USM Anywhere™

Configure USM Anywhere to Receive ERSPAN Traffic

Encapsulated Remote Switched Port Analyzer (ERSPAN) is a traffic mirroring method that enables the mirrored traffic to be encapsulated in Generic Routing Encapsulation (GRE). USM Anywhere supports ERSPAN on its Hyper-V Sensor and VMware Sensor, but it is only available for Cisco Nexus switches, newer Cisco Catalyst 6500s, Cisco Aggregation Services Router (ASR) routers, and other similar Cisco devices.

To enable ERSPAN in your Hyper-V or VMware Sensor

  1. Open your virtualization management console and connect to the USM Anywhere Sensor virtual machine (VM).

    Alternatively, you can open an SSH session to the sensor VM. When using an SSH session, the default username is sysadmin.

  2. From the system menu, select Network Configuration and press Enter.
  3. Select Configure ERSPAN Interface and press Enter.
  4. Enter the IP address for this interface.
  5. Note: ERSPAN must use your sensor's eth1 IP address for its interface. If your sensor's eth1 is already used by another resource, you must reconfigure that resource to use eth2 or eth3.

  6. Select OK and press Enter.
  7. Enter a netmask range for this configuration.
  8. Important: When setting up this netmask, ensure that it does not conflict with the settings for eth0 and the admin interface netmask. If both interfaces are in the same subnet, AT&T Cybersecurity recommends that you use for this netmask instead.

  9. Select OK and press Enter
  10. After you receive confirmation that the ERSPAN interface has been enabled, refer to the Configuring ERSPAN section of the vendor website to continue the configuration.

    Once your ERSPAN interface has been configured, remember to restart your USM Anywhere Sensor.