Configuring AWS Port Mirroring
You can configure AWS mirroring to monitor traffic from a single mirrored port. You must configure the mirror port on AWS before you configure Stellar Cyber.
To configure AWS port mirroring:

1. Configure traffic mirroring on AWS. Take note of:
   - The VXLAN UDP port number (4789 is the default AWS port)
   - The VNI, which is the VXLAN ID
   - Limitations on the instance types supported for traffic mirroring

   When you configure AWS:
   - Keep the mirror source and target in the same VPC.
   - Per the AWS traffic mirroring instructions, you must create a traffic mirror filter with one or more traffic mirror rules to define the traffic to be mirrored. You cannot leave the traffic mirror filter empty.
   - When you create the Traffic Mirror Filter, do not choose any network services.
   - The Traffic Mirror Target must be Network Interface.
   - The Traffic Mirror Session target must be the data sensor interface.
   - The Traffic Mirror Session number must be 1.
   - Leave the Traffic Mirror Session Packet Length at the default value.
   - Do not mirror to an interface running DPDK.
   - Ensure that your configuration does not create a loop within AWS.
   - Do not mirror from a source host that sends traffic directly to a destination interface, as the data sensor might get duplicate traffic.

2. Log in to Stellar Cyber.

3. Go to System | Collection | Sensors. The Sensor List is displayed.

4. Click for the data sensor you want to send the traffic to. The Edit Data Sensor Parameters window is displayed.

5. Enable AWS Mirror. The additional fields are displayed.

6. Enter the Physical Ethernet Port index number. You can find this by using the `show vtep` command on the sensor.

7. Enter the VXLAN UDP port number from AWS.

8. Enter the VNI, which is the VXLAN ID you configured in AWS.

9. Click Submit. The parameters are immediately updated.
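The two values the sensor must agree with AWS on are the VXLAN UDP port and the VNI. The following added example (not Stellar Cyber's or AWS's code) decodes the outer Ethernet/IPv4/UDP/VXLAN headers of a mirrored frame and reports any mismatch against the values entered on the sensor; the sample frame, its VNI of 100 and its addresses are constructed for illustration.

```python
import struct

VXLAN_FLAG_VNI_VALID = 0x08  # "I" bit in the VXLAN header (RFC 7348)


def build_vxlan_frame(vni: int, udp_dst_port: int, inner: bytes) -> bytes:
    """Fabricate an outer Ethernet/IPv4/UDP/VXLAN frame around `inner` (sample input only; checksums zero)."""
    vxlan = bytes([VXLAN_FLAG_VNI_VALID, 0, 0, 0]) + vni.to_bytes(3, "big") + b"\x00"
    udp_len = 8 + len(vxlan) + len(inner)
    udp = struct.pack("!HHHH", 49152, udp_dst_port, udp_len, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     bytes([10, 0, 1, 10]), bytes([10, 0, 1, 20]))  # constructed addresses
    eth = b"\x02" * 6 + b"\x02" * 6 + b"\x08\x00"  # constructed MACs, EtherType IPv4
    return eth + ip + udp + vxlan + inner


def parse_vxlan(frame: bytes):
    """Return (udp_dst_port, vni, inner_frame); raise ValueError if not well-formed VXLAN."""
    if len(frame) < 14 + 20 + 8 + 8 + 14:
        raise ValueError("frame too short for Ethernet/IPv4/UDP/VXLAN/Ethernet")
    if struct.unpack("!H", frame[12:14])[0] != 0x0800:
        raise ValueError("outer frame is not IPv4")
    ihl = (frame[14] & 0x0F) * 4           # IPv4 header length in bytes
    if frame[14 + 9] != 17:
        raise ValueError("outer packet is not UDP")
    udp = 14 + ihl
    dst_port = struct.unpack("!H", frame[udp + 2:udp + 4])[0]
    vx = udp + 8                           # VXLAN header follows the 8-byte UDP header
    if not frame[vx] & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set; VNI field is not valid")
    vni = int.from_bytes(frame[vx + 4:vx + 7], "big")  # 24-bit VNI, then 1 reserved byte
    return dst_port, vni, frame[vx + 8:]


def check_mirror(frame: bytes, expected_port: int, expected_vni: int) -> list:
    """Compare the frame's UDP port and VNI with the sensor settings; empty list means they agree."""
    port, vni, _inner = parse_vxlan(frame)
    problems = []
    if port != expected_port:
        problems.append(f"UDP port {port} != configured {expected_port}")
    if vni != expected_vni:
        problems.append(f"VNI {vni} != configured {expected_vni}")
    return problems


# Constructed sample: a mirrored frame carrying VNI 100 on the default AWS port 4789.
INNER = b"\x02" * 12 + b"\x08\x00" + b"\x00" * 20
SAMPLE = build_vxlan_frame(100, 4789, INNER)
```

Feed `check_mirror` frames captured on the sensor's physical Ethernet port to confirm that the session created in AWS is arriving with the port and VNI you entered in step 7 and step 8.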