Overview & Thematic Scope
This FAQ addresses the most common technical support and deployment questions surrounding port mirroring using SPAN (Switched Port Analyzer) and RSPAN (Remote SPAN). Whether you are a network engineer configuring local traffic analysis or planning a distributed IDS deployment across multiple switches, these answers are optimized for pre-sales validation and post-sales troubleshooting. All guidance assumes enterprise-grade switching hardware (e.g., Cisco Catalyst, Nexus).

Frequently Asked Questions
- Q1: What is the fundamental difference between SPAN and RSPAN for port mirroring configuration?
- SPAN mirrors traffic to a destination port on the same switch, while RSPAN carries mirrored traffic across multiple switches inside a dedicated RSPAN VLAN. Use SPAN when the monitoring tool (e.g., an intrusion detection system) connects directly to the source switch. RSPAN tags the mirrored frames with the RSPAN VLAN ID so they can traverse trunk links to the remote switch where the analyzer resides, without requiring a routed interface.
- Q2: How many SPAN or RSPAN sessions can I configure simultaneously on a typical enterprise switch?
- Most Cisco Catalyst 9300/9500 series support up to 4 active SPAN sessions and 2 RSPAN sessions concurrently, though limits vary by ASIC and software. For example, Catalyst 2960-X allows 2 SPAN or 2 RSPAN sessions total. Exceeding these limits will produce a configuration error. Always check your platform’s release notes; using a source VLAN in a session consumes one session slot, and destination ports cannot share a session.
- Q3: What causes packet drops in SPAN/RSPAN configurations, and how do I resolve them?
- Packet drops typically stem from three causes: destination port oversubscription, a speed/duplex mismatch, or microbursts that overflow the destination port’s egress buffer. First, verify that the destination port is at least as fast as the aggregated source bandwidth (e.g., when mirroring four 1 Gbps ports, use a 10 Gbps destination). Second, disable auto-negotiation and hard-set the speed and duplex. Third, use the ‘monitor session 1 rate-limit 100’ command to throttle ingress traffic, or deploy a network packet broker (NPB) for burst-heavy flows.
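The oversubscription check in the first step is easy to get wrong when sources are mirrored in both directions, so here is an added Python example (not from the original FAQ) that sizes a destination port against the worst-case mirrored load. It assumes that every mirrored frame leaves through the destination port alone, so a source monitored in ‘both’ directions can contribute up to twice its link speed; the SpanSource type, the function names and the sample port names are the example’s own.

```python
# Added example (not part of the original FAQ): size a SPAN/RSPAN destination
# port against the worst-case mirrored load.
# Assumption: every mirrored frame is transmitted out of the destination port,
# so a source monitored in 'both' directions contributes rx + tx = 2x its link
# speed, while 'rx' or 'tx' alone contributes 1x.
from dataclasses import dataclass

DIRECTION_FACTOR = {"rx": 1, "tx": 1, "both": 2}


@dataclass(frozen=True)
class SpanSource:
    name: str          # e.g. "Gi1/0/1" (constructed sample names)
    speed_gbps: float  # link speed of the monitored port
    direction: str     # "rx", "tx" or "both"


def worst_case_mirror_gbps(sources):
    """Sum of the maximum traffic each source can push to the destination."""
    total = 0.0
    for s in sources:
        try:
            factor = DIRECTION_FACTOR[s.direction]
        except KeyError:
            raise ValueError(f"{s.name}: unknown direction {s.direction!r}") from None
        total += s.speed_gbps * factor
    return total


def check_destination(sources, dest_speed_gbps):
    """Report whether dest_speed_gbps can carry the worst-case mirrored load."""
    aggregate = worst_case_mirror_gbps(sources)
    ratio = aggregate / dest_speed_gbps
    return {"aggregate_gbps": aggregate, "oversubscription": ratio, "ok": ratio <= 1.0}


def smallest_fitting_destination(sources, candidates=(1, 10, 25, 40, 100)):
    """Pick the slowest common port speed (Gbps) that is not oversubscribed."""
    aggregate = worst_case_mirror_gbps(sources)
    for speed in sorted(candidates):
        if speed >= aggregate:
            return speed
    return None  # no single port fits: split the session or use a packet broker


if __name__ == "__main__":
    # Constructed sample: four 1 Gbps access ports mirrored in both directions.
    sources = [SpanSource(f"Gi1/0/{i}", 1.0, "both") for i in range(1, 5)]
    print(check_destination(sources, 1.0))    # 8 Gbps into a 1 Gbps port: 8x oversubscribed
    print(check_destination(sources, 10.0))   # 8 Gbps into a 10 Gbps port: fits
    print(smallest_fitting_destination(sources))  # 10
```

The worst case rarely occurs on every source at once, but an analyzer that is only sized for the average will silently lose exactly the burst you most want to see, so size for the aggregate and let the rate limiter or packet broker handle what the port cannot.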
- Q4: Can I mirror a VLAN to a physical port using RSPAN across a Layer 3 boundary?
- No. Standard RSPAN cannot cross a Layer 3 (routed) interface because the mirrored traffic stays inside a dedicated Layer 2 RSPAN VLAN. To cross a Layer 3 boundary, use ERSPAN (Encapsulated Remote SPAN), which tunnels mirrored packets over Generic Routing Encapsulation (GRE) to an IP destination. ERSPAN requires hardware support (e.g., Catalyst 9000 series) and adds up to 42 bytes of header overhead per packet.
- Q5: What is the correct RSPAN configuration sequence to avoid accidental network loops?
- Always create the dedicated RSPAN VLAN first on all switches, disable MAC address learning on that VLAN, then configure the session to prevent STP loops. Step-by-step: (1) ‘vlan 999; remote-span’ on source and destination switches. (2) On trunk interfaces, allow VLAN 999. (3) On source switch: ‘monitor session 2 type remote-source; source interface gig1/0/1 both; destination remote vlan 999’. (4) On destination switch: ‘monitor session 2 type remote-destination; destination interface gig2/0/10; source remote vlan 999’. Never place host devices in the RSPAN VLAN.
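Because the damage from a mis-sequenced RSPAN rollout (a host in the RSPAN VLAN, a trunk that prunes it, a VLAN that never got ‘remote-span’) shows up as a loop or a leak rather than a syntax error, it is worth auditing the configurations of both switches before the session is brought up. The following Python is an added example (not from the original FAQ and not a Cisco tool) that parses a small IOS-style subset of a running configuration and reports those mistakes; the sample configurations, interface names and session numbers are constructed for illustration, reusing the VLAN 999 and session 2 values from the answer above.

```python
# Added example (not part of the original FAQ): audit RSPAN configurations from
# a source and a destination switch for the loop/leak mistakes the FAQ warns
# about. The parser only understands the small IOS-style subset used in the
# constructed samples below (top-level commands, one level of indentation).
import re


def parse_blocks(config_text):
    """Group IOS-style config into (header, [indented sub-lines]) blocks."""
    blocks = []
    for raw in config_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and blocks:
            blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def vlan_ids(spec):
    """Expand an allowed-VLAN list such as '10,20,100-200' into a set of ints."""
    ids = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            ids.update(range(int(lo), int(hi) + 1))
        elif part.strip():
            ids.add(int(part))
    return ids


def audit_switch(name, config_text, rspan_vlan):
    """Findings for one switch: RSPAN VLAN definition, trunk pruning, host ports."""
    findings = []
    blocks = parse_blocks(config_text)
    vlan_body = next((b for h, b in blocks if h == f"vlan {rspan_vlan}"), None)
    if vlan_body is None:
        findings.append(f"{name}: vlan {rspan_vlan} is not defined")
    elif "remote-span" not in vlan_body:
        findings.append(f"{name}: vlan {rspan_vlan} lacks 'remote-span'")
    for header, body in blocks:
        if not header.startswith("interface "):
            continue
        ifname = header.split(" ", 1)[1]
        # A host/access port in the RSPAN VLAN is never acceptable.
        if f"switchport access vlan {rspan_vlan}" in body:
            findings.append(f"{name}: {ifname} is an access port in RSPAN vlan {rspan_vlan}")
        if "switchport mode trunk" in body:
            allowed = None  # None = IOS default, all VLANs allowed on the trunk
            for line in body:
                m = re.match(r"switchport trunk allowed vlan(?: (add))? (.+)$", line)
                if m:  # 'remove'/'except' forms are not handled in this subset
                    ids = vlan_ids(m.group(2))
                    allowed = (allowed or set()) | ids if m.group(1) else ids
            if allowed is not None and rspan_vlan not in allowed:
                findings.append(f"{name}: trunk {ifname} does not allow vlan {rspan_vlan}")
    return findings


def audit_sessions(src_cfg, dst_cfg, rspan_vlan):
    """Check that the remote-source and remote-destination sessions agree on the VLAN."""
    findings = []
    src = [h for h, _ in parse_blocks(src_cfg) if h.startswith("monitor session")]
    dst = [h for h, _ in parse_blocks(dst_cfg) if h.startswith("monitor session")]
    if not any(h.endswith("type remote-source") for h in src):
        findings.append("source switch: no 'type remote-source' session")
    if not any(h.endswith(f"destination remote vlan {rspan_vlan}") for h in src):
        findings.append(f"source switch: no session sends to remote vlan {rspan_vlan}")
    if not any(h.endswith("type remote-destination") for h in dst):
        findings.append("destination switch: no 'type remote-destination' session")
    if not any(h.endswith(f"source remote vlan {rspan_vlan}") for h in dst):
        findings.append(f"destination switch: no session receives remote vlan {rspan_vlan}")
    return findings


# Constructed sample: a correctly sequenced source switch.
SOURCE_OK = """\
vlan 999
 remote-span
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20,999
monitor session 2 type remote-source
monitor session 2 source interface Gi1/0/1 both
monitor session 2 destination remote vlan 999
"""

# Constructed sample: a destination switch with three of the classic mistakes.
DEST_BAD = """\
vlan 999
interface GigabitEthernet2/0/5
 switchport mode access
 switchport access vlan 999
interface GigabitEthernet2/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
monitor session 2 type remote-destination
monitor session 2 destination interface Gi2/0/10
monitor session 2 source remote vlan 999
"""

if __name__ == "__main__":
    for line in audit_switch("src", SOURCE_OK, 999) + audit_switch("dst", DEST_BAD, 999):
        print(line)
    print(audit_sessions(SOURCE_OK, DEST_BAD, 999))  # [] : the sessions themselves agree
```

Run against the two samples, the source switch is clean and the destination switch reports the missing ‘remote-span’, the host port in VLAN 999 and the trunk that prunes it, while the session check passes: exactly the situation where the CLI accepts everything and the network still loops or leaks. Run the same audit on every intermediate switch too, since each one must define the VLAN and carry it on its trunks.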
- Q6: Does enabling SPAN or RSPAN impact the switching performance or forwarding plane on the source ports?
- Port mirroring is handled in hardware (ASIC) on modern enterprise switches, so under normal load it causes no performance degradation on the monitored source ports. However, enabling ‘ingress’ or ‘both’ direction monitoring on a heavily loaded port carrying 100% line-rate traffic may require the switch to replicate packets, which consumes ASIC resources. In rare cases you may see a latency increase of less than 0.5%. Avoid combining CPU-intensive features (e.g., ACL logging) with mirrored sessions.
- Q7: Can I monitor multiple source VLANs and exclude specific ports within those VLANs from a SPAN session?
- No, when you specify a source VLAN, SPAN automatically includes all active ports in that VLAN without granular port exclusions. To exclude a specific port, you must either: (a) use a port-based SPAN source listing all desired ports individually, or (b) deploy an ACL on the SPAN source (platform dependent, e.g., ‘monitor access-list’) to filter out specific MAC/IP addresses. VLAN-based SPAN is all-or-nothing within that VLAN.
- Q8: What is the maximum RSPAN VLAN distance and supported hop count across switches?
- RSPAN supports up to 5 hops (switch-to-switch trunk traversals) with no explicit distance limit beyond standard Ethernet transmission distances (100m copper, 10km+ fiber). Each intermediate switch must have the RSPAN VLAN defined with ‘remote-span’ and must carry that VLAN across trunks. Beyond 5 hops, mirrored packets experience increased inter-frame gaps and may be dropped by the destination switch due to spanning tree reconvergence timers. For metro or campus-wide monitoring exceeding 5 hops, deploy ERSPAN.