AWN1000 10G Sensor - Mirroring DeploymentUpdated Nov 13, 2023
You can deploy an AWN1000 10G Sensor with port mirroring.
The AWN1000 10G Sensor is an external network device that allows you to monitor network traffic. When the sensor is deployed with port mirroring, a switch sends a copy of all network packets that are seen on one port to another port.
This image provides a simplified network map of a sensor with mirroring deployment:
|A||AWN1000 10G Sensor with mirroring deployment|
|B||Management port network connection|
Verify that these items are in the box from Arctic Wolf®:
An AWN1000 Sensor with 10G card
Note: Your sensor has a tamper-evident asset ID: AWN-12XXXXXX. Contact your Concierge Security® Team at email@example.com if the asset ID is missing or was tampered with.
Three CAT6 RJ45 Ethernet cables, 2m
A crossover RJ45 Ethernet cable (red), 2m - Use only if needed
Two passive 10G Twinax cables with an SFP+ transceiver installed on each end, 2m — If 10G Twinax was ordered
Two LC-LC OM4 multi-mode fiber, duplex, jumper cables (aqua), 1m — If 10G Fiber was ordered
Two CAT6A Ethernet cables, 2m — If 10G Copper was ordered
Two SFP+ copper RJ45 30m optical transceiver modules — If 10G Copper was ordered
Two AC30 US power cords, 2m
A set of rack ears - Use only if needed
A set of rack rails
Add all necessary IP addresses, ports, and services to your allowlist for full AWN1000 10G Sensor functionality.
Tip: To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Sensors.
If you rate-limit the AWN1000 10G Sensor with Quality of Service (QoS), remove this for best performance.
If your firewall provides SSL/TLS inspection, do not perform this inspection on the AWN1000 10G Sensor management IP address.
If you are using an application proxy or layer 7 filter on your firewall, allow outbound traffic over OpenVPN for the AWN1000 10G Sensor management IP address.
- Set up a customer-configured appliance.
- Install the hardware.
- Connect the sensor for mirroring deployment.
Note: This step only applies if you selected customer-configured appliance on your onboarding form.
See Set up a customer-configured appliance for more information.
Install the sensor in the applicable rack location.
If needed, use the provided rack ears or rails.
Using a CAT6 RJ45 Ethernet cable, connect the management port on the sensor to the outbound connection on your network switch.
Using the two AC30 US power cords, connect the power connectors on the sensor to a power source.
Turn on the sensor power.
The power LED is green when the sensor power is on.
Ping the management IP address that you provided to Arctic Wolf to check network connectivity.
Make sure the sensor is connected to the Arctic Wolf monitoring service:
Install the drivers for your sensor.
See Console session drivers for all other appliances for more information.
Connect to the serial console.
See Connect to the serial console for more information.
View the sensor connectivity status.
See View the current configuration and connectivity status for more information.
If you cannot successfully complete these steps, contact your CST at firstname.lastname@example.org.
Configure up to four 10G and eight 1G ports as mirror ports on your switch.
See the configuration instructions provided by your network switch manufacturer for more information:
- Cisco Catalyst 4500 Series switch
- Cisco Meraki MS switch
- Dell Networking Force10 switch
- Juniper EX Series switch
- Hewlett Packard Enterprise (HPE) ProCurve switch
Note: You can configure four 10G mirror ports and eight 1G mirror ports, but the aggregate throughput of all ports cannot exceed 10G.
Create a 10G mirror port connection. Using the appropriate cable and port for your sensor type, connect LAN0 on the sensor to a mirror port on your network switch:
- 10G copper — Use a CAT6A Ethernet cable.
- 10G Twinax — Use a passive 10G Twinax cables with an SFP+ transceiver installed on each end.
- 10G fiber — Use an LC-LC short range multi-mode fiber cable.
(Optional) Create an additional 10G mirror port connection. Repeat the previous step with port LAN1, LAN2, or LAN3.
(Optional) Create 1G mirror port connections. Using a CAT6 RJ45 Ethernet cable, connect any of these ports on the sensor to a mirror port on your network switch:
Note: When connecting multiple RJ45 mirroring interfaces from the same switch to a sensor, make sure that the mirroring interfaces do not connect to the same bridge pair.
The bridge pairs for this sensor are LAN4 and LAN5, LAN6 and LAN7, LAN8 and LAN9, LAN10 and LAN11.
If you are configuring optional layer 3 mirroring, contact your CST at email@example.com. Include this information:
LAN<ID>, IP address, and netmask of the optional LAN interface.
- TCP/IP port, if the default port (4789) is not used for a VXLAN environment.
- Confirmation that the management IP address and
LAN<ID>IP address are not on the same subnet.
Contact your CST at firstname.lastname@example.org to confirm that Arctic Wolf is seeing your network traffic.
You can configure optional layer 3 mirroring on the sensor to receive network traffic from a remote IP address to the AWN Sensor through LAN 1. This configuration allows a sensor to be deployed anywhere that supports Encapsulated Remote Switched Port Analyzer (ERSPAN).
Note: For physical sensors, the management port IP address and
lan<ID> IP address cannot be on the same subnet.
This optional configuration requires assigning a static IP address to
lan<ID> for a physical sensor or
lan0 for a virtual sensor. The sensor does not support DHCP or DHCP reservation for the LAN IP address. Contact your CST at email@example.com to configure this option.
Use these diagrams to identify the components of the AWN1000 10G Sensor:
Tip: Orange callouts show mandatory connections.
Front of sensor - 10G Twinax
Front of sensor - 10G copper
This sensor has four SFP+ RJ45 10GB Copper 30m transceivers preinstalled.
Front of sensor - 10G fiber
This sensor has four multimode SR optical transceivers preinstalled.
Back of sensor
|Callout||Sensor component||Port configuration||Cable used||Connected to|
|A||Console port (RJ45)||-||-||-|
|B||Port 1: LAN0||10G mirror||
|C||Port 3: LAN1||10G mirror||
||(Optional) Network switch|
|D||Management port||-||CAT6 RJ45 Ethernet cable||Network switch|
|E||LAN4||1G mirror||CAT6 RJ45 Ethernet cable||(Optional) Network switch|
|F||LAN5||1G mirror||CAT6 RJ45 Ethernet cable||(Optional) Network switch|
|G||LAN6||1G mirror||CAT6 RJ45 Ethernet cable*||(Optional) Network switch|
|H||LAN7||1G mirror||CAT6 RJ45 Ethernet cable*||(Optional) Network switch|
|K||HDD activity LED||-||-||-|
|M||USB 3.0 port (1 of 2)||-||-||-|
|N||Port 2: LAN2||10G mirror||
||(Optional) Network switch|
|O||Port 4: LAN3||10G mirror||
||(Optional) Network switch|
|P||Console port (mini USB)||-||-||-|
|Q||LAN8||1G mirror||CAT6 RJ45 Ethernet cable*||(Optional) Network switch|
|R||LAN9||1G mirror||CAT6 RJ45 Ethernet cable*||(Optional) Network switch|
|S||LAN10||1G mirror||CAT6 RJ45 Ethernet cable*||(Optional) Network switch|
|T||LAN11||1G mirror||CAT6 RJ45 Ethernet cable*||(Optional) Network switch|
|W||Alarm mute button||-||-||-|
|Y||Power connector||-||AC30 US power cord||Power source|
|Z||Power connector||-||AC30 US power cord||Power source|
*This cable is not provided by Arctic Wolf.