Hi

Yes I know you cannot have local SPAN and RSPAN sent to the same destination interface, trying that is also met with an error message. If you read my post you'll see that's not what I'm trying to do.

My receiving device only has one "sniffer" interface and thus I wish the 9300 to send local VLANs to a RSPAN in one session and then receive that RSPAN in another session and send it to an interface. This config isn't met with any error message but I don't see any traffic on the receiving device. Just for reference, this config works on the switch. But, of course, it only captures traffic local to the switch.

monitor session 1 source vlan 11 - 12 , 400 - 403 , 550 - 551 , 555 - 557 , 560 - 570

monitor session 1 destination interface Te1/0/26

OK @hoffa2000 

So, the issue you're facing stems from trying to use a single SPAN session to capture both local VLAN traffic and remote RSPAN traffic on the same destination interface...

While this cannot be done directly, the solution is to split the task into two separate SPAN sessions. In the first session, you'll configure local VLANs (like VLAN 11-12, 400-403, etc.) to be sent to a designated RSPAN VLAN (such as VLAN 999). In the second session, you capture traffic from the remote RSPAN VLAN (VLAN 999) and send it to your sniffer interface.

To implement this, Session 1 will forward the local VLAN traffic to the RSPAN VLAN, and Session 2 will capture that traffic from the RSPAN VLAN and send it to the sniffer interface. This configuration ensures you can collect traffic from both local VLANs and remote VLANs via RSPAN, without causing conflicts.

! Session 1: Capture local VLAN traffic and send to RSPAN VLAN 999
monitor session 1 source vlan 11-12, 400-403, 550-551, 555-557, 560-570
monitor session 1 destination remote vlan 999

! Session 2: Capture RSPAN VLAN 999 traffic on the sniffer interface
monitor session 2 source remote vlan 999
monitor session 2 destination interface Te1/0/26

This approach should resolve your issue by ensuring that local VLAN traffic is forwarded to an RSPAN VLAN in the first session, while the second session is dedicated to capturing that RSPAN traffic on your sniffer interface.

Please note that sometimes technical explanations might get a little bit mixed due to language borders, but I hope this clarifies the steps for you and configurations proposals can sometimes involve nuances in interpretation.

Hello M02@rt37 
looking at it you have two remote spans session (either switch) and then a additional session to mirror that traffic from from that RSPAN vlan to a physical port - elegant solution! -be interested if it works mate..

I just have something in my mind that local span cannot copy rspan and vice versa...maybe i getting confused 

It should be a clever workaround, and if it works, it adds flexibility to such configurations. Still, you're absolutely right to have some reservations, as network behavior often depends on subtle specifics of platform and firmware... I hope to test that today but impossible right now.

Theoretically, this setup adheres to the rules because you're not trying to merge local SPAN and RSPAN traffic into a single session, but rather chaining them logically through the RSPAN VLAN as an intermediary.

The part you're questioning—that local SPAN cannot copy RSPAN and vice versa—is indeed a valid concern if misunderstood. A local SPAN session directly targeting an RSPAN VLAN as a source or destination would not work because the mechanisms are distinct...

Hello M02@rt37 
i guess also being mindful of duplication for traffic between sources switched or routed - same traffic would be sent twice to the destination

If there are overlapping VLANs or routed traffic between the VLANs in the local SPAN and the RSPAN sessions, the same traffic may be mirrored twice—once in the local SPAN session and again in the RSPAN session. This can lead to duplicate packets being sent to the sniffer interface, which could skew monitoring results unless properly filtered or deduplicated.

Also, Depending on the volume of traffic being mirrored, this configuration could place a significant burden on the switch's resources. SPAN and RSPAN are not hardware-accelerated on many platforms and may impact performance, especially if mirroring high-traffic VLANs.

From what I've seen this design doesn't work. The receiving device isn't seeing any traffic from the local switch.

The monitor session 1 part is working. Traffic is seen from other switches but the monitor session 2 part is not working.

monitor session 1 source remote vlan 999
monitor session 1 destination interface Te1/0/26

monitor session 2 source vlan 11 - 12 , 400 - 403 , 550 - 551 , 555 - 557 , 560 - 570
monitor session 2 destination remote vlan 999