Edit

Configure traffic mirroring with an encapsulated remote switched port analyzer (ERSPAN)

  • Article

This article is one in a series of articles describing the deployment path for OT monitoring with Microsoft Defender for IoT.

Diagram of a progress bar with Network level deployment highlighted.

This article provides high-level guidance for configuring traffic mirroring with ERSPAN. Specific implementation details vary depending on your equipment vendor.

We recommend using your receiving router as the generic routing encapsulation (GRE) tunnel destination.

Prerequisites

Before you start, make sure that you understand your plan for network monitoring with Defender for IoT, and the SPAN ports you want to configure.

For more information, see Traffic mirroring methods for OT monitoring.

Sample configuration on a Cisco switch

The following code shows a sample ifconfig output for ERSPAN configured on a Cisco switch:

monitor session 1 type erspan-source
description ERSPAN to D4IoT
erspan-id 32                              # required, # between 1-1023
vrf default                               # required
destination ip 172.1.2.3                  # IP address of destination
source interface port-channel1 both       # Port(s) to be sniffed
filter vlan 1                             # limit VLAN(s) (optional)
no shut                                   # enable

monitor erspan origin ip-address 172.1.2.1 global

For more information, see CLI command reference from OT network sensors.

Validate traffic mirroring

After configuring traffic mirroring, make an attempt to receive a sample of recorded traffic (PCAP file) from the switch SPAN or mirror port.

A sample PCAP file will help you:

  • Validate the switch configuration
  • Confirm that the traffic going through your switch is relevant for monitoring
  • Identify the bandwidth and an estimated number of devices detected by the switch

  1. Use a network protocol analyzer application, such as Wireshark, to record a sample PCAP file for a few minutes. For example, connect a laptop to a port where you've configured traffic monitoring.

  2. Check that Unicast packets are present in the recording traffic. Unicast traffic is traffic sent from address to another.

    If most of the traffic is ARP messages, your traffic mirroring configuration isn't correct.

  3. Verify that your OT protocols are present in the analyzed traffic.

    For example:

    Screenshot of Wireshark validation.

Configure ERSPAN on your OT network sensor

After deploying your sensor, make sure to configure ERSPAN settings on the Interface configurations page. For more information, see:

For example:

Screenshot of how to configure ERSPAN settings in the OT sensor settings.

Next steps

« Onboard OT sensors to Defender for IoT

Provision OT sensors for cloud management »