How to Configure Port Mirroring on Cisco Switch

by
How to configure cisco span port

In this guide, you will learn how to configure port mirroring on a Cisco switch.

Port mirroring is also referred to as a Switch Port Analyzer (SPAN) port, and the two are interchangeable. I will use both throughout this article, just remember they mean the same thing.

Port mirroring is a way to collect network traffic from a physical interface or from VLANs. In basic terms port mirroring takes packets from a source (physical interface or VLAN) and copies them to another physical port. Port mirroring is typically used for monitoring and troubleshooting the network.

I’ll provide an example configuration for mirroring a single physical interface and for VLANs.

Let’s get started.

Network Diagram

In the diagram below, I have a server that is connected to port gi0/1 (source port). I want to mirror this port and send a copy of the packets to port gi0/8 (destination port). On the destination port, I’ll be using Wireshark to analyze the copied packets.

cisco span port network diagram

Steps to Configure Port Mirroring

These commands will work for both Catalyst and Nexus switches.

Before configuring a SPAN port, it’s a good idea to see if any already exist on your switch by using the command below.

show monitor session all

Step 1: Configure Source SPAN Port

To mirror port gi0/1 I’ll use the command below.

monitor session 1 source interface gi0/1

Here is a screenshot from my switch.

configure source span port command

Step 2: Configure Destination SPAN Port

I want to send a copy of all traffic from port gi0/1 to port gi0/8. 

monitor session 1 destination interface gi0/8

Here is a screenshot from my switch.

configure destination span port command

That is it! Pretty easy right?

To review the settings use the “show monitor session all” command. You can also view a single session by specifying the session number such as “show monitor session 1”.

show span sessions

Example 2: Configure Port Mirror for VLANs

In this example, I’ll enable port mirroring for VLAN 100. You can specify single or multiple VLANs.

Since I’m already using session 1 I’ll create a new session. 

monitor session 2 source vlan 100

If you want to monitor multiple VLANs you can specify a range, like below. 

monitor session 2 source VLAN 1 - 100

Since port gi0/8 is already used in session 1, I’ll configure a new destination port. 

monitor session 2 destination interface gi0/7

Now I have two port SPANs configured. I can view them both with the show monitor session all command.

show all span sessions

Nice work. If you followed along you should now be able to configure a SPAN port on a Cisco switch or router.

Now I will open Wireshark on my computer, select the interface that is connected to port Gi0/8 and I’ll see all of the traffic sent and received from port Gi0/1.

In this example, I’m sending pings from the server (connected to port Gi0/1) to another computer on the network. You can see in the screenshot below I’m getting copies of this traffic and I’m able to analyze it with Wireshark.

wireshark port mirror example

To remove a SPAN session use the command “no monitor session” and the session number. For example, I’ll remove session 1 

no monitor session 1
remove cisco span session

When I show all the sessions you can see session 1 is gone.

Resources

More Cisco Tutorials

Recommended Tool: SolarWinds Network Performance Monitor (NPM)

SolarWinds NPM is a powerful and easy-to-use software that can help you monitor, troubleshoot, and optimize your network performance.

Reduce network downtime, monitor network performance and availability, discover and map your network devices, analyze network capacity and hardware health, and much more.

You can start a free trial of NPM today and see for yourself how it can help you monitor your network more effectively. Just click on the link below to download NPM and get started.

Download Free Trial