Can a span/mirror port be configured to transmit and receive data?

Posted on 2012-08-24
Last Modified: 2012-08-26
Websense documentation mentions that only one port needs to be used on their appliance if the premise switch supports bidirectional spanning. That way monitoring and blocking can both be done on the same interface.

Are there switches that allow a port to be the destination port of a span/mirror and still send/xmit data?

I don't think Cisco will but I have found conflicting statements on the web:

"The Catalyst 2950 and 3550 Switches can forward traffic on a destination SPAN port in Cisco IOS Software Release 12.1(13)EA1 and later."

"When you configure a switch port as a SPAN destination port, it is no longer a normal switch port; only monitored traffic passes through the SPAN destination port. "

If Cisco does not support this feature are there any other brands that do?
Question by: Dragon0x40
    LVL 38

    Assisted Solution

    by:Rich Rumble
    Depends on the switch, but by default you need "inpkts enable" to enable the span port to send/receive as a normal port. But this only works if you have an IP set on the device that is listening to the span port.

    Author Comment

    Thanks Rich. After searching for "inpkts enable" it seems that is the correct command to enable inbound packets with the legacy CatOS, but the newer Cisco IOS uses the "ingress vlan x" command. The Websense appliance would be connected to the destination port to examine all traffic, would need an IP address configured, and would also be used to send TCP resets into the destination span port.

    SPAN with INGRESS associated with the destination command (e.g. monitor session 1 dst int fa0/24 ingress vlan 146).

    When Cisco docs say "If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2.", I ask: what is the reason for allowing this? I read a small blurb about letting a security device send a TCP Reset to a received/sensed attack.

    maybe "ingress vlan X" is the command that I am looking for?

    Switch(config)# monitor session 1 destination interface fastethernet 5/48 encapsulation dot1q ingress vlan 7
    With this configuration, traffic from SPAN sources associated with session 1 would be copied out of interface Fast Ethernet 5/48, with 802.1q encapsulation. Incoming traffic would be accepted and switched, with untagged packets being classified into VLAN 7.
    LVL 38

    Accepted Solution

    Yes, that is correct, I was not sure what equipment you had.

    monitor session 1 source vlan 7 rx
    monitor session 1 destination int fa5/48 ingress vlan 7

    I don't recall (and I don't have it configured) using encapsulation; I use several different vendors and equipment that send RST packets (WAF/IPS).
    LVL 16

    Assisted Solution

    by:Aaron Street
    Yes, while you can't have standard communication over a span port, you can allow the monitoring station to send data to the network (ingress).

    As you have mentioned, the reason for this is so the monitoring station can react to the data it is monitoring.

    For example, if you have something like a Websense device inspecting the traffic on the span port, looking at the HTTP/HTTPS traffic for web pages such as porn or gambling, when it sees one it needs a way to block the traffic.

    As it is not inline it can't directly block the traffic, so what it does is send a TCP reset packet to both ends of the connection. This causes both end stations to close the open connection, so it breaks the link. It is basically a denial of service attack against the end stations, but in this case a controlled one.

    So in short, you can send into the network from a monitored port (if configured), but you can't set up a session between the monitoring station and other devices. For management of the monitoring station you need a second connection into the network over a standard network port.
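As an added example (not part of the thread or any vendor's code), the following Python audit reads IOS "monitor session" lines of the form discussed above and reports which SPAN destination ports have ingress enabled, i.e. which monitoring ports are allowed to push frames such as TCP resets back into the network. The config fragment is constructed for the demo; session 1 mirrors the Catalyst command quoted earlier.

```python
# Constructed sample of "show running-config | include monitor session" output.
SAMPLE_CONFIG = """\
monitor session 1 source vlan 7 rx
monitor session 1 destination interface fastethernet 5/48 encapsulation dot1q ingress vlan 7
monitor session 2 source interface gigabitethernet 1/0/1 both
monitor session 2 destination interface gigabitethernet 1/0/24
"""

# Keywords that may follow the interface name on a destination line.
DEST_OPTIONS = {"encapsulation", "ingress"}


def parse_monitor_sessions(config_text):
    """Return {session_id: {"sources", "destination", "ingress", "ingress_vlan"}}."""
    sessions = {}
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:2] != ["monitor", "session"] or len(tokens) < 4:
            continue
        sess = sessions.setdefault(int(tokens[2]), {
            "sources": [], "destination": None, "ingress": False, "ingress_vlan": None})
        if tokens[3] == "source":
            sess["sources"].append(" ".join(tokens[4:]))
        elif tokens[3] == "destination" and tokens[4:5] == ["interface"]:
            rest = tokens[5:]
            intf = []
            # Interface names may be one token ("fa5/48") or two ("fastethernet 5/48").
            while rest and rest[0] not in DEST_OPTIONS:
                intf.append(rest.pop(0))
            sess["destination"] = " ".join(intf)
            if "ingress" in rest:
                sess["ingress"] = True
                i = rest.index("ingress")
                # Forms seen on IOS: "ingress vlan N", "ingress dot1q vlan N",
                # "ingress untagged vlan N"; all carry the VLAN after "vlan".
                if "vlan" in rest[i:]:
                    sess["ingress_vlan"] = int(rest[rest.index("vlan", i) + 1])
    return sessions


def ingress_enabled_sessions(config_text):
    """IDs of SPAN sessions whose destination port also accepts ingress traffic."""
    return sorted(sid for sid, s in parse_monitor_sessions(config_text).items()
                  if s["ingress"])


if __name__ == "__main__":
    for sid, s in parse_monitor_sessions(SAMPLE_CONFIG).items():
        print(sid, s)
    print("sessions allowing ingress:", ingress_enabled_sessions(SAMPLE_CONFIG))
```

Any session listed by ingress_enabled_sessions should correspond to a device that is meant to inject (an IPS or a Websense-style appliance); an unexpected entry means a plain capture port can also talk to the VLAN.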
