Cisco 4500M Software Manual page 536

Overview of SPAN and RSPAN
For SPAN configuration, the source interfaces and the destination interface must be on the same switch.
SPAN does not affect the switching of network traffic on source interfaces; copies of the packets received
or transmitted by the source interfaces are sent to the destination interface.
Figure 39-1 Example SPAN Configuration
E2
E1
RSPAN extends SPAN by enabling remote monitoring of multiple switches across your network. The
traffic for each RSPAN session is carried over a user-specified RSPAN VLAN that is dedicated for that
RSPAN session in all participating switches. The SPAN traffic from the sources is copied onto the
RSPAN VLAN and then forwarded over trunk ports that are carrying the RSPAN VLAN to any RSPAN
destination sessions monitoring the RSPAN VLAN, as shown in
Figure 39-2 Example of RSPAN Configuration
Source switch
RSPAN
source port
SPAN and RSPAN do not affect the switching of network traffic on source ports or source VLANs; a
copy of the packets received or sent by the sources is sent to the destination. Except for traffic that is
required for the SPAN or RSPAN session, by default, destination ports do not receive or forward traffic.
You can use the SPAN or RSPAN destination port to forward transmitted traffic from a network security
device. For example, if you connect a Cisco Intrusion Detection System (IDS) sensor appliance to a
destination port, the IDS device can send TCP reset packets to close down the TCP session of a suspected
attacker.
Software Configuration Guide—Release 12.2(25)EW
39-2
1 2 3 4 5 6 7 8 9 10 11 12
E6 E7
E11
E5 E8
E4 E9
E3
E10
Network analyzer
RSPAN
VLAN
Port 5 traffic mirrored
on port 10
E12
Intermediate switch
RSPAN
VLAN
Chapter 39 Configuring SPAN and RSPAN
Figure 39-2.
Destination switch
RSPAN
destination port
OL-6696-01