Configure traffic mirroring with an encapsulated remote switched port analyzer (ERSPAN)
This article is one in a series of articles describing the deployment path for OT monitoring with Microsoft Defender for IoT.
This article provides high-level guidance for configuring traffic mirroring with ERSPAN. Specific implementation details vary depending on your equipment vendor.
We recommend using your receiving router as the generic routing encapsulation (GRE) tunnel destination.
Before you start, make sure that you understand your plan for network monitoring with Defender for IoT, and the SPAN ports you want to configure.
For more information, see Traffic mirroring methods for OT monitoring.
Sample configuration on a Cisco switch
The following code shows a sample ifconfig output for ERSPAN configured on a Cisco switch:

```
monitor session 1 type erspan-source
  description ERSPAN to D4IoT
  erspan-id 32                         # required, # between 1-1023
  vrf default                          # required
  destination ip 220.127.116.11        # IP address of destination
  source interface port-channel1 both  # Port(s) to be sniffed
  filter vlan 1                        # limit VLAN(s) (optional)
  no shut                              # enable

monitor erspan origin ip-address 18.104.22.168 global
```
For more information, see CLI command reference from OT network sensors.
Validate traffic mirroring
After configuring traffic mirroring, try to obtain a sample of recorded traffic (a PCAP file) from the switch SPAN or mirror port.
A sample PCAP file will help you:
- Validate the switch configuration
- Confirm that the traffic going through your switch is relevant for monitoring
- Identify the bandwidth and an estimated number of devices detected by the switch
Use a network protocol analyzer application, such as Wireshark, to record a sample PCAP file for a few minutes. For example, connect a laptop to a port where you've configured traffic monitoring.
Check that unicast packets are present in the recorded traffic. Unicast traffic is traffic sent from one address to another.
If most of the traffic is ARP messages, your traffic mirroring configuration isn't correct.
Verify that your OT protocols are present in the analyzed traffic.
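The checks above can be scripted against the capture. The following Python script is an added example, not code from this article or from Defender for IoT: it strips the GRE/ERSPAN Type II encapsulation that a laptop on the mirror port sees, keeps only frames carrying the expected ERSPAN ID (32, as in the sample switch configuration), and then reports whether unicast traffic is present, whether ARP dominates, and which OT protocols appear. The OT port map and the sample frames are constructed assumptions for illustration; a real run would feed it frames read from the PCAP.

```python
import struct
from collections import Counter

OT_TCP_PORTS = {502: "Modbus/TCP", 44818: "EtherNet/IP", 20000: "DNP3"}  # assumed OT port map

def decap_erspan(frame):  # -> (erspan_id, inner_frame) for Ethernet/IPv4/GRE/ERSPAN Type II, else None
    if len(frame) < 38 or struct.unpack("!H", frame[12:14])[0] != 0x0800 or frame[23] != 47:
        return None                                      # outer frame is not IPv4 carrying GRE
    gre = frame[14 + (frame[14] & 0x0F) * 4:]
    flags, proto = struct.unpack("!HH", gre[:4])
    if proto != 0x88BE:                                  # GRE protocol type for ERSPAN Type II
        return None
    off = 4 + (4 if flags & 0x1000 else 0)               # ERSPAN II sets the GRE S bit (sequence number)
    session = struct.unpack("!H", gre[off + 2:off + 4])[0] & 0x3FF  # low 10 bits = ERSPAN session ID
    return session, gre[off + 8:]                        # skip the 8-byte ERSPAN II header

def classify(inner):  # -> (cast, protocol) for an inner Ethernet frame
    cast = "broadcast/multicast" if inner[0] & 1 else "unicast"  # I/G bit of the destination MAC
    etype = struct.unpack("!H", inner[12:14])[0]
    if etype == 0x0806:
        return cast, "ARP"
    if etype == 0x0800 and inner[23] == 6:               # IPv4/TCP: match either port against OT ports
        ports = struct.unpack("!HH", inner[14 + (inner[14] & 0x0F) * 4:][:4])
        return cast, next((OT_TCP_PORTS[p] for p in ports if p in OT_TCP_PORTS), "TCP other")
    return cast, "other"

def summarize(frames, expected_id=32):
    """Apply the checks from the text: unicast present, not mostly ARP, OT protocols seen."""
    hits = [h for h in map(decap_erspan, frames) if h and h[0] == expected_id]
    c = Counter(tag for h in hits for tag in classify(h[1]))
    c["dropped"] = len(frames) - len(hits)               # not ERSPAN, or a different session ID
    total = c["unicast"] + c["broadcast/multicast"]
    return {"counts": dict(c), "unicast_present": c["unicast"] > 0,
            "mostly_arp": total > 0 and c["ARP"] * 2 > total,
            "ot_protocols": sorted(p for p in OT_TCP_PORTS.values() if c[p])}

# Constructed sample frames (not a real capture): ERSPAN ID 32 wrapping one Modbus/TCP and one ARP frame.
def _ipv4(proto, plen, src, dst):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + plen, 0, 0, 64, proto, 0, src, dst)

def erspan_wrap(inner, session=32):
    hdr = struct.pack("!HHI", 0x1000, 0x88BE, 1) + struct.pack("!HHI", 0x1001, session, 0)
    return (bytes.fromhex("020000000002" "020000000001" "0800")
            + _ipv4(47, len(hdr) + len(inner), b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02") + hdr + inner)

MODBUS = (bytes.fromhex("001122334455" "00aabbccddee" "0800") + _ipv4(6, 20, b"\x0a\x01\x01\x05", b"\x0a\x01\x01\x09")
          + struct.pack("!HHIIBBHHH", 50000, 502, 0, 0, 0x50, 0x18, 8192, 0, 0))
ARP = bytes.fromhex("ffffffffffff" "00aabbccddee" "0806") + bytes(28)
SAMPLE = [erspan_wrap(MODBUS), erspan_wrap(ARP), erspan_wrap(MODBUS, session=7)]
```

Running `summarize(SAMPLE)` on the constructed frames reports unicast present, ARP not dominant, Modbus/TCP seen, and one frame dropped for carrying a session ID other than 32; a capture that is mostly ARP or shows no OT protocol indicates the mirror configuration needs rechecking.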
Configure ERSPAN on your OT network sensor
After deploying your sensor, make sure to configure ERSPAN settings on the Interface configurations page. For more information, see:
- In the deployment wizard GUI: Define the interfaces you want to monitor
- In the OT sensor system settings: Update a sensor's monitoring interfaces (configure ERSPAN)