NetFort Advertising

Multiple SPAN destinations on a Cisco switch

network switch

How to setup multiple SPAN destinations

SPAN or mirror ports are getting more and more popular. They provide such a rich source of user activity data that they can easily run out. Cisco switches for example will only allow you to setup two SPAN sessions per switch.

What if you want to connect up another monitoring tool and you find that both sessions are in use? The answer is very straightforward, you can actually specify two destinations for one SPAN session. In the following example we have our firewall connected to port 10 on the core switch and we want to send a copy of the traffic going to and from this port to ports 1 and 2. The main thing to watch out for is the use of spaces. There is a space after the 1 and after the comma.

monitor session 1 source interface Gi0/10

monitor session 1 destination interface Gi0/1 , Gi0/2

The following extract is from the Cisco configuration guide which gives a bit more detail on this feature. You can also get more information about setting up SPAN sessions on other switches on our core switch documentation page.

monitor session session_numberdestination {interfaceinterface-id [, | -] [encapsulation {dot1q |replicate}]}

For interface-id, specify the destination  port. The destination interface must be a physical port; it cannot be an  EtherChannel, and it cannot be a VLAN.

(Optional) [, | -] Specify a series or range of interfaces. Enter a space before and after the comma; enter a space before and after the hyphen.

(Optional) Enter encapsulation dot1q to specify that the destination interface uses the IEEE 802.1Q encapsulation method.

(Optional) Enter encapsulation replicate to specify  that the destination interface replicates the source interface  encapsulation method. If not selected, the default is to send packets in  native form (untagged).

Note You can use monitor session session_number destination command multiple times to configure multiple destination ports.