CHAPTE R
27-1
Catalyst 2960 and 2960-S Switch Software Configuration Guide
OL-8603-09
27
Configuring SPAN and RSPAN
Note To use RSPAN, the switch must be running the LAN Base image.
This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN)
on the Catalyst 2960 and 2960-S switches. Unless otherwise noted, the term sw itch refers to a standalone
switch and a switch stack.
Note Stacking is supported only on Catalyst 2960-S switches running the LAN base image.
For complete syntax and usage information for the commands used in this chapter, see the command
reference for this release.
This chapter consists of these sections:
Understanding SPAN and RSPAN, page 27-1
Configuring SPAN and RSPAN, page 27-10
Displaying SPAN and RSPAN Status, page 27-24

Understanding SPAN and RSPAN

You can analyze network traffic passing through ports or VLANs by using SPAN or RSPAN to send a
copy of the traffic to another port on the switch or on another swi tch that has been connected to a network
analyzer or other monitoring or security device. SPAN copies (or mirrors) traffic received or sent (or
both) on source ports or source VLANs to a destination port for a nalysis. SPAN does not affect the
switching of network traffic on the source ports or VLANs. You must dedicate the destination port for
SPAN use. Except for traffic that is required for the SPAN or RSPAN session, destination ports do not
receive or forward traffic.
Only traffic that enters or leaves source ports or traffic that enters or leaves source VLANs can be
monitored by using SPAN; traffic routed to a source VLAN cannot be monitored. For example, if
incoming traffic is being monitored, traffic that gets routed from another VLAN to the source VLAN
cannot be monitored; however, traffic that is received on the source VLAN and routed to another VLAN
can be monitored.
You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For
example, if you connect a Cisco Intrusion Detection System (IDS) sensor a ppliance to a destination port,
the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.