Switched Port Analyzer (SPAN) is a feature that allows traffic to be replicated to a port from a specified source. The traffic to be replicated can be from physical ports, virtual ports, or VLANs, but you cannot mix source types within a single SPAN session. The most common reason for SPAN to be employed is for packet capture. If you need to capture the traffic on VLAN 10, for example, you can't just plug a sniffer on a port in that VLAN, as the switch will only forward packets destined for the sniffer. However, enabling SPAN with the VLAN as the source, and the sniffer's port as the destination, will cause all traffic on the VLAN to be sent to the sniffer. SPAN is also commonly deployed when Intrusion Detection Systems (IDSs) are added to a network. IDS devices need to read all packets in one or more VLANs, and SPAN can be used to get the packets to the IDS devices.

Using Remote Switched Port Analyzer (RSPAN), you can even send packets to another switch. RSPAN can be useful in data centers where a packet-capture device is permanently installed on one of many interconnected switches. With RSPAN, you can capture packets on switches other than the one with the sniffer attached. (RSPAN configuration details are provided later in this section.)

SPAN is configured with the monitor command. You can have more than one SPAN session, each identified with a session number:

3750(config)#monitor session 1 ? destination SPAN destination interface or VLAN filter SPAN filter source SPAN source ...