have an IP address.
C.The ERSPAN session is misconfigured because the destination IP must be on the same subnet as the source.
D.The ERSPAN session is misconfigured because the ERSPAN ID must be unique across all sessions.
AnswerA

The interface is up and the destination IP is likely reachable.

Why this answer

The output shows that interface Gi0/0 has IP address 10.1.1.1 and is up/up, and ERSPAN session 7 has destination IP 10.1.1.2. This indicates that the ERSPAN source session is configured to send traffic to 10.1.1.2, which is reachable via Gi0/0.

Page 1 of 2 · 76 questions totalNext →

Ready to test yourself?

Try a timed practice session using only SPAN, RSPAN, and ERSPAN questions.