Switch port mirroring is a Cisco switch feature that copies packets from one or more source ports to a destination port for network monitoring, configured via the monitor session CLI.
configure terminal
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/24
end
Syntax
# Global configuration mode
monitor session [session-number] source {interface [interface-id] | vlan [vlan-id]} [, | -] [both | rx | tx]
monitor session [session-number] destination {interface [interface-id] [encapsulation {dot1q | replicate}]}
monitor session [session-number] [no] shutdown
Tested on Cisco IOS XE 17.x with Catalyst 9200/9300 switches. The session number must be unique per switch (range 1-65535). Default direction is both; omitting the direction keyword enables both rx and tx.
Options and Flags
| Parameter | Type | Default | Description |
|---|---|---|---|
| source | Interface / VLAN | N/A | Port(s) to monitor; supports physical, port-channel, VLAN. |
| destination | Interface | N/A | Port receiving mirrored traffic; must be a single port. |
| both \| rx \| tx | Direction | both | Monitor traffic direction: ingress (rx), egress (tx), or both. |
| encapsulation replicate | Keyword | None | Preserve original VLAN tag on mirrored frames; dot1q adds a new tag. |
| shutdown | Command | Session active | Disable a monitor session without removing configuration. |
Usage Examples
Monitor a single port to a collector
configure terminal
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/24
end
Copies all inbound and outbound traffic from port 1/0/1 to port 1/0/24 where a Wireshark or IDS is connected.
Monitor multiple ports using source list
monitor session 2 source interface GigabitEthernet1/0/1 - 10 rx
monitor session 2 destination interface GigabitEthernet1/0/24 encapsulation replicate
Only ingress traffic from 10 ports is mirrored; output frames retain original VLAN tags for L2 analysis.
Disable a session temporarily
monitor session 1 shutdown
Stops mirroring without deleting the configuration – useful during maintenance without re-entering long source lists.
Error Codes
SPAN does not produce traditional exit codes. Errors surface as CLI rejection messages. Common errors:
| Error | Meaning | Operational Impact |
|---|---|---|
| % Invalid input detected | Unsupported source or duplicate session | Session not created; verify interface number and session number (1-65535). |
| % This resource is already in use | Destination port already assigned to another SPAN session | Each destination can only belong to one active session; use a different port. |
| % No monitor session found | Session number does not exist | Use show monitor session all to list configured sessions. |
Troubleshooting & Common Errors
| Issue | Root Cause | Resolution Command |
|---|---|---|
| No traffic seen on mirror destination | Session shut down or misconfigured direction | show monitor session 1 to verify state and source/direction |
| Mirror port drops packets under load | Destination port speed/duplex mismatch or insufficient bandwidth | Ensure destination port runs at ≥ source speed; use encapsulation replicate instead of dot1q when VLAN tags are not needed. |
| Cannot delete session | Session is active and in use | no monitor session 1 may only work after the session is shut down; on some versions it works without a prior shutdown, so check your version. |
Performance Considerations
Port mirroring (SPAN) is primarily a hardware function, but resource exhaustion can cause drops. To avoid performance degradation:
- Ensure the destination port has at least the same speed as the source port; oversubscribing a lower-speed destination leads to drops.
- Use encapsulation replicate to avoid extra CPU overhead from VLAN tag rewriting.
- Limit the number of mirrored source ports per session; each session consumes internal buffer resources. If error code EGSY appears (buffer overflow), simplify the source list or increase platform buffer allocation via show monitor session to verify drop counts.
- For high-volume flows, avoid mirroring to the switch CPU (cpu as seen in some platforms); use a physical egress port for hardware forwarding.
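The destination-speed rule above can be checked before a session is applied. The following Python sketch is an added example, not part of the original page or any Cisco tooling. It goes one step beyond the text by counting a source mirrored in both directions as up to twice its line rate, since rx and tx copies share the destination's single egress path. It assumes full interface names and infers nominal speed from the name prefix; the sample configuration is constructed.

```python
import re
from collections import defaultdict

# Nominal speed (Mb/s) inferred from the interface name prefix: an assumption
# of this example; a real audit would read negotiated speed from the switch.
SPEED = {"GigabitEthernet": 1000, "TenGigabitEthernet": 10000}

# Constructed sample configuration, following the syntax shown on this page.
SAMPLE = """\
monitor session 1 source interface GigabitEthernet1/0/1 both
monitor session 1 destination interface GigabitEthernet1/0/24
monitor session 2 source interface GigabitEthernet1/0/1 - 10 rx
monitor session 2 destination interface TenGigabitEthernet1/1/1 encapsulation replicate
"""

LINE = re.compile(r"monitor session (\d+) (source|destination) interface (.+)")
PORT = re.compile(r"([A-Za-z]+)([\d/]*?)(\d+)(?:\s*-\s*(\d+))?$")

def expand(spec):
    """Expand 'X1/0/1 - 3 , X1/0/7' into individual port names."""
    ports = []
    for item in spec.split(","):
        kind, prefix, first, last = PORT.match(item.strip()).groups()
        ports += [f"{kind}{prefix}{n}" for n in range(int(first), int(last or first) + 1)]
    return ports

def audit(config):
    """Return {session: (worst-case mirrored Mb/s, destination Mb/s, oversubscribed)}."""
    load, dest = defaultdict(int), {}
    for m in map(LINE.match, config.splitlines()):
        if not m:
            continue
        session, role, rest = int(m[1]), m[2], m[3].strip()
        if role == "destination":
            dest[session] = SPEED[re.match(r"[A-Za-z]+", rest)[0]]
            continue
        # Direction defaults to both; a full-duplex port mirrored in both
        # directions can offer up to twice its line rate to the destination.
        d = re.search(r"\s(both|rx|tx)$", rest)
        factor = 1 if d and d[1] != "both" else 2
        for port in expand(rest[:d.start()] if d else rest):
            load[session] += factor * SPEED[re.match(r"[A-Za-z]+", port)[0]]
    return {s: (load[s], dest.get(s, 0), load[s] > dest.get(s, 0)) for s in load}

if __name__ == "__main__":
    for session, (offered, capacity, over) in audit(SAMPLE).items():
        print(f"session {session}: {offered} Mb/s offered, {capacity} Mb/s destination, oversubscribed={over}")
```

Session 1 in the sample is flagged because a 1 Gb/s source mirrored in both directions can exceed a 1 Gb/s destination, while session 2 fits because ten rx-only gigabit sources match a 10 Gb/s collector port at worst case.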
Multi-Cloud Comparison
| Feature | Cisco SPAN | AWS VPC Traffic Mirroring | Azure VNet TAP | GCP Packet Mirroring |
|---|---|---|---|---|
| Source selection | Interface or VLAN | ENI (Elastic Network Interface) | VM NIC | VPC subnet or VM instance |
| Destination | Physical port | NLB or a second ENI | Network Virtual Appliance (NVA) | Internal TCP/UDP collector |
| Direction filter | rx/tx/both | Ingress, egress, or both | Both (rx/tx not configurable) | Ingress, egress, or both |
| Packet modification | encapsulation replicate | VXLAN encapsulation required | VXLAN with GRE | VXLAN encapsulation |
| Billing | No extra cost | Per GB mirrored | Per TAP session | Per GB mirrored |
Frequently Asked Questions
What is the difference between monitor session source interface and monitor session source vlan in Cisco SPAN?
Answer: source interface mirrors a single port; source vlan mirrors all traffic in that VLAN. Both support rx, tx, or both directions.
! Source interface example
monitor session 1 source interface GigabitEthernet1/0/1 both
! Source VLAN example
monitor session 1 source vlan 100 both
When should I use the encapsulation replicate flag in an ERSPAN destination on a Cisco router?
Answer: Use encapsulation replicate to preserve the original source MAC and VLAN tags in the GRE header; omit it to use the router’s own MAC. Essential for forensics tools expecting unmodified L2 headers.
! Enables MAC/VLAN replication
monitor session 1 type erspan-source
destination
ip address 10.1.1.2
encapsulation replicate
How do I fix a Cisco SPAN destination port that enters err-disabled state immediately after configuration?
Answer: Enable spanning-tree portfast trunk on the destination port and disable BPDU guard: no spanning-tree bpduguard enable. Then recover the port with shutdown / no shutdown before reconfiguring the SPAN session.
interface GigabitEthernet1/0/2
no shutdown
spanning-tree portfast trunk
no spanning-tree bpduguard enable
monitor session 1 destination interface Gi1/0/2
Does ERSPAN work on AWS VPC Traffic Mirroring for multi‑cloud network analysis?
Answer: No. AWS uses VXLAN‑encapsulated traffic mirror sessions, not ERSPAN. For native ERSPAN, use physical Cisco devices or virtual routers (e.g., Cisco Cloud Services Router).
# AWS CLI example for traffic mirror session
# (trailing backslashes continue the single command across lines)
aws ec2 create-traffic-mirror-session \
  --network-interface-id eni-0abcdef1234567890 \
  --traffic-mirror-target-id tmt-0123456789abcdef0 \
  --traffic-mirror-filter-id tmf-0123456789abcdef0 \
  --session-number 1
What is the fastest way to set up a local SPAN session on a Cisco Catalyst 9300 switch using a single port direction?
Answer: Execute two commands: monitor session 1 source interface Gi1/0/1 tx and monitor session 1 destination interface Gi1/0/2. Verify with show monitor session 1.
configure terminal
monitor session 1 source interface Gi1/0/1 tx
monitor session 1 destination interface Gi1/0/2
end
show monitor session 1

Command Line Expert & Software Engineer
Welcome! I’m Thomas Heinrich, a software engineer and system administrator with a deep passion for the Command Line Interface (CLI). With years of experience navigating the terminal, building backend architectures, and automating server deployments, I created this space to share practical, real-world terminal knowledge.