CHAPT ER
32-1
Catalyst 3750-X and 3560-X Switch Software Configuration Guide
OL-21521-01
32
Configuring SPAN and RSPAN
This chapter describes how to configure Switched Port Analyzer (SPAN) and Remote SPAN (RSPAN)
on the Catalyst 3750-X or 3560-X switch. Unless otherwise noted, the term switch refers to a
Catalyst 3750-X or 3560-X standalone switch and to a Catalyst 3750-X switch stack.
Note For complete syntax and usage information for the commands used in this chapter, see the command
reference for this release.
Understanding SPAN and RSPAN, page 32-1
Understanding Flow-Based SPAN, page 32-11
Configuring SPAN and RSPAN, page 32-12
Configuring FSPAN and FRSPAN, page 32-24
Displaying SPAN, RSPAN. FSPAN, and FRSPAN Status, page 32-28

Understanding SPAN and RSPAN

You can analyze network traffic passing through ports or VLANs by using SPAN or RSPAN to send a
copy of the traffic to another port on the switch or on another switch that has been connected to a network
analyzer or other monitoring or security device. SPAN copies (or mirrors) traffic received or sent (or
both) on source ports or source VLANs to a destination port for analysis. SPAN does not affect the
switching of network traffic on the source ports or VLANs. You must dedicate the destination port for
SPAN use. Except for traffic that is required for the SPAN or RSPAN session, destination ports do not
receive or forward traffic.
Only traffic that enters or leaves source ports or traffic that enters or leaves source VLANs can be
monitored by using SPAN; traffic routed to a source VLAN cannot be monitored. For example, if
incoming traffic is being monitored, traffic that gets routed from another VLAN to the source VLAN
cannot be monitored; however, traffic that is received on the source VLAN and routed to another VLAN
can be monitored.
You can use the SPAN or RSPAN destination port to inject traffic from a network security device. For
example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a destination port,
the IDS device can send TCP reset packets to close down the TCP session of a suspected attacker.