Configure traffic mirroring with a Remote SPAN (RSPAN) port
This article is one in a series of articles describing the deployment path for OT monitoring with Microsoft Defender for IoT.
This article describes a sample procedure for configuring RSPAN on a Cisco 2960 switch with 24 ports running IOS.
Important
This article is intended only as guidance and not as instructions. Mirror ports on other Cisco operating systems and other switch brands are configured differently. For more information, see your switch documentation.
Prerequisites
Before you start, make sure that you understand your plan for network monitoring with Defender for IoT, and the SPAN ports you want to configure.
For more information, see Traffic mirroring methods for OT monitoring.
RSPAN requires a specific VLAN to carry the monitored SPAN traffic between switches. Before you start, make sure that your switch supports RSPAN.
Make sure that the mirroring option on your switch is turned off.
Make sure that the remote VLAN is allowed on the trunked port between the source and destination switches.
Make sure that all switches connecting to the same RSPAN session are from the same vendor.
Make sure that the trunk port sharing the same remote VLAN between switches isn't already defined as a mirror session source port.
The remote VLAN increases the bandwidth on the trunked port by the amount of traffic being mirrored from the source session. Make sure that your switch's trunk port can support the increased bandwidth.
Caution
An increased bandwidth, whether due to large amounts of throughput or a large number of switches, can cause a switch to fail and therefore to bring down the entire network. When configuring traffic mirroring with RSPAN, make sure to consider the following:
- The number of access / distribution switches that you configure with RSPAN.
- The correlating throughput for the remote VLAN on each switch.
Configure the source switch
On your source switch:
Enter
global configuration
mode and create a new, dedicated VLAN.Identify your new VLAN as the RSPAN VLAN, and then return to
configure terminal
mode.Configure all 24 ports as session sources.
Configure the RSPAN VLAN to be the session destination.
Return to the privileged
EXEC
mode and verify the port mirroring configuration.
Configure the destination switch
On your destination switch:
Enter
global configuration
mode, and configure the RSPAN VLAN to be the session source.Configure physical port 24 to be the session destination.
Return to privileged
EXEC
mode and verify the port mirroring configuration.Save the configuration.
Validate traffic mirroring
After configuring traffic mirroring, make an attempt to receive a sample of recorded traffic (PCAP file) from the switch SPAN or mirror port.
A sample PCAP file will help you:
- Validate the switch configuration
- Confirm that the traffic going through your switch is relevant for monitoring
- Identify the bandwidth and an estimated number of devices detected by the switch
Use a network protocol analyzer application, such as Wireshark, to record a sample PCAP file for a few minutes. For example, connect a laptop to a port where you've configured traffic monitoring.
Check that Unicast packets are present in the recording traffic. Unicast traffic is traffic sent from address to another.
If most of the traffic is ARP messages, your traffic mirroring configuration isn't correct.
Verify that your OT protocols are present in the analyzed traffic.
For example: