USM Anywhere™

Configure USM Anywhere to Receive ERSPAN Traffic

Encapsulated Remote Switched Port Analyzer (ERSPAN) is a traffic mirroring method that enables the mirrored traffic to be encapsulated in Generic Routing Encapsulation (GRE).

ERSPAN is only available on Cisco Nexus switches, newer Cisco Catalyst 6500s, Cisco Aggregation Services Router (ASR) routers, and other similar Cisco devices.

To enable an ERSPAN interface in your USM Anywhere Sensor

  1. Open your virtualization management console and connect to the USM Anywhere Sensor Virtual Machine (VM).

    Alternatively, you can open an SSH session to the sensor VM. When using an SSH session, the default username is sysadmin.

    Important: If you are accessing a Microsoft Azure Sensor through SSH and you specified a username other than the default (sysadmin) for SSH access for the sensor VM, you must use the following commands at the command line to "sudo up" and access the sensor console:

    # sudo su –
    # su sysadmin

  2. From the System Menu, select Network Configuration and press Enter.
  3. Click Configure ERSPAN Interface.
  4. Enter the IP address for this interface.
  5. ERSPAN must use your sensor's eth1 IP address for its interface. If your sensor's eth1 is already used by another resource, you must reconfigure that resource to use eth2 or eth3.
  6. Click OK.
  7. Enter a netmask range for this configuration.
  8. When setting up this netmask, ensure that it does not conflict with the settings for eth0 and the admin interface netmask. If both interfaces are in the same subnet, AT&T Cybersecurity recommends that you use for this netmask instead.
  9. Click OK.
  10. Once you receive confirmation that the ERSPAN interface has been enabled, refer to the Configuring ERSPAN section of the vendor website to continue the configuration.

    Once your ERSPAN interface has been configured, remember to restart your USM Anywhere Sensor.