Monitoring multiple VLANs with a single SPAN session

13 February 2015 NetFort Blog By: Darragh Delaney
How to monitor multiple VLANs

SPAN or mirror ports can be a rich source of network and user activity data. Most people set them up so that one port is mirroring another port. However most switches support many-to-one port mirroring. This means you can choose multiple ports or VLANs as the source.

In the following example we configure a SPAN session so that a monitoring tool connected on port 10 gets a copy of all traffic going into and out of VLANs 1 and 100. The main thing to watch out for is the use of spaces. There is a space after the 1 and after the comma.

monitor session 1 source VLAN 1 , 100 both

monitor session 1 destination interface Gi0/10

The following extract is from the Cisco configuration guide which gives a bit more detail on this feature. You can also get more information about setting up SPAN sessions on other switches on our core switch documentation page and you can learn about how you can have multiple SPAN destinations.

monitor session session_number source interface interface-id [, | ] [both | rx | tx]

Specify the SPAN session and the source port (monitored port).

For session_number, specify 1.

For interface-id, specify the source port to monitor. Valid interfaces include physical interfaces and port-channel logical interfaces (port-channel port-channel-number).

(Optional) [, | -] Specify a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.

(Optional) Specify the direction of traffic to monitor. If you do not specify a traffic direction, the source interface sends both sent and received traffic.

  • both—Monitor both received and sent traffic.
  • rx—Monitor received traffic.
  • tx—Monitor sent traffic.

monitor session session_number destination interface interface-id [encapsulation {dot1q}]

Specify the SPAN session and the destination port (monitoring port).

For session_number, specify 1.

For interface-id, specify the destination port. Valid interfaces include physical interfaces.

(Optional) Specify the encapsulation header for outgoing packets. If not specified, packets are sent in native form.

  • dot1q—Use 802.1Q encapsulation.

