Encapsulated Remote Switched Port Analyzer (ERSPAN) is a traffic mirroring method that enables the mirrored traffic to be encapsulated in Generic Routing Encapsulation (GRE). USM Anywhere supports ERSPAN on its Hyper-V Sensor and VMware Sensor, and although successful testing was only done on newer Cisco devices, it should work with other modern ERSPAN device manufacturers.

To enable ERSPAN in your Hyper-V or VMware Sensor

1. Open your virtualization management console and connect to the USM Anywhere Sensor virtual machine (VM).

   Alternatively, you can open an SSH session to the sensor VM. When using an SSH session, the default username is sysadmin.

2. From the system menu, select Network Configuration and press Enter.
3. Select Configure SPAN Interface and press Enter.
4. Select Enable SPAN Interface and press Enter.
5. Enter the IP address for this interface.

Note: ERSPAN must use your sensor's eth1 IP address for its interface. If your sensor's eth1 is already used by another resource, you must reconfigure that resource to use eth2 or eth3.

6. Select OK and press Enter.
7. Enter a netmask range for this configuration.

Important: When setting up this netmask, ensure that it does not conflict with the settings for eth0 and the admin interface netmask. If both interfaces are in the same subnet, AT&T Cybersecurity recommends that you use 255.255.255.255 for this netmask instead.

8. Select OK and press Enter.

9. After you receive confirmation that the ERSPAN interface has been enabled, refer to the Configuring ERSPAN section of the vendor website to continue the configuration.