We have a 3550XL switch with software version 12.1(22) and the gigabit interface is a VLAN trunk to the core switch. All ports on this switch are in the same VLAN (VLAN 100) including the destination (monitoring) port. I would like to monitor all the traffic from all the ports on this switch or on the VLAN not really sure which. After reading the article below on SPAN I'm confused as to which commands I should use in order to monitor the traffic on all the ports or just the VLAN; the destination port is port f0/35. If it makes a difference I'm not interested in the tagging information.

I greatly appreciate any assistance with which commands I should use to accomplish the monitoring.

Jeff

http://www.cisco.com/en/US/docs/switches/lan/catalyst3550/software/release/12.1_19_ea1/configuration/guide/swspan.html#wp1078789

luismg, thanks for the help as that was the solution especially with the 'rx' variable as testing with new switches they support the 'both' variable and this one did not.

Jeff

Either using tx or rx will have the same result because a vlan is a software interface, I tried wireshark and is the same, it considers all traffic same send and receive.

Kind regards

luismg, thanks for the help.

jeff

Don´t forget that there is a diference in RX and TX.
RX has the following beahvior:

"For Receive (RX) SPAN, the goal is to deliver all traffic received to the SPAN destination. As
a result, each frame to be transported across a SPAN connection is copied and sent before any
modification (for example, VACL or ACL filtering, QoS modification, or even ingress or
egress policing).
For Transmit (TX) SPAN, all relevant filtering or modification by ACLs, VACLs, QoS, or
policing actions are taken before the switch forwards the traffic to the SPAN/RSPAN
destination. As a result, not all transmit traffic necessarily makes it to a SPAN destination.
Also, the frames that are delivered do not necessarily match the original frames exactly,
depending on policies applied before they are forwarded to the SPAN destination."
In Cisco Press CCIE R&S Exam Certification Study guide v.4

So if you want to monitor the traffic before modification, such as QOS, ACLs, etc, configure for RX.
If you want to monitor the layer 2 frames, such as DTP, VTP, BPDUs, PagP, use the command (encapsulation replicate).
For example a configuration of SPAN where you monitor the traffic:
- received in fa0/1
- sent on fa0/12
- sent and received in fa0/13 (trunk mode, default to both rx and tx)
- filter vlan 1,2,3,4,5,6 and 110
- destination fa0/24 and mantaining the encapsulation from the interfaces.

sw3# config term
sw3(config)# monitor session 1 source interface fa0/1 rx
sw3(config)# monitor session 1 source interface fa0/12 tx
sw3(config)# monitor session 1 source interface fa0/13
sw3(config)# monitor session 1 filter vlan 1 - 6 , 110
sw3(config)# monitor session 1 destination interface fa0/24 encapsulation replicate

For your example configure for the Vlan 100, because every port that you add or remove will be monitored or not. Don´t forget that various ports being monitored can overload your monitored port. Take care if you think to make RSPAN with a fastethernet trunk. Some commands differ from IOS versions and Switchs.

Cheers