How to Extend Local Span Through Multiple Intermediate Switches to a Sniffer That is Multiple Switch Hops Away Without Using RSPAN.

Chart Description automatically generated

  1. Connect one additional switch in the network that supports the local span configuration.
  2. Do a local span on the access layer switches.

    E.g.: config on S31 Switch:

    monitor session 1 source vlan 71 - 72 both

    monitor session 1 destination interface Gi1/0/33

  3. Connect span ports of access layer switches to the additional switch.
  4. Choose vlan’s that are not used in the network & configure on the additional switch.

    E.g.: config on the additional switch:

    Interface Gi1/0/1

    Switchport access vlan 81

    Switchport mode access

    Spanning-tree bpdufilter enable 

    Interface Gi1/0/2

    Switchport access vlan 82

    Switchport mode access

    Spanning-tree bpdufilter enable

  5. Do a local span on the additional switch.

    E.g.:

    monitor session 1 source interface Gi1/0/1 – 4 both

    monitor session 1 destination interface Gi1/0/5

    Or 

    monitor session 1 source vlan 81-84 rx 

    monitor session 1 destination interface Gi1/0/5 

  6. Connect the span port of the additional switch to the NPS sniffing interface.

This technique can be used to pass through multiple intermediate switches, with each switch configured similarly to the extra switch introduced in this diagram.
This mechanism of chaining multiple switches with local spans can terminate into a switch that supports RSPAN, and from there onwards, the RSPAN documentation can be used to bring the span traffic to PS.

 

 

© 2026 Qualys, Inc. All rights reserved. Privacy Policy. Last updated: March, 2026