Internet of Things (IoT) and Industrial IoT (IIoT)


Forum to discuss the HPE Aruba Networking Edge Service Platform and all associated products and solutions for any type of IoT or IIoT application. Included are IoT technology partners (eg. EnOcean, Microsoft, and Zebra) and IIOT technology partners (eg. ABB and Siemens)

OT Security

  • 1.  OT Security

    Posted Jun 12, 2021 12:12 AM
    Hi, I want to implement ClearPass Device Insight or a competitive solution which relies on packets being taken from access switches using the port mirror feature. The customer has deployed Dynamic Segmentation in his network. Is it possible to enable port mirroring on switchports which are part of Dynamic Segmentation PUTN? If yes, am I going to get meaningful information through the mirrored packets, as the port is participating in a PUTN tunnel?




    ------------------------------
    Pradyut Mohapatra
    ------------------------------


  • 2.  RE: OT Security

    Posted Jun 13, 2021 03:06 PM
    Why don't you just mirror the controller port?

    ------------------------------
    Ricardo Duarte
    ------------------------------



  • 3.  RE: OT Security

    EMPLOYEE
    Posted Jun 17, 2021 11:11 AM
    I would indeed mirror at the controller if you are tunneling the traffic anyway... but since, at the port level, a port that does UBT looks exactly the same as a normal access port, I don't see why you can't port-mirror the traffic.

    However, what you probably would want to do is put a mirror on the uplink of your switch, or on the downlink of your core/aggregation; there it could be that you see GRE-encapsulated traffic, and it may just be easier to mirror from the controller. To make your life easier, separate the VLAN/port that holds the GRE-tunneled traffic from the VLANs that hold the client traffic on a different port, so you can easily include only the client traffic and you don't need to filter out the tunnel traffic.

    ------------------------------
    Herman Robers
    ------------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------
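An added example (not from this thread, and not Aruba's own code) of what the GRE point above means for a collector: a frame mirrored from the switch uplink carries only switch and controller addresses until it is decapsulated, whereas the same frame mirrored at the access port or on a client-traffic VLAN at the controller shows the client directly. It assumes GRE protocol type 0x6558 (transparent Ethernet bridging) as a stand-in for the UBT tunnel framing, and all frames and addresses are constructed.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
IPPROTO_GRE = 47
GRE_PROTO_TEB = 0x6558  # transparent Ethernet bridging; assumed stand-in for UBT framing


def mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_ethernet(frame: bytes):
    """Return (dst MAC, src MAC, EtherType, payload) of an untagged Ethernet frame."""
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return mac(dst), mac(src), etype, frame[14:]


def strip_gre(frame: bytes):
    """Return the inner Ethernet frame if this is Ethernet/IPv4/GRE(TEB), else None."""
    _, _, etype, payload = parse_ethernet(frame)
    if etype != ETHERTYPE_IPV4 or len(payload) < 20:
        return None
    ihl = (payload[0] & 0x0F) * 4          # IPv4 header length in bytes
    if payload[9] != IPPROTO_GRE or len(payload) < ihl + 4:
        return None
    gre = payload[ihl:]
    flags, gre_proto = struct.unpack("!HH", gre[:4])
    if gre_proto != GRE_PROTO_TEB:
        return None
    hdr_len = 4                            # base GRE header (RFC 2784/2890)
    hdr_len += 4 if flags & 0x8000 else 0  # checksum + reserved present
    hdr_len += 4 if flags & 0x2000 else 0  # key present
    hdr_len += 4 if flags & 0x1000 else 0  # sequence number present
    return gre[hdr_len:]


def client_endpoints(frame: bytes) -> dict:
    """What a collector must do before it can attribute a flow: decapsulate if tunneled."""
    inner = strip_gre(frame)
    dst, src, etype, _ = parse_ethernet(frame if inner is None else inner)
    return {"tunneled": inner is not None, "src": src, "dst": dst, "ethertype": etype}


def gre_wrap(inner: bytes, src_ip: bytes, dst_ip: bytes) -> bytes:
    """Constructed switch(0b..)-to-controller(0a..) GRE frame around `inner`; IP checksum left 0."""
    outer_eth = bytes.fromhex("0a0a0a0a0a0a") + bytes.fromhex("0b0b0b0b0b0b") + b"\x08\x00"
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 24 + len(inner), 0, 0, 64, IPPROTO_GRE, 0, src_ip, dst_ip)
    return outer_eth + ip_hdr + struct.pack("!HH", 0, GRE_PROTO_TEB) + inner


# Constructed sample: an OT client frame (aa:bb:cc:dd:ee:01 -> 00:11:22:33:44:55, IPv4 payload)
# as seen on the access port, and the same frame as the uplink carries it inside the GRE tunnel.
CLIENT_FRAME = bytes.fromhex("001122334455aabbccddee010800") + b"\x45" + bytes(19)
TUNNELED_FRAME = gre_wrap(CLIENT_FRAME, bytes([10, 1, 1, 10]), bytes([10, 1, 1, 1]))
```

Feeding `TUNNELED_FRAME` to a collector that does not decapsulate would attribute every OT flow to the switch and controller addresses, which is why the advice above is to mirror the client VLAN rather than the tunnel port.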



  • 4.  RE: OT Security

    Posted Jun 17, 2021 11:28 PM
    Hi Herman, 
    It's a large campus and the connectivity from the core switch to the controller is multiple 10G. Will it not impact the performance of the controller if I enable mirroring on the interfaces?

    However, I am concerned more about getting the data on the mirror port irrespective of whether I enable it on the switch or the controller. AFAIK the traffic is inside the GRE tunnel from the access port of the switch up to the controller interface, so how would taking mirrored packets from either side help?

    I could not fully understand when you mentioned creating a separate VLAN in your mail. Can you elaborate on it?

    Sent from my mobile!





  • 5.  RE: OT Security

    EMPLOYEE
    Posted Jun 21, 2021 08:34 AM
    In general, the OT traffic is not that much, whereas other traffic can be large volumes. The amount of traffic you send to the collector is relevant, not the size of the links. If you only use 1 or 2 Gbps on the 10 Gbps link, there are collectors that can handle that.

    What I meant with splitting out the VLANs, is if you want to just monitor your OT VLANs, put those on a separate interface on the controller (separate from other traffic, and separate from the incoming tunnel traffic), so you can mirror that port from your switch (or controller if you have spare ports, but I would prefer mirror from the switch) and just have the 'interesting traffic'.

    In case you have a packet broker installed, you can leverage that to filter only the interesting traffic, and leave high bandwidth flows like file-backups out of what is sent to the collector to limit the volume.

    ------------------------------
    Herman Robers
    ------------------------------