Local-SPAN(LSPAN)

28 September 2025 Hüseyin Pala Computer Networking 0

SPAN stands for Switched Port Analyzer, and it is also known as port mirroring. SPAN is used for copying the traffic from a source port to a destination port for monitoring purposes. Traffic copying is not limited to ports but can be also be applied VLANs and Port-Channel interfaces.

SPAN can be applied in three different ways. These are:

  • Local-SPAN(LSPAN)
  • Remote-SPAN(RSPAN)
  • Encapsulated Remote-SPAN(ERSPAN)

In this article, we will focus on Local SPAN.

Local SPAN (LSPAN) is used when the source and destination ports are on the same switch.

The topology below will be used to explain the details of LSPAN more clearly.

aaa

In this example, the GigabitEthernet0/1 interface is used as the source port, so the traffic coming from this port will be copied to GigabitEthernet0/3, the monitoring port.

To do that, we can use the commands below.

Switch# configure terminal
Switch(config)# monitor session 1 source interface GigabitEthernet 0/1 both
Switch(config)# monitor session 1 destination interface GigabitEthernet 0/3
Switch(config)# exit
Switch# write memory

“monitor session 1 source interface GigabitEthernet 0/1 both”

In this command, we first set the session number to 1, then set the source interface, and finally specify which type of traffic will be copied to GigabitEthernet0/3. There are three types of traffic, and these are:

  • RX (Receive) – only the incoming traffic
  • TX (Transmit) – only the outgoing traffic
  • BOTH – both incoming and the outgoing traffic

In this example, we want to copy all the traffic from the GigabitEthernet0/1 interface to GigabitEthernet0/3, so we specify the BOTH option.

It is also possible to set the source to more than one interface or VLANs.

Switch-huseyinpala.com(config)# monitor session 6 source interface GigabitEthernet0/12 - 13 rx
(Both GigabitEthernet0/12 and the GigabitEthernet0/13 ports traffic will be copied. But just the incoming traffic of ports.)
Switch-huseyinpala.com(config)# monitor session 7 source vlan 12 - 13 both 
(Both VLAN 12 and VLAN 13 traffic will be copied. This time not only incoming traffic but also outgoing traffic.)

Ensure that your switch can handle all configured SPAN processes before setting up SPAN; otherwise, you may encounter serious problems.

The device on GigabitEthernet0/3 with IP address 10.0.0.30/24 is now used only for monitoring. The device is not able to generate traffic for itself, but it can now monitor the copied traffic. To do so, advanced network monitoring tools, such as Wireshark, can be used.

When we run the command below, we can see the status of the port.

Switch# show interfaces GigabitEthernet0/3
GigabitEthernet0/3 is up, line protocol is down (monitoring)
.
.
.

The command is used to view the details of the configured Local SPAN (LSPAN) on the switch.

Switch# show monitor session local

From now on, we can listen to both the outgoing and incoming traffic from GigabitEthernet0/1 on GigabitEthernet0/3.

Stay tuned for more computer-networks content.

About Hüseyin Pala 156 Articles
Junior Network Specialist

Be the first to comment

Leave a Reply

Your email address will not be published.


*