Deploy an AWN201 10G Sensor with port mirroring

The AWN201 10G Sensor is an external network device that allows you to monitor network traffic. When the sensor is deployed with port mirroring, a switch sends a copy of all network packets that are seen on one port to another port.

This image provides a simplified network map of a sensor with mirroring deployment:

Before you begin

• Verify that you received the following items from Arctic Wolf:

  • AWN201 Sensor with 10G card

    Note: Your sensor has a tamper-evident asset ID: AWN-12XXXXXX. Contact security@arcticwolf.com if the asset ID is missing or was tampered with.

  • Three CAT6 RJ45 Ethernet cables, 2m

  • Crossover RJ45 Ethernet cable (red), 2m — Use only if needed

  • Two passive 10G Twinax cables with an SFP+ transceiver installed on each end, 2m — If 10G Twinax was ordered

  • Two LC-LC OM4 multi-mode fiber, duplex, jumper cables (aqua), 1m — If 10G Fiber was ordered

  • Two CAT6A Ethernet cables, 2m — If 10G Copper was ordered

  • Two SFP+ copper RJ45 30m optical transceiver modules — If 10G Copper was ordered

  • AC30 US power cord, 2m

  • Set of rack ears — Use only if needed

• Add all necessary IP addresses, ports, and services to your allowlist for full AWN201 10G Sensor functionality.

  Tip: To see the complete list of IP addresses that you must allowlist, go to the Arctic Wolf Unified Portal, and then click Help > Allowlist Requirements. The IP addresses that must be allowlisted are listed under Sensors.

• If you rate-limit the AWN201 10G Sensor with Quality of Service (QoS), remove this for best performance.

• If your firewall provides SSL/TLS inspection, do not perform this inspection on the AWN201 10G Sensor management IP address.

• If you are using an application proxy or layer 7 filter on your firewall, allow outbound traffic over OpenVPN for the AWN201 10G Sensor management IP address.

Steps

1. Set up a customer-configured appliance.
2. Install the hardware.
3. Connect the sensor for mirroring deployment.

Step 1: Set up a customer-configured appliance

See Set up a customer-configured appliance for additional information.

Step 2: Install the hardware

1. Install the sensor in the applicable rack location.

   If necessary, use the provided rack ears.

2. Using a CAT6 RJ45 Ethernet cable, connect the management port (port 7) on the sensor to the outbound connection on your network switch.

3. Using the AC30 US power cord, connect the power connector on the sensor to a power source.

4. Turn on the sensor power.

   The Power LED is green when the sensor power is on.

5. Ping the management IP address that you provided to Arctic Wolf to check network connectivity.

6. Wait 15 minutes, and then make sure the Status LED is green. This shows that the sensor is connected to the Arctic Wolf monitoring service.

7. If you cannot successfully complete these steps, email security@arcticwolf.com.

Step 3: Connect the sensor for mirroring deployment

1. Configure up to two 10G and seven 1G ports on your network switch as mirror ports.

   See the setup instructions provided by your network switch manufacturer for more information:

   • Cisco Catalyst 4500 Series switch
   • Cisco Meraki MS switch
   • Dell Networking Force10 switch
   • Juniper EX Series switch
   • Hewlett Packard Enterprise (HPE) ProCurve switch

2. Create a 10G mirror port connection. Using the appropriate cable for your sensor type, connect the LAN0 port on the sensor to a mirror port on your network switch:

   • 10G copper — CAT6A Ethernet cable.
   • 10G Twinax — Passive 10G Twinax cables with an SFP+ transceiver installed on each end.
   • 10G fiber — LC-LC short range multi-mode fiber cable.

3. (Optional) Create an additional 10G mirror port connection. Repeat the previous step using LAN1.

4. (Optional) Create one or more 1G mirror port connections. Using a CAT6 RJ45 Ethernet cable, connect any of the following ports on the sensor to a mirror port on your network switch:

   • Port 6 (LAN2)
   • Port 5 (LAN3)
   • Port 4 (LAN4)
   • Port 3 (LAN5)
   • Port 2 (LAN6)
   • Port 1 (LAN7)
   • Port 0 (LAN8)

5. If you are configuring optional layer 3 mirroring, email security@arcticwolf.com with the following information:

   • LAN<ID>, IP address, and netmask of the optional LAN interface.
   • TCP/IP port, if the default port (4789) is not used for a VXLAN environment.
   • Confirmation that the management IP address and LAN<ID> IP address are not on the same subnet.

   See Configure optional layer 3 mirroring for more information.

6. Email security@arcticwolf.com to confirm that Arctic Wolf is seeing your network traffic.

Configure optional layer 3 mirroring

You can configure optional layer 3 mirroring on the sensor to receive network traffic from a remote IP address to the AWN Sensor through LAN 1. This configuration allows a sensor to be deployed anywhere that supports Encapsulated Remote Switched Port Analyzer (ERSPAN).

This optional configuration requires assigning a static IP address to lan<ID> for a physical sensor or lan0 for a virtual sensor. The sensor does not support DHCP or DHCP reservation for the LAN IP address. Contact your Concierge Security Team® (CST) or security@arcticwolf.com to configure this option.

AWN201 10G Sensor components

Use these diagrams to identify the components of the AWN201 10G Sensor:

Front of sensor - 10G copper or 10G Twinax

Front of sensor - 10G fiber

Back of sensor

*This cable is not provided by Arctic Wolf.