| title | Configure a monitoring interface using a Hyper-V vSwitch - Microsoft Defender for IoT |
|---|---|
| description | This article describes traffic mirroring with a Hyper-V vSwitch for OT monitoring with Microsoft Defender for IoT. |
| ms.date | 03/14/2024 |
| ms.topic | install-set-up-deploy |
This article is one in a series of articles describing the deployment path for OT monitoring with Microsoft Defender for IoT.
:::image type="content" source="../media/deployment-paths/progress-network-level-deployment.png" alt-text="Diagram of a progress bar with Network level deployment highlighted." border="false" lightbox="../media/deployment-paths/progress-network-level-deployment.png":::
This article describes how to use Promiscuous mode in a Hyper-V Vswitch environment as a workaround for configuring traffic mirroring, similar to a SPAN port. A SPAN port on your switch mirrors local traffic from interfaces on the switch to a different interface on the same switch.
For more information, see Traffic mirroring with virtual switches.
Before you start:
-
Make sure that you understand your plan for network monitoring with Defender for IoT, and the SPAN ports you want to configure.
For more information, see Traffic mirroring methods for OT monitoring.
-
Ensure that there's no instance of a virtual appliance running.
-
Make sure that you've enabled Ensure SPAN on your virtual switch's data port, and not the management port.
-
Ensure that the data port SPAN configuration isn't configured with an IP address.
New-VMSwitch -Name vSwitch_Span -NetAdapterName Ethernet -AllowManagementOS:$trueWhere:
| Parameter | Description |
|---|---|
| vSwitch_Span | Newly added SPAN virtual switch name |
| Ethernet | Physical adapter name |
Learn how to Create and configure a virtual switch with Hyper-V
-
Open the Virtual Switch Manager.
-
In the Virtual switches list, select New virtual network switch > External as the dedicated spanned network adapter type.
:::image type="content" source="../media/tutorial-install-components/new-virtual-network.png" alt-text="Screenshot of selecting new virtual network and external before creating the virtual switch.":::
-
Select Create Virtual Switch.
-
In the Connection type area, select External network and ensure that the Allow management operating system to share this network adapter option is selected. For example:
:::image type="content" source="../media/tutorial-install-components/external-network.png" alt-text="Screenshot of the External network option.":::
-
Select OK.
Use Windows PowerShell or Hyper-V Manager to attach a SPAN virtual interface to the virtual switch you created earlier.
If you use PowerShell, define the name of the newly added adapter hardware as Monitor. If you use Hyper-V Manager, the name of the newly added adapter hardware is set to Network Adapter.
-
Select the newly added SPAN virtual switch you created earlier, and run the following command to add a new network adapter:
ADD-VMNetworkAdapter -VMName VK-C1000V-LongRunning-650 -Name Monitor -SwitchName vSwitch_Span
-
Enable port mirroring for the selected interface as the span destination with the following command:
Get-VMNetworkAdapter -VMName VK-C1000V-LongRunning-650 | ? Name -eq Monitor | Set-VMNetworkAdapter -PortMirroring Destination
Where:
Parameter Description VK-C1000V-LongRunning-650 CPPM VA name vSwitch_Span Newly added SPAN virtual switch name Monitor Newly added adapter name -
When you're done, select OK.
-
Under the Hyper-V Manager's Hardware list, select Network Adapter.
-
In the Virtual switch field, select vSwitch_Span.
:::image type="content" source="../media/tutorial-install-components/vswitch-span.png" alt-text="Screenshot of selecting the following options on the virtual switch screen.":::
-
In the Hardware list, under the Network Adapter drop-down list, select Advanced Features. Under the Port Mirroring section, select Destination as the mirroring mode for the new virtual interface.
:::image type="content" source="../media/tutorial-install-components/destination.png" alt-text="Screenshot of the selections needed to configure mirroring mode.":::
-
Select OK.
Turn on support for Microsoft NDIS Capture Extensions for the virtual switch you created earlier.
To enable Microsoft NDIS capture extensions for your new virtual switch:
Enable-VMSwitchExtension -VMSwitchName vSwitch_Span -Name "Microsoft NDIS Capture"Turn on support for Microsoft NDIS Capture Extensions for the virtual switch you created earlier.
To enable Microsoft NDIS capture extensions for your new virtual switch:
-
Open the Virtual Switch Manager on the Hyper-V host.
-
In the Virtual Switches list, expand the virtual switch name
vSwitch_Spanand select Extensions. -
In the Switch Extensions field, select Microsoft NDIS Capture.
:::image type="content" source="../media/tutorial-install-components/microsoft-ndis.png" alt-text="Screenshot of enabling the Microsoft NDIS by selecting it from the switch extensions menu.":::
-
Select OK.
Configure the mirroring mode on the virtual switch you created earlier so that the external port is defined as the mirroring source. This includes configuring the Hyper-V virtual switch (vSwitch_Span) to forward any traffic that comes to the external source port to a virtual network adapter configured as the destination.
To set the virtual switch's external port as the source mirror mode, run:
$ExtPortFeature=Get-VMSystemSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings"
$ExtPortFeature.SettingData.MonitorMode=2
Add-VMSwitchExtensionPortFeature -ExternalPort -SwitchName vSwitch_Span -VMSwitchExtensionFeature $ExtPortFeatureWhere:
| Parameter | Description |
|---|---|
| vSwitch_Span | Name of the virtual switch you created earlier |
| MonitorMode=2 | Source |
| MonitorMode=1 | Destination |
| MonitorMode=0 | None |
To verify the monitoring mode status, run:
Get-VMSwitchExtensionPortFeature -FeatureName "Ethernet Switch Port Security Settings" -SwitchName vSwitch_Span -ExternalPort | select -ExpandProperty SettingData| Parameter | Description |
|---|---|
| vSwitch_Span | Newly added SPAN virtual switch name |
If the mirrored traffic is VLAN tagged, configure the Monitor adapter of the VM to accept traffic from the mirrored VLAN(s).
Use this PowerShell command to enable the Monitor adapter of the VM to accept the monitored traffic from different VLANs:
Set-VMNetworkAdapterVlan -VMName VK-C1000V-LongRunning-650 -VMNetworkAdapterName Monitor -Trunk -AllowedVlanIdList 1010-1020 -NativeVlanId 10Where:
| Parameter | Description |
|---|---|
| VK-C1000V-LongRunning-650 | CPPM VA name |
| 1010-1020 | VLAN range from which IoT traffic is mirrored |
| 10 | Native VLAN ID of the environment |
Learn more about the Set-VMNetworkAdapterVlan PowerShell cmdlet.
[!INCLUDE validate-traffic-mirroring]
[!div class="step-by-step"] « Onboard OT sensors to Defender for IoT
[!div class="step-by-step"] Provision OT sensors for cloud management »