Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

SPAN on 2950's

Unanswered Question
Mar 21st, 2003
User Badges:

I'm wanting to monitor incoming and outgoing traffic and am having some trouble.

Both the port needing to be monitored port(source) and the port w/ the sniffer on it(destination) are on the same vlan on a 2950-48. After reading up on SPAN and having done something similar on a 1900 and 2924 switch I configured SPAN with the following commands:

monitor session 1 source interface FastEthernet0/4

monitor session 1 destination interface FastEthernet0/7

Afterwards the sniffer on fa0/7 was down. Only after I read the below url


Did I find that destination SPAN ports can't forward normal traffic - so basically if you have a sniffer/traffic analizer on that port you loose the ability to communication w/ that device remotely.

Is it just me or is that totally unacceptable.........

On the trusty 2924 you'd just configure a monitor port like so..

conf t

inter fa0/7

port monitor FastEthernet0/4

then all traffic going in or out of fa0/4 would be forwarded to fa0/7 AND you'd be able to communicate with the device on fa0/7.

What happened that this isn't allowed anymore??? I need remote access to this traffic analizer while its doing its job. However I can't do that w/ my 2950-48 but I could do the job with the older 2924?

What gives??? This seems like a step backwards to me...

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
t.baranski Sat, 03/22/2003 - 14:46
User Badges:
  • Bronze, 100 points or more

While it's always good to have options, I'll note that it's generally best practice to put a sniffing interface in "stealth mode" (i.e., no IP address) and use a second interface on the sniffing device as the admin interface (with an IP address, connected to another port on the same switch). This prevents your TELNET/SSH/VNC/etc connection from being slowed down (or maybe stopped altogether) when the amount of traffic flowing through the SPAN port is high


This Discussion