SPAN destination port with ingress keyword

Hi guys,

I am having a hard time to fully understand the concept of "ingress traffic forwarding" on span destination ports. After quiet some searching I have found the following:


"Destination port characteristics:
• When it is active, incoming traffic is disabled. The port does not transmit any traffic except that  required for the SPAN session. Incoming traffic is never learned or forwarded on a destination port.
• If ingress traffic forwarding is enabled for a network security device, the destination port forwards traffic at Layer 2."


Question: Does that mean that the destination port will act as any other L2 port (trunk or access) while also receiving the mirrored traffic from the SPAN source ?

If this is the case I am wondering, what happens when the SPAN source is vlan X and the span desitnation interface has ingress traffic forwarding enabled and it is acting as an access port on vlan X !

I am also wondering what Cisco means when saying above "ingress traffic forwarding is enabled for a network security device". Are they maybe referring to some common behaviour of such devices where traffic is not sent bidirectionally or something ?


I really appreciate any help here since i am kind of stuck on this topic  ...


  • Hi,

       1. All configurations done on a SPAN destination port are ignored.

       2. By default, no incoming traffic is allowed from a SPAN destination port and makes complete sense, if you think about network taps; however, if you have a smarter device that can send TCP resets, like an IPS, you can configure the switch to allow inbound traffic, tagged or untagged and tell it to which VLAN to associate the untagged traffic.



  • Hi Cristian,

    Thanks a lot.That was my understanding as well but i had my doubts..
    But basically this mean that i can have any type of device - not necessarily a security device that behaves the way you described.. right? I could for example have a server that i am using for sniffing/monitoring traffic but via that same link i can actually connect it to the network (eg. vlan 20) with the below config and have it communicating with other devices on the same Vlan bidirectionally..

    monitor session 1 source vlan 10
    monitor session 1 destination interface Fa0/5 ingress dot1q vlan 20

    Question: Can you confirm?


    monitor session 1 source vlan 10
    monitor session 1 destination interface Fa0/5 ingress dot1q vlan 10

    Question: I guess the parser will not prevent someone from pasting in the config above but it will result in frames getting looped I guess.. right? If my understanding is correct, then we should be sure we place devices connecting in such destination ports to a different vlan than the one the SPAN session is monitoring (if it is monitoring a vlan).


Sign In or Register to comment.