Cisco Stealthwatch Learning Network License UCS E-Series Server Quick Start Guide, Version 1.1
Cisco Stealthwatch Learning Network License Quick Start Guide 2
Learning Network License Introduction 2
Installing the Learning Network License System 2
Installation Prerequisites 3
Controller Deployment 17
NTP Configuration 29
NetFlow Configuration 30
Agent Deployment to a UCS E-Series Blade Server 33
Agent Configuration Overview 36
Controller and Agent Communications Overview 40
Initial Learning Phase Overview 48
Next Steps 49
For Assistance 49
Revised: November 23, 2016
Cisco Stealthwatch Learning Network License Quick Start Guide
The following details essential information on deploying and configuring your Cisco Stealthwatch Learning Network License system.
Learning Network License Introduction
The Learning Network License system is a hyper-distributed analytics architecture that inspects your network traffic and applies machine learning algorithms to perform a behavioral analysis. As a result, the system can identify anomalous behavior, such as malware, distributed botnets, data exfiltration, and more.
You deploy multiple agents to your network edge to inspect traffic. These agents report the anomalies in real time to the controller for additional system and user analysis. Based on the anomalies, you can provide relevance feedback, which the system incorporates into internal traffic models. This allows the system to better identify and report anomalies of interest.
You can also configure mitigations based on anomaly properties, such as hosts involved and application traffic transferred. These mitigations reduce or eliminate the impact of detected anomalies now and in the future. The combination of behavioral analysis, user feedback, and traffic mitigation customizes the system to address the threats specific to your network and better protect your users.
Installing the Learning Network License System
The following provides a high-level overview of installing the Learning Network License system.
Procedure
Step 1 Ensure your ISRs support installing the Learning Network License system, have the proper licenses, and have an installed UCS E-Series blade server running an ESXi host. See Installation Prerequisites, on page 3 for more information.
Step 2 Deploy a separate ESXi host to run the controller. See Controller Host Requirements, on page 6 for more information.
Step 3 Download the agent and controller OVA files at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html. See Downloading the OVA Files from Cisco, on page 16 for more information.
Step 4 Deploy the controller to the ESXi host using vSphere Client. Power on the virtual machine, and log into the controller VM console using the default administrator username (sln) and default administrator password (cisco). See Controller Deployment, on page 17 for more information.
Step 5 Run the setup-system setup script from the controller command line. Follow the script prompts to configure the network connection and NTP servers, and to generate public key certificates. Verify your NTP configuration from the controller VM console. See Configuring the Controller with the Setup Script, on page 26 and Verifying NTP Configuration on the Controller, on page 29 for more information.
Step 6 Update the sca.conf controller configuration file to configure public key certificate management settings, then restart the controller processes. See Updating the Controller Configuration, on page 43 and Restarting Controller Processes, on page 44 for more information.
Step 7 Configure NTP servers and Flexible NetFlow on your ISR. See NTP Configuration, on page 29 and Configuring NetFlow, on page 32 for more information.
Step 8 Configure additional virtual switches on the UCS E-Series blade server ESXi host, using the vmnic0 and vmnic1 physical adaptors. See Configuring Virtual Switches, on page 33 for more information.
Step 9 Verify your UCS E-Series blade server configuration. See UCS E-Series Blade Server Deployment, on page 34 for more information.
Step 10 Deploy the agent to an ISR running a UCS E-Series blade server with an ESXi host. See Deploying the OVA File, on page 35 for more information.
Step 11 Log into the agent VM console and configure network settings. See Configuring an Agent with the Setup Script, on page 36 for more information.
Step 12 Run the agent administrator script to manage public key certificate trust settings, then restart the agent's processes. See Agent Administrator Settings, on page 41 for more information.
Step 13 Run the controller administrator script to trust the agent public key certificates. See Controller Certificate Management, on page 43 for more information.
Step 14 Log into the controller web UI with your administrator credentials. Register your controller with Smart Licensing. From the controller VM console, restart the controller's processes. See Registering the Controller Instance, on page 45 and Restarting the Controller Processes, on page 46 for more information.
Step 15 Log into the controller web UI, then manage and configure your agents with the controller as described in Controller Management of Agents, on page 46.
Step 16 Allow the system an initial learning phase to create a baseline model of your network traffic. See Initial Learning Phase Overview, on page 48 for more information.
Installation Prerequisites
When you deploy the Learning Network License system, obtain or configure the following:
• open ports for system functionality
• an ESXi host for the controller
• an ISR with a UCS E-Series blade server to run the agent
• the proper licensing for your ISR
• the controller and agent OVA files
Communication Ports
Learning Network License requires several open ports for functionality, to allow communication between the controller and agents, and to allow users to access the controller UI. If a firewall or other security appliance sits between the controller and agents, or between the user and the controller, open these ports.
The following diagram illustrates this system functionality.
Figure 1: System Functionality Requiring Open Ports
• Users, such as system administrators, can log into the controller web UI and log into agents over SSH.
• The controller sends information, such as mitigations, to the agent, and contacts NTP servers to synchronize time.
• The agent sends information, such as anomalies, log files, configuration files, and PCAP files, to the controller, and contacts NTP servers to synchronize time.
The following diagram illustrates the open ports and directionality. See Table 1: Default Communication Ports for Learning Network License Features and Operation, on page 5 for more information on these ports.
Figure 2: Open Ports for System Functionality
Table 1: Default Communication Ports for Learning Network License Features and Operation

Port 22/TCP (SSH/SCP)
  To: transfer log files and configuration files
  Is open for any: IP associated with the controller; Management IP associated with the agent
  Direction: outbound from the agent eth0 interface Management IP, inbound to the controller IP

Port 22/TCP (SSH)
  To: optionally enable remote access to the agent shell
  Is open for any: host IP that wants to SSH login to the agent
  Direction: outbound from the host IP, inbound to the agent eth0 interface Management IP

Port 22/TCP (SSH)
  To: optionally enable SSH login to the controller
  Is open for any: host IP that wants to SSH login to the controller
  Direction: inbound from the host IP to the controller IP

Port 123/UDP (NTP)
  To: synchronize time
  Is open for any: IP associated with the controller
  Direction: outbound from the controller IP to an external NTP server

Port 123/UDP (NTP)
  To: synchronize time
  Is open for any: IP associated with the agent
  Direction: outbound from the agent eth0 interface Management IP when deployed to a UCS E-Series blade server

Port 443/TCP (HTTPS)
  To: access the controller UI
  Is open for any: host IP that wants to access the controller UI
  Direction: inbound from the user IP to the controller IP

Port 9091/TCP (TLS)
  To: allow the controller to communicate with the agent
  Is open for any: IP associated with the controller
  Direction: outbound from the controller IP to the agent eth0 interface Management IP

Port 9092/TCP (packet buffer capture (PBC))
  To: enable PBC
  Is open for any: IP associated with the controller
  Direction: outbound from the controller IP to the agent eth0 interface Management IP
Learning Network License and Licensing
To properly deploy your Learning Network License system, you must obtain the proper IOS licenses for your ISRs, as well as the proper Smart Licenses for Learning Network License.
To run an agent on an ISR, you must activate an IP Base (ipbasek9) IOS license, and a Data (datak9) or AppX (appxk9) IOS license. See http://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html for more information on activating the licenses.
You must also obtain the appropriate Smart License entitlement for each controller and agent you deploy.
Table 2: Smart License Entitlement Types

Learning Network License Component: controller
  License Entitlement and Description: L-SW-SCA-K9 - SCA Virtual Manager
  Associated File Downloads and Description: sln-sca-k9-<ver>.ova - single controller OVA

Learning Network License Component: agent installed on a UCS E-Series blade server
  License Entitlement and Description: L-SW-LN-UCS-1Y-K9 - Cisco Stealthwatch Learning Network License for UCS Series 1 Yr Term
  Associated File Downloads and Description: sln-dla-ucse-k9-<ver>.ova - agent deployed to a UCS E-Series blade server

Learning Network License Component: agent installed on a UCS E-Series blade server
  License Entitlement and Description: L-SW-LN-UCS-3Y-K9 - Cisco Stealthwatch Learning Network License for UCS Series 3 Yr Term
  Associated File Downloads and Description: sln-dla-ucse-k9-<ver>.ova - agent deployed to a UCS E-Series blade server

Note: After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.
For more information on Smart Licensing, see http://www.cisco.com/web/ordering/smart-software-manager/smart-accounts.html.
In addition, you must generate a registration token in the Cisco Smart Software Manager (http://www.cisco.com/web/ordering/smart-software-manager/index.html), then use this to register your controller. Each time you manage and enable an agent with the controller, the controller automatically requests a license entitlement for the agent.
For more information about the Cisco Smart Software Manager, see the Cisco Smart Software Manager User Guide.
Controller Host Requirements
You can host a controller virtual appliance on a VMware ESXi Version 5.5 hosting environment. You can also enable VMware Tools on all supported ESXi versions. For information on the full functionality of VMware Tools, see the VMware website (http://www.VMware.com). For help creating a hosting environment, see the VMware ESXi documentation.
Virtual appliances use Open Virtual Format (OVF) packaging. Cisco provides the controller and agent virtual appliances in OpenVirtual Appliance (OVA) format, an archive version of the OVF file.
The computer that serves as the controller ESXi host must meet the following requirements:
• It must have a 64-bit CPU that provides virtualization support, either Intel® Virtualization Technology (VT) or AMD Virtualization™ (AMD-V™) technology.
• Virtualization must be enabled in the BIOS settings.
• To host virtual devices, the computer must have network interfaces compatible with Intel e1000 drivers (such as PRO 1000 MT dual port server adapters or PRO 1000 GT desktop adapters).
• This host must have network connectivity to all ISRs where you will install your agents.
• Users such as administrators and analysts should be able to establish a connection to this host, to access the controller user interface.
For more information, see the VMware website: http://www.vmware.com/resources/guides.html.
Note: Installing the controller on an ISR is not supported.
Controller Installation Prerequisites
Controller Download
Cisco provides the controller as an OVA file: sln-sca-k9-<ver>.ova. Download the file at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html.
Note: After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.
You must also download and install the latest version of VMware vSphere Client to install the virtual machine. Cisco recommends you also download and install VMware ESXi version 5.5 to run the virtual machine. Download the files at https://my.vmware.com/web/vmware/downloads.
Controller Virtual Appliance Settings
Each virtual appliance you create requires a certain amount of memory, CPUs, and hard disk space on the ESXi host. Do not decrease the default settings, as they are the minimum required to run the system software. The following table lists the default settings.
Table 3: Default Controller Virtual Appliance Settings
  memory: 24576 MB (24 GB)
  virtual CPUs (vCPU): 4
  virtual NICs:
    • vNIC 0 - Main Network
    • vNIC 1 (disconnected) - Alt1 Network
    • vNIC 2 (disconnected) - Alt2 Network
  hard disk provisioned size: 200 GB
When you start the VM, the controller determines the amount of physical RAM available, and updates the configuration to allow use of up to half of that RAM.
Cisco recommends you increase VM settings, depending on the size of your Learning Network License deployment. See the following table for recommendations.
Table 4: Recommended Controller VM Settings
  1 to 50 agents: 24576 MB (24 GB) of RAM, 8 vCPU, 400 GB of hard disk provisioned size
  51 to 1000 agents: 65536 MB (64 GB) of RAM, 16 vCPU, 4 TB of hard disk provisioned size
Note: The number of vCPUs is determined by multiplying the number of virtual sockets by the number of cores per socket.
See Controller Virtual Hard Disk Storage, on page 19 for more information on increasing the hard disk storage size.
If you increase the memory, number of vCPUs and cores/socket (default is 4), or the hard disk size, see http://www.vmware.com/ for more information and best practices.
Information Needed During Installation
When you run the setup script, provide the following information to configure the controller:
Table 5: Controller Installation Settings
  eth0 interface IPv4 address, netmask, and gateway: transfer management traffic with agents, and provide access to the controller web UI
  eth0 interface hostname: hostname for the controller
  eth0 interface DNS servers and DNS search suffixes: DNS context for anomalies
  NTP server IPv4 addresses: synchronize time in the Learning Network License system
The setup script allows you the option of generating self-signed certificates. If you generate a certificate for the controller web UI server, you can define the following subject distinguished name components:
Table 6: Self-Signed Certificate Subject Distinguished Name Options
  Country Name: a two-letter ISO 3166-1 country code
  State or Province Name: full name of the state or province where your organization is located
  Locality Name: the city where your organization is located
  Organization Name: your organization's name
  Organizational Unit Name: your organization's division's name
  Common Name: a host and domain name associated with the certificate
  Email Address: a contact email address
Learning Network License requires a server certificate to encrypt controller/agent communications, and a server certificate to encrypt user connections to the controller web user interface.
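The following is an added example, not part of the Cisco guide, showing how an organization can generate its own server certificate with OpenSSL using the Table 6 subject fields; the guide states that the agent accepts a certificate your organization generates and that the setup script can create a self-signed one for the controller web UI, but it does not describe the upload format, so adapt the output files to it. The DN values, the hostname sln-controller.example.com and the file names are assumptions. The certificate also carries a subjectAltName equal to the Common Name, which current browsers require for the web UI connection and which the Table 6 prompts do not cover.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): create an organization-generated
# server certificate whose subject uses the Table 6 fields, plus a
# subjectAltName. The DN values, hostname and file names are assumed.
# Usage: make_server_cert <output-dir> <host-and-domain-name>

make_server_cert() {
    outdir=$1; fqdn=$2
    cfg="$outdir/req.cnf"
    # Non-interactive request config: the [dn] section mirrors Table 6, and the
    # SAN repeats the Common Name because browsers validate the SAN, not the CN.
    cat > "$cfg" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = v3_server
prompt             = no

[ dn ]
C            = US
ST           = California
L            = San Jose
O            = Example Corp
OU           = Network Security
CN           = $fqdn
emailAddress = netsec@example.com

[ v3_server ]
subjectAltName   = DNS:$fqdn
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
basicConstraints = critical, CA:FALSE
EOF
    # 2048-bit RSA key, unencrypted (-nodes) so the service can read it, and a
    # SHA-256 self-signature valid for 825 days.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 825 \
        -config "$cfg" -keyout "$outdir/server.key" -out "$outdir/server.crt" 2>/dev/null
    chmod 600 "$outdir/server.key"
}

# Print the certificate subject as one RFC 2253 string, e.g.
# "emailAddress=...,CN=...,OU=...,O=...,L=...,ST=...,C=US".
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Return 0 if the certificate lists $2 as a DNS subjectAltName.
cert_has_dns_san() {
    openssl x509 -in "$1" -noout -text | grep -q "DNS:$2"
}

# Return 0 if the certificate's Common Name is exactly $2.
cert_cn_is() {
    cert_subject "$1" | tr ',' '\n' | grep -qx "CN=$2"
}

if [ "$#" -eq 2 ]; then
    make_server_cert "$1" "$2" && cert_subject "$1/server.crt"
fi
```

Keep the private key on the host that generated it and copy only server.crt where the guide's trust procedures need it; the 0600 mode on the key is the minimum, not a substitute for restricting who can log into the VM.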
ISR Platform Requirements
Several G2 ISRs (Cisco 2921, Cisco 2951, Cisco 3945, and Cisco 3945E), and 4000 Series ISRs (Cisco 4331, Cisco 4351, Cisco 4451) support hosting an agent on a UCS E-Series blade server. The UCS E-Series server must run a vSphere ESXi hypervisor. For more information on the G2 ISRs, see http://www.cisco.com/c/en/us/td/docs/routers/access/1900/roadmap/ISRG2_roadmap.html. For more information on the 4000 Series ISRs, see http://www.cisco.com/c/en/us/td/docs/routers/access/4400/roadmap/isr4400roadmap.html.
ISR G2 Platform Requirements
Table 7: ISR G2 Platform Requirements
  Model: Cisco 2921, Cisco 2951, Cisco 3945, or Cisco 3945E
  DRAM: 2560 MB (2.5 GB) (Cisco 2921) or 1844 MB (1.8 GB) (Cisco 2951, 3945, 3945E)
  Image: IOS Release 15.5(3)M1 or greater
  NBAR2 Protocol Pack: Version 17.0 or greater
  Licenses:
    Cisco 2921, 2951:
    • SL-29-IPB-K9 - IP Base license, and
    • SL-29-DATA-K9 - Data license
    Cisco 3945, 3945E:
    • SL-39-IPB-K9 - IP Base license, and
    • SL-39-DATA-K9 - Data license
    See http://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/software-activation-on-integrated-services-routers-isr/white_paper_c11_556985.html#wp9001357 for more information.
  UCS E-Series Blade Server: one of the following models with 8192 MB (8 GB) of RAM and 155 GB free storage space, running vSphere ESXi Hypervisor Version 5.0 or greater:
    • UCS-E140S-M2/K9,
    • UCS-E140D-M1/K9,
    • UCS-E140DP-M1/K9,
    • UCS-E160D-M1/K9,
    • UCS-E160D-M2/K9,
    • UCS-E160DP-M1/K9, or
    • UCS-E180D-M2/K9
ISR 4000 Series Platform Requirements
Table 8: ISR 4000 Series Platform Requirements
  Model: Cisco 4331, Cisco 4351, or Cisco 4451
  Control Plane DRAM: 8192 MB (8 GB)
  Complex Programmable Logic Device: Version 15010638 or greater
  Image: IOS-XE Release 15.4(3)S1 through 15.5(3)Sx
  NBAR2 Protocol Pack: Version 15.0.0 or greater (IOS-XE 15.4(3)S1 through 15.5(3)S); Version 17.0.0 or greater (IOS-XE 15.5(3)S, rebuild 2 or greater)
  Licenses:
    Cisco 4331:
    • SL-4330-IPB-K9 - IP Base license, and
    • SL-4330-APP-K9 - AppX license
    Cisco 4351:
    • SL-4350-IPB-K9 - IP Base license, and
    • SL-4350-APP-K9 - AppX license
    Cisco 44XX:
    • SL-44-IPB-K9 - IP Base license, and
    • SL-44-DATA-K9 or SL-44-APP-K9 - Data license or AppX license
    See http://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/guide-c07-732797.html#_Toc424288435 for more information.
  UCS E-Series Blade Server: one of the following models with 8192 MB (8 GB) of RAM, 155 GB free storage space, running vSphere ESXi Hypervisor Version 5.0 or greater:
    • UCS-E140S-M2/K9,
    • UCS-E140D-M1/K9,
    • UCS-E140DP-M1/K9,
    • UCS-E160D-M1/K9,
    • UCS-E160D-M2/K9,
    • UCS-E160DP-M1/K9, or
    • UCS-E180D-M2/K9
Verifying ISR Platform Requirements
Before You Begin
• Log into the ISR console.
Procedure
Step 1 enable
  Purpose: Enable privileged EXEC mode.
  Example: Router> enable
Step 2 show version
  Purpose: Show version information, including image version, installed ISR licenses, and control plane DRAM.
  Example: Router# show version
Step 3 show platform
  Purpose: Show the Complex Programmable Logic Device version.
  Example: Router# show platform
Step 4 show ip nbar protocol-pack active
  Purpose: Show the NBAR2 protocol pack version.
  Example: Router# show ip nbar protocol-pack active
Step 5 exit
  Purpose: Exit privileged EXEC mode.
  Example: Router# exit
Example ISR Platform Requirements
Issuing the show version command to your ISR allows you to view your image version, installed licenses, and the total control plane DRAM on the ISR. These values are marked with bracketed comments in the output below. Note that appxk9 corresponds to the AppX license, and ipbasek9 corresponds to the IP Base license.

Router> enable
Router# show version
Cisco IOS XE Software, Version 2016-05-16_22.05.paj
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S2, RELEASE SOFTWARE (fc2)   [image version]
...
Technology Package License Information:
-----------------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
-----------------------------------------------------------------------
appxk9        appxk9        RightToUse     appxk9        [AppX license]
uck9          None          None           None
securityk9    None          None           None
ipbase        ipbasek9      Permanent      ipbasek9      [IP Base license]

cisco ISR4431/K9 (1RU) processor with 7799569K/6147K bytes of memory.   [control plane DRAM]
...

Issuing the show platform command to your ISR allows you to view the Complex Programmable Logic Device (CPLD) version, shown in the CPLD Version column below.

Router# show platform
Chassis type: ISR4431/K9

Slot      Type                State                 Insert time (ago)
--------- ------------------- --------------------- -----------------
...

Slot      CPLD Version        Firmware Version
--------- ------------------- ---------------------------------------
0         15010638            15.4(2r)S
R0        15010638            15.4(2r)S
F0        15010638            15.4(2r)S

Issuing the show ip nbar protocol-pack active command to your ISR allows you to view the NBAR2 protocol pack version, shown on the Version line below.

Router# show ip nbar protocol-pack active
Active Protocol Pack:
Name:      Advanced Protocol Pack
Version:   17.0
Publisher: Cisco Systems Inc.
...
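The following is an added example, not part of the Cisco guide: a POSIX shell pre-flight script that parses the output of the three show commands above, pasted into one text file, and checks it against the ISR 4000 Series requirements in Table 8 (image 15.4(3)S1 through 15.5(3)Sx, CPLD 15010638 or greater, the NBAR2 protocol pack minimum that applies to the running image, and an active IP Base plus AppX or Data technology package). The sample input is constructed from the guide's example output; the function and file names are this example's own. ISR G2 output (Table 7) uses different version strings and is not handled.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): check pasted ISR 4000 Series output of
# `show version`, `show platform` and `show ip nbar protocol-pack active` against
# Table 8. Usage: isr_preflight <file>. Function and file names are assumed.

# Extract the IOS-XE release string, e.g. 15.5(3)S2, from `show version`.
ios_version() {
    sed -n 's/.*Version \(1[0-9]\.[0-9]*([0-9]*)[A-Za-z][0-9]*\),.*/\1/p' "$1" | head -n 1
}
# Turn 15.5(3)S2 into a sortable integer, 15 05 03 02 -> 15050302; a release
# without a rebuild number (15.5(3)S) sorts as rebuild 00.
ios_key() {
    echo "$1" | awk -F'[.()A-Za-z]+' '{ printf "%d%02d%02d%02d\n", $1, $2, $3, ($4 == "" ? 0 : $4) }'
}
# Table 8: IOS-XE 15.4(3)S1 through 15.5(3)Sx, i.e. any rebuild of 15.5(3)S.
check_image() {
    v=$(ios_version "$1")
    [ -n "$v" ] || { echo "FAIL image: no IOS-XE version found"; return 1; }
    k=$(ios_key "$v")
    if [ "$k" -ge 15040301 ] && [ "$k" -le 15050399 ]; then
        echo "PASS image: $v"; return 0
    fi
    echo "FAIL image: $v is outside 15.4(3)S1 .. 15.5(3)Sx"; return 1
}
# Table 8: the NBAR2 minimum depends on the image, 15.0 up to 15.5(3)S and
# 17.0 from 15.5(3)S rebuild 2 onwards.
nbar_minimum_for() {
    if [ "$(ios_key "$1")" -ge 15050302 ]; then echo 17.0; else echo 15.0; fi
}
# Compare the "Version:" line of the active protocol pack with a major.minor minimum.
check_nbar() {
    v=$(sed -n 's/^ *Version: *\([0-9][0-9.]*\).*/\1/p' "$1" | head -n 1)
    [ -n "$v" ] || { echo "FAIL nbar: no active protocol pack version found"; return 1; }
    if echo "$v $2" | awk '{ split($1, a, "."); split($2, b, ".");
            exit !(a[1]+0 > b[1]+0 || (a[1]+0 == b[1]+0 && a[2]+0 >= b[2]+0)) }'; then
        echo "PASS nbar: protocol pack $v (minimum $2)"; return 0
    fi
    echo "FAIL nbar: protocol pack $v is below the minimum $2"; return 1
}
# Table 8: every CPLD version listed by `show platform` must be 15010638 or greater.
check_cpld() {
    rows=$(awk 'seen && $2 ~ /^[0-9]+$/ { print $1, $2 } /^Slot +CPLD/ { seen = 1 }' "$1")
    [ -n "$rows" ] || { echo "FAIL cpld: no CPLD table found"; return 1; }
    low=$(echo "$rows" | awk '$2 + 0 < 15010638 { printf "%s=%s ", $1, $2 }')
    [ -z "$low" ] || { echo "FAIL cpld: below 15010638 on $low"; return 1; }
    echo "PASS cpld: $(echo "$rows" | awk '{ print $2 }' | sort -u | tr '\n' ' ')"
}
# Table 8: IP Base (ipbasek9) plus AppX (appxk9); Data (datak9) also qualifies on
# the 44xx. Only the "Current" column of the technology package table counts.
check_licenses() {
    cur=$(awk '$2 ~ /k9$/ { print $2 }' "$1" | sort -u | tr '\n' ' ')
    case " $cur " in *" ipbasek9 "*) ;; *) echo "FAIL license: ipbasek9 not active (${cur:-none})"; return 1 ;; esac
    case " $cur " in *" appxk9 "*|*" datak9 "*) echo "PASS license: $cur"; return 0 ;; esac
    echo "FAIL license: neither appxk9 nor datak9 is active ($cur)"; return 1
}
# Sum the two figures on the "processor with .../...K bytes of memory" line, in MiB.
# Reported, not thresholded: the guide's own passing example shows about 7.6 GB.
dram_mib() {
    sed -n 's/.*with \([0-9]*\)K\/\([0-9]*\)K bytes of memory.*/\1 \2/p' "$1" | head -n 1 \
        | awk '{ printf "%d\n", ($1 + $2) / 1024 }'
}
isr_preflight() {
    rc=0
    check_image "$1" || rc=1
    check_cpld "$1" || rc=1
    check_nbar "$1" "$(nbar_minimum_for "$(ios_version "$1")")" || rc=1
    check_licenses "$1" || rc=1
    echo "INFO dram: $(dram_mib "$1") MiB reported (Table 8 requires an 8192 MB module)"
    return $rc
}
# Constructed sample, abridged from the guide's example output above.
write_sample() {
    cat > "$1" <<'EOF'
Router# show version
Cisco IOS XE Software, Version 2016-05-16_22.05.paj
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S2, RELEASE SOFTWARE (fc2)
Technology Package License Information:
Technology    Technology-package    Technology-package
              Current       Type    Next reboot
appxk9        appxk9        RightToUse    appxk9
securityk9    None          None          None
ipbase        ipbasek9      Permanent     ipbasek9
cisco ISR4431/K9 (1RU) processor with 7799569K/6147K bytes of memory.
Router# show platform
Chassis type: ISR4431/K9
Slot      Type          State    Insert time (ago)
0         ISR4431/K9    ok       1w2d
Slot      CPLD Version  Firmware Version
0         15010638      15.4(2r)S
R0        15010638      15.4(2r)S
F0        15010638      15.4(2r)S
Router# show ip nbar protocol-pack active
Version:   17.0
EOF
}
if [ "$#" -eq 1 ]; then isr_preflight "$1"; fi
```

Run it as isr_preflight.sh capture.txt; a non-zero exit means at least one FAIL line was printed, and the DRAM line is informational because the memory figure reported by show version is below the nominal module size even on the guide's passing router.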
ISR Configuration Prerequisites
Information Needed for ISR Configuration
When you configure the ISR's NTP servers and Flexible NetFlow, provide the following information:
Table 9: ISR Configuration Settings
  loopback interface IPv4 address or router management interface: configure NTP server connectivity. Use a loopback interface if you have one configured, or the router management interface if you do not.
  NTP server IPv4 addresses: synchronize time in the Learning Network License system
  agent eth1 IPv4 address for NetFlow exporter: pass NetFlow packets from the ISR to the agent
ISR License Installation
To run an agent on an ISR G2, you must activate an IP Base (ipbasek9) IOS license and a Data (datak9) IOS license. To run an agent on an ISR 4000 Series, you must activate an IP Base (ipbasek9) IOS license and an AppX (appxk9) IOS license (on the Cisco 4451, a Data (datak9) license also qualifies, as listed in Table 8). See http://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html for more information on activating the licenses.
Agent and ISR Interaction
The following diagram illustrates the interaction between an agent and its host ISR.
Figure 3: ISR and Agent on a UCS E-Series Blade Server Interaction
The diagram shows an agent deployed to a UCS E-Series blade server on the host ISR. The agent contains three interfaces:
• The eth0 interface, which connects to the UCS-E front panel GE2 port. This is the Management interface, which handles controller/agent communication, including mitigations and anomalies.
Configure eth0 with a routable IP address the controller can reach.
• The eth1 interface, which connects to the UCS-E internal GE0 port, which connects to the router ucs.../0 interface. This is the Control interface, which handles agent/router communication, including passing NetFlow packets from the router to the agent, and passing mitigations from the agent to the router.
Traffic over the control connection does not leave the router. Configure the eth1 interface and the ucs.../0 interface using private IP addresses.
• The eth2 interface, which connects to the UCS-E internal GE1 port, which connects to the router ucs.../1 interface. This is the Data Transfer interface, which handles raw packet data passed from the router to the agent. These raw packets are used for packet buffer capture and deep packet inspection.
Traffic over the data connection does not leave the router. Configure the eth2 interface and the ucs.../1 interface using private IP addresses.
Agent Installation Prerequisites
The agent runs as a virtual machine deployed to a UCS E-Series blade server. The server must run a VMware ESXi Version 5.5 hypervisor. You can also enable VMware Tools on all supported ESXi versions. For information on the full functionality of VMware Tools, see the VMware website (http://www.VMware.com). For help creating a hosting environment, see the VMware ESXi documentation. See ISR 4000 Series Platform Requirements, on page 10 for more information.
Note: You must download the UCS E-Series blade server OVA file. You cannot install the virtual service OVA file on a UCS E-Series blade server.
Agent Configuration Prerequisites
Agent OVA Download
Cisco provides the agent as an OVA file: sln-dla-ucse-k9-<ver>.ova. Download the file at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html.
Note: After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.
If you install the agent on a UCS E-Series blade server, you must also download and install the latest version of VMware vSphere Client to install the virtual machine. Download the file at https://my.vmware.com/web/vmware/downloads.
Agent Virtual Appliance Settings
Each agent you deploy to a UCS E-Series blade server requires a certain amount of memory, CPUs, and hard disk space. Do not decrease the default settings, as they are the minimum required to run the system software. However, to improve performance, you can increase the memory and number of CPUs, depending on your available resources. The following table lists the default settings.
Table 10: Default Agent on a UCS E-Series Blade Server Virtual Appliance Settings
  memory: 5120 MB (5 GB)
  virtual CPUs: 4
  hard disk provisioned size: 155 GB
Information Needed for the Setup Script
When you run the agent setup script, you must provide the following information to configure the agent:
Table 11: Agent on a UCS E-Series Blade Server Setup Script Settings
  eth0 interface routable IPv4 address, netmask, and gateway: transfer management traffic with the controller
  optional eth0 interface DNS servers and DNS search suffixes: export files from the agent to other hosts
  eth0 interface hostname: hostname for the agent
  eth1 interface private IPv4 address and netmask: pass NetFlow packets to the agent, and pass mitigations and interface configuration to the agent
  eth2 interface private IPv4 address and netmask: pass raw packets from the ISR to the agent for deep packet inspection (DPI) and packet buffer capture (PBC)
  NTP server IPv4 addresses: synchronize time in the Learning Network License system
Learning Network License requires a server certificate to encrypt controller/agent communications. The agent generates one automatically, but you can also upload one your organization generates.
NTP Configuration
You must provide NTP server addresses synchronized with those configured on the controller and router to ensure synchronized time.
Downloading the OVA Files from Cisco
Note: After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.
Procedure
Step 1 In your web browser, navigate to http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html. Enter your username and password when prompted.
Step 2 Download the controller OVA file: sln-sca-k9-<ver>.ova
Step 3 Download an agent OVA file:
• sln-dla-ucse-k9-<ver>.ova - contains the agent to be deployed on an ISR's UCS E-Series blade server
Obtaining a File's Checksum from cisco.com
Before You Begin
• Go to the file download page on cisco.com.
Procedure
Step 1 Click the File Information file name to view the file's details, which include the MD5 and SHA512 checksums.
Step 2 Click the ellipsis (…) to view the full SHA512 checksum.
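The following is an added example, not part of the Cisco guide, of the checksum comparison the notes above ask for: a POSIX shell function that computes the SHA512 (or MD5) digest of a downloaded OVA and compares it with the value copied from the cisco.com File Information dialog. Prefer SHA512 when both are published, since MD5 is no longer collision-resistant and a matching MD5 alone does not rule out a substituted file. The function names and the file names used in the usage line are assumptions.

```shell
#!/bin/sh
# Added example (not from the Cisco guide): compare a downloaded OVA with the
# SHA512 or MD5 checksum published on cisco.com. Function names are assumed.
# Usage: verify_checksum <file> <published-hex> [sha512|md5]

# Print the hex digest of $1 using algorithm $2, with the coreutils tools or
# the BSD/macOS ones as a fallback.
compute_digest() {
    file=$1
    case $2 in
        sha512)
            if command -v sha512sum >/dev/null 2>&1; then
                sha512sum "$file" | awk '{ print $1 }'
            else
                shasum -a 512 "$file" | awk '{ print $1 }'
            fi ;;
        md5)
            if command -v md5sum >/dev/null 2>&1; then
                md5sum "$file" | awk '{ print $1 }'
            else
                md5 -q "$file"
            fi ;;
        *)
            echo "unsupported algorithm: $2" >&2; return 2 ;;
    esac
}

# Return 0 when the digest of the file matches the published value, 1 on a
# mismatch or a missing file. The published value is normalised first so a
# copy-paste with stray whitespace or upper-case hex still compares cleanly.
verify_checksum() {
    file=$1
    expected=$(printf '%s' "$2" | tr -d ' \t\r\n' | tr 'A-Z' 'a-z')
    algo=${3:-sha512}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 1; }
    actual=$(compute_digest "$file" "$algo") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $algo digest of $file matches the published value"
        return 0
    fi
    echo "MISMATCH: $algo digest of $file differs; re-download and compare again" >&2
    echo "  published: $expected" >&2
    echo "  computed:  $actual" >&2
    return 1
}

# Command-line use: verify_ova.sh sln-sca-k9-1.1.ova <published-hex> [sha512|md5]
if [ "$#" -ge 2 ]; then
    verify_checksum "$@"
fi
```

Run it before deploying the OVA with vSphere Client, and treat a second mismatch after a fresh download as the guide says: stop and contact Cisco Support rather than deploying the file.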
Controller Deployment
Cisco provides the controller as a downloadable OVA file. You can deploy this OVA file to a host running an ESXi hypervisor.
Before you start the controller VM, you can update the memory, number of vCPUs, and hard disk space in vSphere vCenter. If you increase the memory, you must start the VM, then run the setup-system script. After you run the script, the VM is updated with the proper memory settings.
If your controller is already running, and you want to update the memory settings, run the setup-system script, stop the VM, update the memory settings, and start the VM. On restart, the VM is updated with the proper memory settings.
See Controller Installation Prerequisites, on page 7 for more information on recommended controller VM settings, based on deployment size.
Note: For a given version of the Learning Network License system, only the version of Ubuntu Linux shipped with the controller and agents is supported. Do NOT upgrade Ubuntu Linux on the controller or agent VMs.
The first time you log into the virtual machine, the system prompts you to change the default administrator password.
Deploying the OVA File
As you map destination networks to interfaces, note that only eth0 is enabled by default. For many deployments, controller management traffic, agent traffic, and controller web UI user traffic are reachable from the same controller network interface. In this case, you can map that destination network to the eth0 interface. You can also leave the eth1 and eth2 interfaces disabled, and mapped to a separate destination network.
However, if these traffic types are reachable via different controller network interfaces, you can enable eth1, eth2, or both eth1 and eth2, then map them to the appropriate destination networks.
Before You Begin
• Download the OVA file.
• Download VMware vSphere Client from https://my.vmware.com/web/vmware/downloads and install it.
Procedure
Step 1 Open vSphere Client, and connect to the ESXi hypervisor where you want to install the OVA file.
Step 2 Select File > Deploy OVF Template.
Step 3 Click Browse to select your OVA file, then click Next.
Step 4 Review the OVF Template Details, then click Next.
Step 5 Enter a Name, select an inventory location, then click Next.
Step 6 Click the Thick Provision Lazy Zeroed radio button, then click Next.
Step 7 Select a Destination Network from your inventory to map to a Source Network. You can map the following default networks, then click Next.
• eth0 to Main Network
• eth1 (disconnected) to Alt1 Network
• eth2 (disconnected) to Alt2 Network
Note: If you only need to configure eth0, you can map eth1 and eth2 to the same network.
Step 8 Review your deployment settings and click Finish.
Note: The deployment may take 30 minutes to an hour or longer, depending on your environment.
Step 9 Click Close after the deployment completes.
What to Do Next
• Power on the virtual machine and login, as described in the next section.
Powering On the Virtual Machine
Before You Begin
• Deploy the OVA file to the ESXi hypervisor, as described in the previous section.
Procedure
Step 1 Open vSphere Client, and connect to the ESXi hypervisor where you deployed the virtual machine.
Step 2 Select Home > Inventory > VMs and Templates.
Step 3 Select the virtual machine from the navigation tree.
Step 4 Select Inventory > Virtual Machine > Power > Power On.
Step 5 Click the Console tab, then click in the console pane to shift your focus to the virtual machine console.
Note: To shift your focus from the virtual machine console to your local host, press Ctrl-Alt.
Step 6 Log in with the default administrator username (sln) and the default administrator password (cisco). When prompted, change the default administrator password.
Controller Virtual Hard Disk Storage
By default, the controller OVA ships configured with a 200 GB hard disk. Based on your deployment and the recommended settings, you can configure the deployed controller VM to expand the available hard disk storage space by either:
• increasing the existing virtual hard disk storage allocation with an expanded partition or another partition, when the existing VMware storage area has sufficient space, or
• adding a new virtual hard disk, when the existing VMware storage area has insufficient space.
Note: Follow the procedures carefully. Failure to follow them can result in corruption or loss of the controller VM filesystem.
Controller Virtual Hard Disk Allocation Expansion
To add space to the controller VM hard disk, configure the VM's settings in VMware vSphere to increase the size of the hard disk. Then, from the VM's command line, run parted to extend an existing virtual hard disk partition. Finally, issue commands to expand the filesystem size for the new hard disk.
Note: You can only extend a hard disk partition to 2 TB. If you need more space, you can use cfdisk to instead add another virtual hard disk partition.
By default, the controller ships with one virtual hard disk, sda, and up to partition number 5 (sda5). The first time you add a partition to this virtual hard disk, increment the name by one (sda6). If you want to add another partition, increment the name of the most recent hard disk partition by 1 (sda7, sda8, and so on).
Editing VM Settings to Increase Virtual Hard Disk Size
Before You Begin
• Connect to the ESXi hypervisor using VMware vSphere.
Procedure
Step 1 Select Home > Inventory > VMs and Templates.
Step 2 Right-click the controller VM and select Edit Settings.
Step 3 In the Hardware tab, select Hard disk 1.
Step 4 Enter a new Provisioned Size to update the virtual hard disk provision.
Step 5 Click OK.
Step 6 Right-click the controller VM and select Power > Shut Down Guest. Wait for the VM to power off.
Step 7 Right-click the controller VM and select Power > Power On.
Adding a New Virtual Hard Disk Partition Larger than 2 TB
Use cfdisk to create a new partition from the added space when extending the existing partition would exceed the 2 TB limit. The controller OVA contains one virtual hard disk by default, sda. This virtual hard disk contains partitions up to number five (sda5). The following task assumes you have not created another virtual hard disk partition, directing you to increment the highest virtual hard disk partition name by one to create the sda6 partition. If you have created other virtual hard disk partitions for the sda virtual hard disk, increment the new partition name based on the existing virtual hard disk partitions (sda7, sda8, etc.).
Before You Begin
• Use VMware vSphere to log into the controller VM console.
Procedure
Step 1 Run the cfdisk partition editor to create the sda6 partition.
Command: sudo cfdisk /dev/sda, then enter your password when prompted
Example: user@host:~$ sudo cfdisk /dev/sda
Step 2 Move your cursor to the last line containing Free space, and verify that the size column roughly matches the amount of space you added. If it does not, restart the controller VM and restart this procedure from the beginning.
Step 3 Press n to create a new partition.
Step 4 Select Logical and press Enter to create a logical partition.
Step 5 Press Enter to accept the default size, creating the partition with all of the free space displayed.
Step 6 Press t and change the partition type to 8E (Linux LVM).
Step 7 Press W to write the new partition table, then enter yes to confirm.
Step 8 Press q to quit cfdisk.
Updating the Filesystem for the New Virtual Hard Disk Partition
The controller VM was provisioned with Linux LVM2 (Logical Volume Manager) tools. The following procedure uses the LVM2 tools to register the new partition as a physical volume, add the new physical volume to the existing volume group, and extend the logical volume over the new physical volume while simultaneously resizing the Linux filesystem to recognize the additional space.
Before You Begin
• Use VMware vSphere to log into the controller VM console.
Procedure
Step 1 Update the /dev filesystem to include /dev/sda6 as a new virtual hard disk partition.
Command: sudo partprobe -s
Example: user@host:~$ sudo partprobe -s
Step 2 Create a physical volume for the new partition on the sda virtual hard disk.
Command: sudo pvcreate /dev/sda6
Example: user@host:~$ sudo pvcreate /dev/sda6
Step 3 View the name of the volume group.
Command: sudo vgdisplay
Example: user@host:~$ sudo vgdisplay
Step 4 Add the new physical volume to the volume group.
Command: sudo vgextend <volume-group> /dev/sda6
Example: user@host:~$ sudo vgextend vg00 /dev/sda6
Step 5 Extend the root logical volume over the new physical volume and resize the root filesystem in the same operation. Afterwards, df -h / should show the added space.
Command: sudo lvextend -r /dev/<volume-group>/root /dev/sda6
Example: user@host:~$ sudo lvextend -r /dev/vg00/root /dev/sda6
Controller Virtual Hard Disk Addition
To add a virtual hard disk to the controller VM, configure the VM's settings in VMware vSphere to add the new hard disk. Then, from the VM's command line, run cfdisk to partition the new virtual hard disk, and issue the LVM commands that extend the root filesystem onto it.
By default, the controller ships with one virtual hard disk, sda. The first time you add a virtual hard disk, increment the name by one (sdb). If you want to add another virtual hard disk, increment the name of the most recent hard disk by 1 (sdc, sdd, and so on).
Editing VM Settings for a New Hard Disk
Before You Begin
• Connect to the ESXi hypervisor using VMware vSphere.
Procedure
Step 1 Select Home > Inventory > VMs and Templates.
Step 2 Right-click the controller VM and select Edit Settings.
Step 3 In the Hardware tab, click Add.
Step 4 Select Hard Disk and click Next.
Step 5 Select Create a new virtual disk and click Next.
Step 6 Enter a Disk Size and click Next.
Step 7 Click Next to skip the Advanced Options screen.
Step 8 Click Finish.
Step 9 Click OK in the Virtual Machine Properties window.
Step 10 Right-click the controller VM and select Power > Shut Down Guest. Wait for the VM to power off.
Step 11 Right-click the controller VM and select Power > Power On.
Adding a New Hard Disk
Use cfdisk to create a disk partition on the new virtual hard disk. The controller OVA contains one virtual hard disk by default, sda. The following task assumes you have not created another virtual hard disk, directing you to increment the existing virtual hard disk name by one to create the sdb virtual hard disk. If you have created other virtual hard disks for the controller, increment the new virtual hard disk name based on the existing virtual hard disks (sdc, sdd, etc.).
Before You Begin
• Use VMware vSphere to log into the controller VM console.
Procedure
Step 1 Run the cfdisk partition editor on the sdb virtual hard disk to create the sdb1 partition. The table contains one line, with the free space equal to the total disk size.
Command: sudo cfdisk /dev/sdb, then enter your password when prompted
Example: user@host:~$ sudo cfdisk /dev/sdb
Step 2 Press n to create a new partition.
Step 3 Select Primary and press Enter to create a primary partition.
Step 4 Press Enter to accept the default size, creating the partition with all of the free space displayed.
Step 5 Press t and change the partition type to 8E (Linux LVM).
Step 6 Press W to write the new partition table, then enter yes to confirm.
Step 7 Press q to quit cfdisk.
Updating the Filesystem for the New Hard Disk
Before You Begin
• Use VMware vSphere to log into the controller VM console.
Procedure
Step 1 Update the /dev filesystem to include the /dev/sdb1 partition on the new virtual hard disk.
Command: sudo partprobe -s
Example: user@host:~$ sudo partprobe -s
Step 2 Create a physical volume for the new partition on the sdb hard disk.
Command: sudo pvcreate /dev/sdb1
Example: user@host:~$ sudo pvcreate /dev/sdb1
Step 3 View the name of the volume group.
Command: sudo vgdisplay
Example: user@host:~$ sudo vgdisplay
Step 4 Add the new physical volume to the volume group.
Command: sudo vgextend <volume-group> /dev/sdb1
Example: user@host:~$ sudo vgextend vg00 /dev/sdb1
Step 5 Restart the controller VM.
Command: sudo reboot
Example: user@host:~$ sudo reboot
Step 6 Log into the controller VM console.
Step 7 Extend the root logical volume over the new physical volume and resize the root filesystem in the same operation.
Command: sudo lvextend -r /dev/<volume-group>/root /dev/sdb1
Example: user@host:~$ sudo lvextend -r /dev/vg00/root /dev/sdb1
Step 8 Restart the controller VM. After it comes back up, df -h / should show the added space.
Command: sudo reboot
Example: user@host:~$ sudo reboot
Custom Controller Web UI Certificates
The controller web server uses Transport Layer Security (TLS) to encrypt connections to the controller web UI. This requires the server to present a certificate to the client browser. The self-signed certificate installed by default does not allow the browser to validate the authenticity of the controller web UI, and leads to browser warnings about an untrusted web server. Instead of using the self-signed certificate, you can upload to the controller a server certificate and private key issued by your organization. This allows clients that connect to the controller web UI to properly validate the web server's authenticity. Note the following:
• You must upload both a server certificate and its associated private key. Both must be in PEM format.
• You can also upload the chain of issuing CA certificates for the server certificate, concatenated after the server certificate in a single PEM file (the server certificate first, followed by the intermediate CA certificates in issuing order).
• You can upload an encrypted private key file. You must then also create an additional file (sln_ssl.pass) containing the cleartext password required to decrypt the private key file.
After you make these changes, restart the controller web UI processes.
Note: When you run the setup-system script, do not generate a new controller web UI certificate, as this will overwrite your custom certificate and private key. See Configuring the Controller with the Setup Script, on page 26 for more information.
Uploading a Private Key Password
If your private key file is encrypted, you must create an sln_ssl.pass password file containing the cleartext password. After you create the file, you update the sln_ssl_certs.conf configuration file to point to the password file. See Uploading Custom Controller Web UI Certificates, on page 25 for more information. Because this file holds the key password in cleartext, keep it in /etc/ssl/private/ and readable only by root, as you would the private key itself.
Before You Begin
• Log into the controller VM console.
Procedure
Step 1 Change to the /etc/ssl/private/ directory.
Command: cd /etc/ssl/private/
Example: user@host:~$ cd /etc/ssl/private/
Step 2 Create the sln_ssl.pass password file, containing the private key cleartext password on a single line.
Command: cat > sln_ssl.pass, then enter your password as cleartext, then press Ctrl + D.
Example:
user@host:/etc/ssl/private$ cat > sln_ssl.pass
private-key-password
Step 3 Verify that the sln_ssl.pass password file contains the correct cleartext password.
Command: cat sln_ssl.pass
Example: user@host:/etc/ssl/private$ cat sln_ssl.pass
What to Do Next
• Continue updating the configuration for your custom certificate and private key, as described in the next section.
Uploading Custom Controller Web UI Certificates
Before You Begin
• Log into the controller VM console.
• Upload your custom controller web UI server certificate, and chain of issuing CA certificates if applicable, in PEM format to the controller at /etc/ssl/certs.
• Upload your custom controller web UI server certificate private key in PEM format to the controller at /etc/ssl/private.
Procedure
Step 1 Change to the /opt/cisco/sln/viz/conf/ directory.
Command: cd /opt/cisco/sln/viz/conf/
Example: user@host:~$ cd /opt/cisco/sln/viz/conf/
Step 2 Open sln_ssl_certs.conf in the vi text editor as a superuser.
Command: sudo vi sln_ssl_certs.conf, then enter your password when prompted
Example: user@host:/opt/cisco/sln/viz/conf$ sudo vi sln_ssl_certs.conf
Step 3 Update sln_ssl_certs.conf to point to your custom server certificate: modify the ssl_certificate filepath to point to the custom server certificate PEM file (the file that also contains the CA chain, if you uploaded one).
Example:
ssl_certificate /etc/ssl/certs/server-certificate.pem
Step 4 Update sln_ssl_certs.conf to point to your custom server certificate private key: modify the ssl_certificate_key filepath to point to the private key PEM file that you uploaded to /etc/ssl/private.
Example:
ssl_certificate_key /etc/ssl/private/server-certificate-key.pem
Step 5 If you uploaded an sln_ssl.pass password file, add ssl_password_file and the corresponding filepath after the ssl_certificate_key line.
Example:
ssl_certificate_key /etc/ssl/private/server-certificate-key.pem
ssl_password_file /etc/ssl/private/sln_ssl.pass
Step 6 Save your changes, then exit the vi text editor.
Command: Press Esc, then enter :wq!
Step 7 Restart the controller web UI service. Afterwards, confirm from a workstation that the browser accepts the controller web UI certificate without a warning.
Command: sudo service ciscosln-viz restart
Example: user@host:/opt/cisco/sln/viz/conf$ sudo service ciscosln-viz restart
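A mismatched certificate and key, an encrypted key whose sln_ssl.pass is wrong, or a password file that other users can read are the usual reasons the restart above fails or leaves the controller weaker than before. The following preflight script is an added example, not part of the Cisco guide or the controller software: it parses the three directives you just edited in sln_ssl_certs.conf, checks the referenced files and their permissions, and uses Python's standard ssl module to load the certificate and key together before you restart ciscosln-viz. The directive names and file paths are the ones the guide uses; the base_dir argument is an assumption added only so the check can be exercised against a scratch directory.

```python
"""Preflight check for a custom controller web UI certificate.

Added example, not part of the Cisco guide. It reads the three nginx-style
directives the guide has you edit in sln_ssl_certs.conf (ssl_certificate,
ssl_certificate_key, ssl_password_file), confirms each referenced file exists
and contains the expected PEM block, flags a private key or sln_ssl.pass that
other users can access, and finally asks Python's ssl module to load the pair,
which fails on a certificate/key mismatch, a wrong key password, or a chain
file whose first block is not the server certificate. base_dir exists only so
a test can point at a scratch directory. Run as root on the controller:
    python3 check_sln_certs.py /opt/cisco/sln/viz/conf/sln_ssl_certs.conf
"""
import os
import re
import ssl
import stat
import sys

DIRECTIVES = ("ssl_certificate", "ssl_certificate_key", "ssl_password_file")


def parse_conf(text):
    """Return {directive: path}; accepts lines with or without a trailing ';'."""
    found = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().rstrip(";").strip()
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] in DIRECTIVES:
            found[parts[0]] = parts[1].strip('"\'')
    return found


def pem_labels(path):
    """Set of PEM block labels in a file, e.g. {'CERTIFICATE'}."""
    with open(path, errors="replace") as fh:
        return set(re.findall(r"-----BEGIN ([A-Z ]+)-----", fh.read()))


def _no_password():
    # Called by OpenSSL only if the key is encrypted and no password was given;
    # raising here avoids an interactive prompt that would hang the check.
    raise ValueError("private key is encrypted but no ssl_password_file is set")


def check_conf(conf_text, base_dir=None):
    """Validate a sln_ssl_certs.conf body; return a list of problems (empty = OK)."""
    conf = parse_conf(conf_text)
    problems = ["missing directive: %s" % d for d in DIRECTIVES[:2] if d not in conf]
    if problems:
        return problems

    def resolve(p):
        return p if base_dir is None else os.path.join(base_dir, p.lstrip("/"))

    cert = resolve(conf["ssl_certificate"])
    key = resolve(conf["ssl_certificate_key"])
    pw_file = resolve(conf["ssl_password_file"]) if "ssl_password_file" in conf else None

    # Existence and permissions first: a group/world-accessible key or
    # password file defeats the point of encrypting the key at all.
    for label, path in (("certificate", cert), ("private key", key), ("password file", pw_file)):
        if path is None:
            continue
        if not os.path.isfile(path):
            problems.append("%s not found: %s" % (label, path))
        elif label != "certificate" and stat.S_IMODE(os.stat(path).st_mode) & 0o077:
            problems.append("%s is accessible by group/other: %s" % (label, path))
    if problems:
        return problems

    if "CERTIFICATE" not in pem_labels(cert):
        problems.append("no PEM CERTIFICATE block in %s" % cert)
    if not any(lbl.endswith("PRIVATE KEY") for lbl in pem_labels(key)):
        problems.append("no PEM PRIVATE KEY block in %s" % key)
    password = None
    if pw_file is not None:
        with open(pw_file) as fh:
            lines = [ln for ln in fh.read().splitlines() if ln]
        if len(lines) != 1:
            problems.append("password file must hold exactly one line: %s" % pw_file)
        else:
            password = lines[0]
    if problems:
        return problems

    try:  # the real test: OpenSSL refuses a key that does not match the certificate
        ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
        ctx.load_cert_chain(cert, key, password=password if password else _no_password)
    except Exception as exc:  # SSLError, OSError, or ValueError from _no_password
        problems.append("certificate and key did not load together: %s" % exc)
    return problems


if __name__ == "__main__":
    with open(sys.argv[1]) as fh:
        issues = check_conf(fh.read())
    for issue in issues:
        print("PROBLEM:", issue)
    sys.exit(1 if issues else 0)
```

The checks are ordered so that the cheap, unambiguous failures (missing file, loose permissions, not PEM) are reported before OpenSSL is asked to parse anything; load_cert_chain is only reached when the inputs look sane, so its error message can be trusted to mean a genuine mismatch or wrong password.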
Configuring the Controller with the Setup Script
Run the setup-system script to configure the controller's hostname and network interfaces, enable SSH, set NTP servers, and generate the certificates used for controller/agent communication and for the web UI. If you need multiple interfaces on multiple subnets, when configuring networking, you can also configure eth1 and eth2.
Before You Begin
• Log into the controller VM console.
Procedure
Step 1 Change directories.
Command: cd ~/
Example: user@host:~$ cd ~/
Step 2 Run the setup script. Enter the administrator password if prompted.
Command: sudo ./setup-system
Example: user@host:~$ sudo ./setup-system
Step 3 Configure networking: enter y.
Step 4 Configure the eth0 interface: enter 1.
Step 5 Configure the controller VM hostname. You must enter a fully qualified domain name.
Command: hostname, then the hostname, then y to confirm
Step 6 Configure the interface's IPv4 address, along with a netmask and gateway.
Command: ipv4, then the IPv4 address, then the netmask, then the gateway, then y to confirm
Step 7 Modify the virtual machine's list of DNS servers.
Command: dns, then the DNS servers, then y to confirm
Step 8 If you want to configure the domain suffix search list, run the search command.
Command: search, then the domain suffixes, then y to confirm
Step 9 View the interface's network settings, hostname, and DNS settings. If any of these are missing or incorrect, repeat that configuration.
Command: view
Step 10 Save your changes and continue with interface configuration.
Command: exit
Step 11 Exit interface configuration and continue: enter 4.
Step 12 Enable SSH login: enter y.
Step 13 Configure the NTP servers used to synchronize time between the controller and agents. Enter a space-delimited list of NTP server fully qualified domain names (FQDNs) or IPv4 addresses.
Command: y, then the NTP servers, then y to confirm
Step 14 Generate a controller self-signed certificate, used for encrypting controller/agent communication: enter y.
Step 15 Generate a controller web UI self-signed certificate, used for encrypting user connections to the controller web user interface: enter y, or n if you uploaded a custom certificate (generating a new one overwrites it).
Step 16 Optionally, specify the certificate subject distinguished name (DN): enter y if you generated a new certificate and want to set its DN.
Step 17 If you chose to specify the DN, provide the DN information: country code, then state, then locality, then organization, then organizational unit, then common name, then email.
Resetting the Administrator Password
After you run the setup-system script, reset the controller web UI administrator user account (admin) password. When you reset the password, the system prints a temporary password to the console, valid for 72 hours. You must log into the controller web UI as the admin user account within that time, then update your password.
Procedure
Step 1 Change directories to ~/SCA.
Command: cd ~/SCA
Example: user@host:~$ cd ~/SCA
Step 2 Stop the controller processes.
Command: sudo service ciscosln-sca stop, then enter your password when prompted
Example: user@host:~/SCA$ sudo service ciscosln-sca stop
Step 3 Reset the admin user account's password. The script prints the temporary password to the console.
Command: ./sca.sh reset-admin-password
Example:
user@host:~/SCA$ ./sca.sh reset-admin-password
Resetting the admin password in sln
New password is 'AbCd1234'
Admin password reset done.
Step 4 Start the controller processes.
Command: sudo service ciscosln-sca start
Example: user@host:~/SCA$ sudo service ciscosln-sca start
Disabling Host Time Synchronization
After you reset the administrator password, configure the VM to disable host time synchronization. This ensures the VM synchronizes time with the configured NTP servers, instead of the ESXi host.
Before You Begin
• Log into the controller VM console.
Procedure
Step 1 Modify the .vmx virtual machine configuration file to disable time synchronization with the ESXi host. Confirm with vmware-toolbox-cmd timesync status, which should report Disabled.
Command: vmware-toolbox-cmd timesync disable
Example: user@host:~$ vmware-toolbox-cmd timesync disable
Logging into the Controller Web UI
When you installed the controller, you defined an IP address for the controller web UI, and reset the administrator user account (admin) password. Log in with the temporary password printed to the controller VM console. After you log in once, you must change the password and confirm the new password.
Procedure
In your web browser, navigate to https://controller-web-ip-address, then enter your controller web username and passwordwhen prompted.
Verifying NTP Configuration on the Controller
Before You Begin
• Log into the controller VM console.
Procedure
Step 1 Display the configured NTP servers and their synchronization state. If the system does not display configured NTP servers, repeat NTP configuration in Configuring the Controller with the Setup Script, on page 26. A server marked with * in the first column is the one the VM is actually synchronized to; a reach value of 377 means the last eight polls were all answered.
Command: ntpq -n -p
Example: user@host:~$ ntpq -n -p
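Listing servers is not the same as being synchronized to one: ntpq marks the selected system peer with * in the first column and reports reachability as an octal shift register (377 when the last eight polls all answered). The following script is an added example, not part of the Cisco guide; it parses ntpq -n -p output and returns a pass/fail verdict you can run on the controller or an agent after setup-system. The sample output is constructed, using the guide's documentation addresses, and live_status() simply runs the guide's ntpq -n -p command on the local host.

```python
"""Interpret 'ntpq -n -p' output from the controller or an agent.

Added example, not part of the Cisco guide. Tally code (first column):
'*' system peer, '+' candidate, 'x'/'-' rejected, ' ' not reachable or not
yet selected. 'reach' is an octal shift register of the last eight polls,
so 377 means every one of them was answered. SAMPLE is constructed output.
"""
import subprocess

SAMPLE = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*209.165.202.129 .GPS.            1 u   23   64  377    0.512   -0.031   0.004
+209.165.202.130 209.165.202.129  2 u   40   64  377    0.847    0.120   0.011
 209.165.200.225 .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""


def parse_ntpq(text):
    """Return a list of peer dicts from ntpq -p output (headers skipped)."""
    peers = []
    for line in text.splitlines()[2:]:
        if not line.strip():
            continue
        tally, fields = line[0], line[1:].split()
        if len(fields) < 10:
            continue
        peers.append({
            "tally": tally,
            "remote": fields[0],
            "refid": fields[1],
            "stratum": int(fields[2]),
            "reach": int(fields[6], 8),      # octal shift register, e.g. 377
            "offset_ms": float(fields[8]),
        })
    return peers


def ntp_status(text, max_offset_ms=1000.0):
    """Return (ok, message). ok only when a system peer exists, answered all
    of its last eight polls, and its offset is within max_offset_ms."""
    peers = parse_ntpq(text)
    if not peers:
        return False, "no NTP servers configured; rerun setup-system"
    syspeer = [p for p in peers if p["tally"] == "*"]
    if not syspeer:
        unreachable = ", ".join(p["remote"] for p in peers if p["reach"] == 0)
        return False, "configured but not synchronized; unreachable: %s" % unreachable
    p = syspeer[0]
    if p["reach"] != 0o377:
        return False, "syncing to %s but reach is only %o/377" % (p["remote"], p["reach"])
    if abs(p["offset_ms"]) > max_offset_ms:
        return False, "offset %.1f ms from %s is too large" % (p["offset_ms"], p["remote"])
    return True, "synchronized to %s (stratum %d)" % (p["remote"], p["stratum"])


def live_status():
    """Run the guide's 'ntpq -n -p' on this host and judge the result."""
    try:
        out = subprocess.run(["ntpq", "-n", "-p"], capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return False, "ntpq is not installed on this host"
    return ntp_status(out)


if __name__ == "__main__":
    print("sample:", ntp_status(SAMPLE)[1])
    print("this host:", live_status()[1])
```

Run it a few minutes after configuring NTP: the daemon needs several successful polls before it selects a system peer, so an immediate check will report "configured but not synchronized" even when the configuration is correct.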
What to Do Next
• Configure NTP and NetFlow, as described in the next section.
NTP Configuration
To configure NTP server addresses on the ISR, associate the router management interface with the NTP servers. Alternatively, if you have a loopback interface already configured, you can use that instead as the NTP source interface.
Configuring NTP on the ISR
You can enter each command individually. You can also paste the commands from the example below into a text editor, update the variable, then paste all the updated commands into the command line. The ntp source and ntp server commands are global configuration commands, so enter them after configure terminal, and enter one ntp server command per server address. If you have an existing loopback interface, use that as the NTP source interface. Otherwise, use the router management interface.
enable
configure terminal
ntp source GigabitEthernet0/0/0
ntp server <ipv4-address>
end
Procedure
Step 1 Enable privileged EXEC mode. Enter your password if prompted.
Command: enable
Example: Router> enable
Step 2 Enter global configuration mode, then use the GigabitEthernet0/0/0 interface as the source of NTP packets sent to the NTP servers.
Command: configure terminal, then ntp source GigabitEthernet0/0/0
Example:
Router# configure terminal
Router(config)# ntp source GigabitEthernet0/0/0
Step 3 Specify the NTP servers to synchronize with, one ntp server command per address. Additional servers act as backups.
Command: ntp server ipv4-address
Example:
Router(config)# ntp server 209.165.202.129
Router(config)# ntp server 209.165.202.130
Step 4 Return to privileged EXEC mode and display the configured NTP servers. If the system does not display correctly configured NTP servers, or none of them shows the * (synchronized) marker after a few minutes, repeat the configuration process.
Command: end, then show ntp associations
Example:
Router(config)# end
Router# show ntp associations
Step 5 Exit privileged EXEC mode.
Command: exit
Example: Router# exit
NetFlow Configuration
To capture information about traffic traversing your network, you must configure the following Flexible NetFlow components in order:
• SLN-NF-RECORD - a NetFlow flow record which defines key fields to match traffic, and non-key fields to collect
• SLN-NF-EXPORTER - a NetFlow flow exporter that references the agent Control IP address to send NetFlow data to the agent
• SLN-NF-MONITOR - a NetFlow flow monitor that references SLN-NF-RECORD to monitor input and output traffic coming overconfigured branch interfaces, and forwards it to SLN-NF-EXPORTER
The following diagram illustrates NetFlow operation on the ISR.
Figure 4: NetFlow Operation on the ISR
As input and output traffic passes over the branch facing interfaces, the SLN-NF-MONITOR flowmonitor, referencing the SLN-NF-RECORDflow record, monitors the traffic for the key fields. It collects the non-key fields defined in the flow record. The flow monitor sendsthe flow record to the SLN-NF-EXPORTER flow exporter, which then sends it to the configured ISR ucs.../0 Control IP address.
Configuring NetFlow
Procedure
Step 1 Enter global configuration mode, create the SLN-NF-RECORD flow record, and enter flow record configuration mode. Configure the flow record to match key fields and collect non-key fields. Exit flow record configuration mode and return to global configuration mode.
Command: Copy all the commands, paste them into a text editor, and update collect timestamp [absolute | sys-uptime] first and collect timestamp [absolute | sys-uptime] last. For supported 4000 Series ISRs, use sys-uptime. For other ISRs, use absolute. After you update the commands, paste them into the command line and press Enter to configure the NetFlow record.
Example:
configure terminal
flow record SLN-NF-RECORD
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect datalink mac source address input
 collect datalink mac destination address output
 collect transport tcp flags
 collect interface input
 collect interface output
 collect flow direction
 collect counter bytes
 collect counter packets
 collect timestamp [absolute | sys-uptime] first
 collect timestamp [absolute | sys-uptime] last
 collect application name
 collect routing forwarding-status
 exit
Step 2 Update the flow exporter commands with the IP address associated with the agent deployed to the UCS E-Series blade server.
Command: Copy the following commands into a text editor. Replace <dla-ip-address> with the agent Control IP address, which you configure on the agent's eth1 interface in a later step.
Example:
configure terminal
flow exporter SLN-NF-EXPORTER
 destination <dla-ip-address>
 transport udp 6666
 template data timeout 300
 exit
Step 3 Enter global configuration mode, create the SLN-NF-EXPORTER flow exporter, and enter flow exporter configuration mode. Configure the flow exporter to send flow records to the destination IP address on UDP port 6666, and to resend its templates every 300 seconds so the agent can decode records after a restart. Exit flow exporter configuration mode and return to global configuration mode.
Command: Copy the updated commands from the text editor into the command line and press Enter to configure the NetFlow exporter.
Step 4 Create the SLN-NF-MONITOR flow monitor, and enter flow monitor configuration mode. Configure the flow monitor to reference the SLN-NF-RECORD flow record and the SLN-NF-EXPORTER flow exporter (without the exporter reference, the monitor collects flows but never sends them to the agent), and configure cache settings. Exit flow monitor configuration mode and return to privileged EXEC mode.
Command: Copy the following commands into the command line, and press Enter to configure the NetFlow flow monitor.
Example:
flow monitor SLN-NF-MONITOR
 cache timeout active 60
 cache entries 512000
 record SLN-NF-RECORD
 exporter SLN-NF-EXPORTER
end
Step 5 Update the interface commands with every interface name.
Command: Copy the following commands into a text editor. Replace <name> with the name of an ISR interface that faces the branch's users. Repeat this for all ISR interfaces that face the branch's users.
Example:
configure terminal
interface <name>
 ip flow monitor SLN-NF-MONITOR input
 ip flow monitor SLN-NF-MONITOR output
end
Step 6 Specify an ISR interface and enter interface configuration mode. Assign the SLN-NF-MONITOR flow monitor to the interface to monitor incoming and outgoing traffic on the interface. Exit interface configuration mode and return to privileged EXEC mode. Repeat for each ISR interface.
Command: Copy the updated commands from the text editor into the command line and press Enter to assign the NetFlow flow monitor to the specified interface.
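Flexible NetFlow exports in NetFlow version 9 format, and the agent can only decode a data record after it has received the template that describes it, which is what the template data timeout above is for. The decoder below is an added example, not part of the Cisco guide or the agent software, for verifying on the agent's NetFlow interface that the exporter's datagrams arrive and are decodable: it parses the v9 header and FlowSets, learns templates per exporter source ID, and reports data FlowSets that arrive before their template. The port (6666) comes from the exporter configuration above; build_sample_packet() constructs a test datagram using standard v9 field type numbers that cover part of SLN-NF-RECORD, and is not a capture from a real ISR. listen() is for live use on the agent.

```python
"""Decode NetFlow v9 as the agent receives it on UDP 6666.

Added example, not part of the Cisco guide. Layout: 20-byte header, then
FlowSets. FlowSet ID 0 carries templates (field type/length pairs); a FlowSet
ID of 256 or more carries data records laid out by the template of that ID.
Templates are kept per (source ID, template ID). build_sample_packet() is a
constructed datagram, not a capture from a real ISR.
"""
import socket
import struct

FIELDS = {  # standard NetFlow v9 field type -> name (subset)
    1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 6: "TCP_FLAGS", 7: "L4_SRC_PORT",
    8: "IPV4_SRC_ADDR", 10: "INPUT_SNMP", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR",
    14: "OUTPUT_SNMP", 21: "LAST_SWITCHED", 22: "FIRST_SWITCHED", 61: "DIRECTION",
}


def _value(ftype, raw):
    return socket.inet_ntoa(raw) if ftype in (8, 12) else int.from_bytes(raw, "big")


def parse_v9(data, templates):
    """Parse one datagram. 'templates' maps (source_id, template_id) -> spec and
    is updated in place. Returns {'records': [...], 'pending': n, ...}, where
    pending counts data FlowSets whose template has not been seen yet."""
    if len(data) < 20:
        raise ValueError("datagram shorter than a NetFlow v9 header")
    version, _count, uptime, unix_secs, seq, source_id = struct.unpack("!HHIIII", data[:20])
    if version != 9:
        raise ValueError("not NetFlow v9 (version %d)" % version)
    records, pending, offset = [], 0, 20
    while offset + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[offset:offset + 4])
        if fs_len < 4 or offset + fs_len > len(data):
            raise ValueError("bad FlowSet length %d at offset %d" % (fs_len, offset))
        body = data[offset + 4:offset + fs_len]
        if fs_id == 0:                                      # template FlowSet
            pos = 0
            while pos + 4 <= len(body):
                tid, nfields = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                spec = [struct.unpack("!HH", body[pos + 4 * i:pos + 4 * i + 4]) for i in range(nfields)]
                pos += 4 * nfields
                templates[(source_id, tid)] = spec
        elif fs_id >= 256:                                  # data FlowSet
            spec = templates.get((source_id, fs_id))
            if not spec:
                pending += 1
            else:
                rec_len, pos = sum(flen for _, flen in spec), 0
                while pos + rec_len <= len(body):           # trailing bytes are padding
                    rec = {"source_id": source_id, "seq": seq}
                    for ftype, flen in spec:
                        rec[FIELDS.get(ftype, "type_%d" % ftype)] = _value(ftype, body[pos:pos + flen])
                        pos += flen
                    records.append(rec)
        offset += fs_len
    return {"records": records, "pending": pending, "uptime_ms": uptime, "unix_secs": unix_secs}


def without_templates(data):
    """Drop template FlowSets: what a receiver that started late effectively has."""
    out, offset = bytearray(data[:20]), 20
    while offset + 4 <= len(data):
        fs_id, fs_len = struct.unpack("!HH", data[offset:offset + 4])
        if fs_len < 4:
            break
        if fs_id != 0:
            out += data[offset:offset + fs_len]
        offset += fs_len
    return bytes(out)


SAMPLE_SPEC = [(8, 4), (12, 4), (4, 1), (7, 2), (11, 2), (6, 1), (61, 1), (1, 4), (2, 4)]


def build_sample_packet(source_id=1, seq=1):
    """Constructed datagram: header, a template FlowSet (ID 256), and one data
    record for an inbound TCP flow from a branch host to a web server."""
    tmpl = struct.pack("!HH", 256, len(SAMPLE_SPEC)) + b"".join(struct.pack("!HH", t, n) for t, n in SAMPLE_SPEC)
    tmpl_fs = struct.pack("!HH", 0, 4 + len(tmpl)) + tmpl
    rec = (socket.inet_aton("10.1.1.25") + socket.inet_aton("209.165.200.225") + bytes([6])
           + struct.pack("!HH", 51234, 443) + bytes([0x18, 0]) + struct.pack("!II", 4096, 12))
    rec += b"\x00" * (-len(rec) % 4)                        # pad to a 4-byte boundary
    data_fs = struct.pack("!HH", 256, 4 + len(rec)) + rec
    return struct.pack("!HHIIII", 9, 2, 123456, 1480000000, seq, source_id) + tmpl_fs + data_fs


def listen(bind_ip="0.0.0.0", port=6666):
    """Receive live exports on the agent's NetFlow interface and print a summary."""
    templates, sock = {}, socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    while True:
        data, peer = sock.recvfrom(65535)
        s = parse_v9(data, templates)
        print("%s: %d records, %d data FlowSets awaiting a template" % (peer[0], len(s["records"]), s["pending"]))


if __name__ == "__main__":
    print(parse_v9(build_sample_packet(), {})["records"])
```

On the agent, bind listen() to the eth1 address you give the exporter as <dla-ip-address> while the agent's own collector is stopped, or feed it UDP payloads captured with tcpdump. A steady stream of "awaiting a template" with no records means the exporter is reachable but the template refresh has not yet arrived, which resolves within the 300-second template data timeout; no datagrams at all points at the interface binding or the route between the ISR and the UCS-E blade.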
Agent Deployment to a UCS E-Series Blade Server
Cisco provides the agent as a downloadable OVA file. You can deploy this OVA file to a UCS E-Series blade server running an ESXi hypervisor on a Cisco 2921, Cisco 3945, Cisco 3945E, Cisco 4331, Cisco 4351, or Cisco 4451 ISR.
Note: For a given version of the Learning Network License system, only the version of Ubuntu Linux shipped with the controller and agents is supported. Do NOT upgrade Ubuntu Linux on the controller or agent VMs.
Configure virtual switches on the blade server, then deploy the agent virtual machine. After you power on the virtual machine, whenyou first log in, the system prompts you to change the default administrator password.
Configuring Virtual Switches
When you deploy the ESXi hypervisor on the UCS E-Series blade server, the system automatically creates a virtual switch using the vmnic2 physical adapter. This is associated with the GE2 external interface.
Configure two additional virtual switches, using the vmnic0 and vmnic1 physical adaptors. The vmnic0 virtual switch connects to theUCS-E GE0 internal interface, and this connects to the ISR UCS...1/0 interface. The vmnic1 virtual switch connects to the UCS-EGE1 internal interface, and this connects to the ISR UCS...1/1 interface.
Before You Begin
• Open VMware vSphere Client and connect to the ESXi hypervisor.
Procedure
Step 1 Select View > Inventory > Hosts and Clusters.
Step 2 Select the blade server from the navigation tree.
Step 3 Select the Configuration tab.
Step 4 In the Hardware pane, click Networking.
Step 5 In the View: vSphere Standard Switch pane, click Add Networking.
Step 6 In the Connection Types pane, select Virtual Machine and click Next.
Step 7 Select Create a vSphere standard switch, vmnic0, and click Next.
Step 8 Enter a Network Label and, optionally, a VLAN ID and click Next.
Step 9 Click Finish.
Step 10 Repeat the procedure for vmnic1.
UCS E-Series Blade Server Deployment
Ensure you have completed the following before deploying the agent:
• install the UCS E-Series blade server in the host ISR
• configure the server's GE2 interface with a routable IP address
• connect an ethernet cable to the server's GE2 interface front panel port, and connect the other end of the cable into a L2 top-of-rackswitch or router connected to your network
• configure a management network for ESXi using the vmnic2 network adapter
• start the UCS-E server and make sure it boots into the ESXi boot menu. If the server does not boot into the ESXi boot menu, see http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/1-0/gs/guide/b_Getting_Started_Guide/b_Getting_Started_Guide_chapter_0111.html#concept_4F2D448A505A4EBBA1A626CDC3D4118C for information on configuring the boot order through CIMC. Configure the hard disk drive (HDD) as first in the boot order, save your changes, then reboot the server.
For more information on configuring ESXi, see https://www.vmware.com/files/pdf/ESXi_management.pdf.
For more information on configuring the UCS E-Series server, see the Getting Started Guide for Cisco UCS E-Series Servers and the Cisco UCS E-Series Network Compute Engine, at https://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/3-0/gs/guide/b_3_x_Getting_Started_Guide.html. For more information on UCS E-Series servers, see the Documentation Guide for Cisco UCS E-Series Servers and the Cisco UCS E-Series Network Compute Engine, at http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/e/1-0/roadmap/e_series_road_map.html
Deploying the OVA File
Before You Begin
• Download the OVA file. See Downloading the OVA Files from Cisco, on page 16 for more information.
• Download VMware vSphere Client from https://my.vmware.com/web/vmware/downloads and install it.
Procedure
Step 1 Open vSphere Client, and connect to the ESXi hypervisor where you want to install the OVA file.
Step 2 Select File > Deploy OVF Template.
Step 3 Click Browse to select your OVA file, then click Next.
Step 4 Review the OVF Template Details, then click Next.
Step 5 Enter a Name, select an inventory location, then click Next.
Step 6 Click the Thick Provision Lazy Zeroed radio button, then click Next.
Step 7 Select a Destination Network from your inventory to map to each Source Network, then click Next. You can map the following default networks:
• Mgmt Network (vmnic2) to GE2
• NE Control Net (vmnic0) to Ucs.../0
• NE Data Net (vmnic1) to Ucs.../1
Step 8 Review your deployment settings and click Finish.
Note: The deployment may take 30 minutes to an hour or longer, depending on your environment.
Step 9 Click Close after the deployment completes.
What to Do Next
• Ensure the VM's network adapters are connected and set to connect at power on.
• Power on the virtual machine and perform first login, as described in the next section.
Powering on the Virtual Machine
Before You Begin
• Deploy the OVA file to the ESXi hypervisor, as described in the previous section.
Procedure
Step 1 Open vSphere Client, and connect to the ESXi hypervisor where you deployed the virtual machine.
Step 2 Select Home > Inventory > VMs and Templates.
Step 3 Select the virtual machine from the navigation tree.
Step 4 Select Inventory > Virtual Machine > Power > Power On.
Step 5 Click the Console tab, then click in the console pane to shift your focus to the virtual machine console.
Note: To shift your focus from the virtual machine console to your local host, press Ctrl-Alt.
Step 6 Log in with the default administrator username (sln) and the default administrator password (cisco). When prompted, change the default administrator password.
Agent Configuration Overview
Agent configuration through the setup script is similar to the controller setup script. It allows you to define basic network settings and generate a certificate for controller/agent communications.
Configuring an Agent with the Setup Script
Run the setup script to configure the hostname and interfaces, and to generate a public key certificate for the agent. The eth0 interface handles management traffic passed between the agent and controller, and requires a routable IP address. The agent passes anomalies to the controller for further analysis. The eth1 interface handles NetFlow and other traffic passed between the ISR and agent, and requires a private IP address. The agent examines this traffic for anomalies. The eth2 interface is for packet buffer capture, passing raw packet data from ISR to agent, and requires a private IP address. The agent passes PCAP archive files to the controller through the management interface when the user requests them from the controller.
Before You Begin
• Log into the agent's console.
Procedure
PurposeCommand or Action
Connect to the ESXi hypervisor where you deployedthe virtual machine.
Step 1
Select Home > Inventory > VMs and Templates.Step 2
Select the virtual machine from the navigation tree.Step 3
To shift your focus from the virtual machineconsole to your local host, press Ctrl-Alt.
NoteClick the Console tab, then click in the console paneto shift your focus to the virtual machine console.
Step 4
Log in with the administrator username (sln) andpassword (cisco). Update the administrator passwordwhen prompted.
Step 5
Change directories.cd ~/
Example:
Step 6
user@host:~$ cd ~/
Run the setup script.sudo ./setup-system at the command prompt to runthe setup script. Enter the administrator password ifprompted.
Step 7
Example:user@host:~$ sudo ./setup-system
Configure network interfaces.yStep 8
Configure the eth0 interface.1) eth0
Example:
Step 9
Enter a number: 1
Configure the interface's routable IPv4 address, along witha netmask and gateway.
ipv4, then routable-ipv4-address, thenipv4-netmask, then ipv4-gateway, then y to confirm
Step 10
Configure the agent VM hostname.hostname, then hostname, then y to confirmStep 11
If you want to add the virtual machine's list of DNS servers,run the dns command.
dns, then dns-servers, then y to confirmStep 12
If you want to configure the domain suffix search list, runthe search command.
search, then domain-suffixes, then y to confirmStep 13
37
PurposeCommand or Action
Step 14 View the interface's network settings, hostname, and DNS settings. If any of these are missing or incorrect, repeat that configuration: view
Step 15 Save your changes and continue with the setup script: exit
Step 16 Configure the eth1 interface. This interface is connected to the first UCS E-Series blade server interface: 2) eth1
Example:
Enter a number: 2
Step 17 Configure the interface's private IPv4 address, along with a netmask and gateway. Because traffic over this interface does not leave the router, you do not have to configure a gateway: ipv4, then private-ipv4-address, then ipv4-netmask, then optionally ipv4-gateway, then y to confirm
Step 18 Save your changes and continue with the setup script: exit
Step 19 If you want to use packet buffer capture, configure the eth2 interface. This interface is connected to the second UCS E-Series blade server interface: 3) eth2
Example:
Enter a number: 3
Step 20 Configure the interface's private IPv4 address, along with a netmask and gateway. Because traffic over this interface does not leave the router, you do not have to configure a gateway: ipv4, then private-ipv4-address, then ipv4-netmask, then optionally ipv4-gateway, then y to confirm
Step 21 Save your changes and continue with the setup script: exit
Step 22 Exit interface configuration: 4) Exit
Example:
Enter a number: 4
Step 23 Enable SSH login: y, if you want to enable SSH login
Example:
Do you want to enable SSH service now? (y or n)[n] y
Step 24 Configure a space-delimited list of NTP server addresses: y, then ntp-servers
Example:
Do you want to configure NTP servers now? (y or n)[n] y
Step 25 Generate an agent self-signed certificate, used for encrypting controller/agent communication: y (generate self-signed certificate)
Step 26 Optionally, specify the certificate subject distinguished name (DN): y (specify the distinguished name)
Step 27 Specify the subject distinguished name (DN) on the certificate: country-code, then state, then locality, then organization, then organizational-unit, then common-name, then email
What to Do Next
• Verify the NTP configuration settings, as described in the next section.
Disabling the Host Time Synchronization
After you run setup-system, configure the VM to disable host time synchronization. This ensures the VM synchronizes time with the configured NTP servers, instead of the ESXi host.
Before You Begin
• Log into the agent VM console.
Procedure
Step 1 Modify the .vmx virtual machine configuration file to disable time synchronization with the ESXi host: vmware-toolbox-cmd timesync disable
Example:
user@host:~$ vmware-toolbox-cmd timesync disable
Verifying NTP Configuration on the Agent
Before You Begin
• Log into the agent VM console.
Procedure
Step 1 Display configured NTP servers. If the system does not display configured NTP servers, repeat NTP configuration in Configuring an Agent with the Setup Script, on page 36: ntpq -n -p
Example:
user@host:~$ ntpq -n -p
Controller and Agent Communications Overview
Ensure that the controller can ping the agents and communicate. If you cannot ping the agents, check your network settings.
When you ran the agent and controller setup scripts, you also generated public key certificates. The Learning Network License system implements certificate pinning to identify public key certificates. If you enable TOFU, the agent trusts the first certificate it sees the first time it connects to the controller. It generates a certificate fingerprint, and on subsequent connections, compares the stored fingerprint to the passed certificate to verify the identity of the controller. If you do not enable TOFU, you can also generate a certificate fingerprint and upload that to the agent.
On the controller, you can also enable TOFU. On first connection, the controller adds the agent public key certificate to a trusted store. For future connections, when the agent connects to the controller, the controller compares the certificate to those stored in the trusted store. If the certificate matches a certificate in the store, the controller establishes the connection.
To configure the certificates, run the agent administrator script to:
• configure the agent to trust the controller certificate
• store an ISR login on the agent for communication between the ISR and agent
Then, restart the agent's processes.
After that, enable TOFU on the controller, and then restart the controller processes to ensure the controller recognizes and trusts these certificates.
Pinging Agents from the Controller
If you cannot ping the agents, check your network settings.
Before You Begin
• Log into the controller VM console.
Procedure
Step 1 Ping the agent IP address with 5 packets: ping dla-mgmt-ip-address -c 5
Example:
user@host:~$ ping 209.165.201.3 -c 5
Step 2 Repeat the previous step for all remaining agents.
What to Do Next
• Manage agent certificate trust settings, as described in the next section.
Agent Administrator Settings
The agent administrator script contains options to administrate and troubleshoot your agent, including public key certificate management, and log and debug file management options.
During initial agent installation, you must manage the certificate and trust model. The system uses certificate pinning and verifies a public key certificate against a previously generated certificate fingerprint. You can either enable TOFU, which Cisco recommends, or upload the controller certificate fingerprint.
No certificate fingerprint exists the first time the controller and agent establish a connection. If you enable TOFU, the first time the controller and agent establish a secure connection, the agent trusts the controller certificate, and generates a certificate fingerprint. On subsequent connections, the agent can verify the controller certificate against the pinned fingerprint.
Note
If you enable TOFU on your agent, either manage the agent with the controller soon after, or stop the agent processes until you are ready to continue.
You can also upload the controller certificate fingerprint to the agent before you establish a connection between the two. The agent, on first connection, uses the fingerprint to authorize the certificate.
After you enable TOFU or upload the controller certificate fingerprint, store an ISR login and password on the agent to enable communications between the ISR and agent. Finally, restart the agent processes so the changes can take effect.
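The pinning and trust-on-first-use behaviour described in this section and in the Controller and Agent Communications Overview, modelled on both the agent and controller sides as an added example (this is not code from the Learning Network License product; AgentPinStore, ControllerTrustStore and their methods are hypothetical names, and the certificate values are constructed byte strings standing in for DER-encoded certificates):

```python
"""Certificate pinning with trust on first use (TOFU), modelled on the
agent/controller handshake this guide describes. Added example, not code
from the Learning Network License product: AgentPinStore, ControllerTrustStore
and their methods are hypothetical names, and the *_CERT values below are
constructed byte strings standing in for DER-encoded X.509 certificates."""
import hashlib

# Constructed stand-ins for the certificates generated by setup-system.
CONTROLLER_CERT = b"constructed-controller-cert"
WRONG_CERT = b"constructed-some-other-cert"
AGENT_A_CERT = b"constructed-agent-a-cert"
AGENT_B_CERT = b"constructed-agent-b-cert"


def fingerprint(cert_der):
    """SHA-256 fingerprint of a certificate, hex encoded."""
    return hashlib.sha256(cert_der).hexdigest()


class AgentPinStore:
    """Agent side: pins the one controller certificate it should talk to."""

    def __init__(self, tofu, uploaded_fingerprint=None):
        self.tofu = tofu
        # Either TOFU is enabled, or the controller fingerprint was uploaded
        # to the agent before the first connection (the guide's alternative).
        self.pinned = uploaded_fingerprint

    def verify_controller(self, cert_der):
        """True if the presented controller certificate should be trusted."""
        fp = fingerprint(cert_der)
        if self.pinned is None:
            if not self.tofu:
                return False            # no pin and no TOFU: nothing to compare
            self.pinned = fp            # first use: trust it and pin it
            return True
        return fp == self.pinned        # later connections: must match the pin


class ControllerTrustStore:
    """Controller side: a trusted store holding every accepted agent
    certificate, mirroring the trustCertOnFirstUse setting in sca.conf."""

    def __init__(self, trust_cert_on_first_use):
        self.tofu = trust_cert_on_first_use
        self.trusted = set()

    def verify_agent(self, cert_der):
        """True if the connecting agent's certificate is (or becomes) trusted."""
        fp = fingerprint(cert_der)
        if fp in self.trusted:
            return True
        if self.tofu:
            self.trusted.add(fp)        # first connection from this agent
            return True
        return False


def first_seen_wins():
    """Why the Note says to manage the agent soon after enabling TOFU:
    whichever certificate the agent sees first is the one it pins, and the
    real controller is rejected afterwards. Returns (first_ok, real_ok)."""
    agent = AgentPinStore(tofu=True)
    first_ok = agent.verify_controller(WRONG_CERT)
    real_ok = agent.verify_controller(CONTROLLER_CERT)
    return first_ok, real_ok
```

Uploading the fingerprint ahead of time (the uploaded_fingerprint path) closes that window, which is why it is the alternative when you cannot pair the agent promptly.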
Enable Trust on First Use
Before You Begin
• Log into the agent VM console as sln.
Procedure
Step 1 Change directories: cd ~/DLA
Example:
user@host:~$ cd ~/DLA
Step 2 Run the administrator script: ./dla_admin
Example:
user@host:~/DLA$ ./dla_admin
Step 3 Enter the Certificate and trust management menu: 4) Certificate and trust management
Example:
Enter a number: 4
Step 4 Enter the Certificate Pinning menu: 1) Manage Certificate Pinning
Example:
Enter a number: 1
Step 5 Enable TOFU, to trust the controller certificate the first time it is detected: 1) Enable Trust SCA Certificate on First Use
Example:
Enter a number: 1
What to Do Next
• Store the host ISR's login information on the agent, as described in Storing ISR Authentication Information, on page 42.
Storing ISR Authentication Information
Provide the agent a login and password for the host ISR, to ensure proper communication between the agent and ISR.
Before You Begin
• Log into the agent VM console, run the agent administrator script, and return to the Top Level menu.
Procedure
Step 1 Access the Password Management menu options: 5) Password management
Example:
Enter a number: 5
Step 2 Update the stored host router login and password information: 1) Change router credentials
Example:
Enter a number: 1
Step 3 Update the stored host router login and password information: enter an ISR username and password, then confirm the password when prompted.
Example:
Network Element Username: <router-username>
Network Element Password: <router-username-password>
Re-enter Network Element Password: <router-username-password>
What to Do Next
• Restart the agent processes, as described in Restarting Agent Processes, on page 43.
Restarting Agent Processes
Before You Begin
• Log into the agent VM console, run the agent administrator script, and return to the Top Level menu.
Procedure
Step 1 Access the process management menu options: 3) DLA process management
Example:
Enter a number: 3
Step 2 Restart the agent processes: 4) Restart DLA processes, then y to confirm
Example:
Enter a number: 4
Proceed with DLA restart? [confirm] y
What to Do Next
• Update the controller configuration file, as described in Updating the Controller Configuration, on page 43.
Controller Certificate Management
Modify the controller configuration file to update certificate management settings. You can enable the controller to use self-signed agent certificates, and enable TOFU. After this, restart the controller processes.
Updating the Controller Configuration
The sca.conf configuration file contains several layers of nested brackets. When you update the file to add or update the dla node, make sure that you nest it within the sln bracket. See the following for an example.
sln {
  dla {
    security {
      allowSelfSignedCert = true
      trustCertOnFirstUse = true
      certRollover = true
    }
  }
}
You can also reference ~/SCA/sample_sca.conf for an example of syntax.
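An added checker for the nesting requirement above (example code, not Cisco's tooling): it parses the brace-and-key syntax shown in the sample into nested dictionaries and reports whether the three settings sit under sln { dla { security { ... } } }. It handles only the subset of syntax shown above, and SAMPLE_CONF and WRONG_NESTING are constructed file bodies.

```python
"""Check that dla security settings in a sca.conf file are nested under the
sln block, as the guide requires. Added example, not Cisco's tooling: it
parses only the 'name { ... }' and 'key = value' syntax shown in the guide
(plus '#' comments), and the sample texts below are constructed."""
import re

# The three settings the guide asks for, and the values they should carry.
REQUIRED = {
    "allowSelfSignedCert": "true",
    "trustCertOnFirstUse": "true",
    "certRollover": "true",
}

# Constructed: dla nested inside sln, as the guide shows.
SAMPLE_CONF = """
sln {
  dla {
    security {
      allowSelfSignedCert = true
      trustCertOnFirstUse = true
      certRollover = true
    }
  }
}
"""

# Constructed: the mistake the guide warns about, dla placed at top level.
WRONG_NESTING = "sln { }\ndla { security { allowSelfSignedCert = true } }\n"


def tokenize(text):
    """Drop '#' comments and split into braces, '=' and bare words."""
    return re.findall(r"[{}=]|[^\s{}=]+", re.sub(r"#.*", "", text))


def parse_conf(text):
    """Turn the brace syntax into nested dicts; ValueError if unbalanced."""
    root, toks, i = {}, tokenize(text), 0
    stack = [root]                      # innermost open block is stack[-1]
    while i < len(toks):
        tok = toks[i]
        if tok == "}":
            if len(stack) == 1:
                raise ValueError("unexpected '}'")
            stack.pop()
            i += 1
        elif i + 1 < len(toks) and toks[i + 1] == "{":
            stack.append(stack[-1].setdefault(tok, {}))   # open a block
            i += 2
        elif i + 2 < len(toks) and toks[i + 1] == "=":
            stack[-1][tok] = toks[i + 2]                  # key = value
            i += 3
        else:
            raise ValueError("cannot parse near %r" % tok)
    if len(stack) != 1:
        raise ValueError("%d unclosed block(s)" % (len(stack) - 1))
    return root


def check_dla_security(conf):
    """Return a list of problems; an empty list means the file is right."""
    security = conf.get("sln", {}).get("dla", {}).get("security")
    if security is None:
        problems = ["sln { dla { security { ... } } } not found"]
        if "dla" in conf:
            problems.append("dla block is at top level, not inside sln")
        return problems
    return ["%s should be %s, found %r" % (k, v, security.get(k))
            for k, v in REQUIRED.items() if security.get(k) != v]
```

Run check_dla_security(parse_conf(open("sca.conf").read())) on the controller after editing; an empty list means the edit landed where the guide expects it.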
Before You Begin
• Log into the controller VM console.
Procedure
Step 1 Change to the /SCA directory: cd ~/SCA
Example:
user@host:~$ cd ~/SCA
Step 2 Edit the sca.conf configuration file: sudo vi sca.conf, then input your password when prompted
Example:
user@host:~/SCA$ sudo vi sca.conf
Step 3 Update the configuration file to include or modify the configuration: allowSelfSignedCert = true, trustCertOnFirstUse = true, and certRollover = true.
Step 4 Save your changes and exit the editor: press Esc, then enter :wq! and press Enter.
What to Do Next
• Restart the controller's processes, as described in the next section.
Restarting Controller Processes
Before You Begin
• Log into the controller VM console.
Procedure
Step 1 Change to the /SCA directory: cd ~/SCA
Example:
user@host:~$ cd ~/SCA
Step 2 Restart the controller processes: sudo service ciscosln-sca restart
Example:
user@host:~/SCA$ sudo service ciscosln-sca restart
What to Do Next
• Manage your agents with the controller, as described in the next section.
Smart Licensing Overview
To deploy the Learning Network License, you must register your controller with Cisco Smart Licensing. If you do not, your deployment enters Evaluation Mode, a 90-day trial which limits you to a maximum of 10 managed agents, and disables new functionality when the 90 days expire.
Cisco Smart Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, Smart Licenses are not tied to a specific serial number or license key. Smart Licensing lets you assess your license usage and needs at a glance.
In addition, Smart Licensing does not prevent you from deploying agents. You can deploy an agent and purchase the license later. This allows you to deploy and use an agent, and avoid delays due to purchase order approval.
Logging into the Controller Web UI
When you installed the controller, you defined an IP address for the controller web UI, and reset the administrator user account (admin) password. Log in with the temporary password printed to the controller VM console. After you log in once, you must change the password and confirm the new password.
Procedure
In your web browser, navigate to https://controller-web-ip-address, then enter your controller web username and password when prompted.
Registering the Controller Instance
Before You Begin
• Obtain a registration token from the Smart Software Manager (http://www.cisco.com/web/ordering/smart-software-manager/index.html).
• Log into the controller web UI.
Procedure
Step 1 Select Dashboard.
Step 2 Click Smart Licensing.
Step 3 Click Register.
Step 4 Paste your registration token into the Smart Software Licensing Product Registration field.
Step 5 If you want to use a registration token and the current token is still valid, check Reregister this product instance if it is already registered.
Step 6 Click Register.
Restarting the Controller Processes
Procedure
Step 1 Change to the /SCA directory: cd ~/SCA
Example:
user@host:~$ cd ~/SCA
Step 2 Restart the controller processes: sudo service ciscosln-sca restart
Example:
user@host:~/SCA$ sudo service ciscosln-sca restart
Controller Management of Agents
After you trust public key certificates on both the agent and controller, manage your agents with your controller. You can log into the controller web UI to add each agent.
Interface Configuration
When you configure a Network Element's interface, select a traffic direction, whether you want to enable mitigations on the interface, and whether you want to enable packet buffer capture (PBC) or deep packet inspection (DPI).
Note
Subinterface configuration of PBC/DPI is not supported on 4000 Series ISRs.
Interface Traffic Direction
The Direction you select for an interface determines how the agent tracks traffic origin from within or outside the branch, populates clusters, and models traffic to identify anomalies. Label each interface based on the following guidelines:
• An Internal interface faces the branch and branch hosts. The system applies Learning Network License-related NetFlow on this interface.
• An External interface faces the core. This interface passes traffic outside the branch, including other branches, headquarters, or the Internet.
• An Unconfigured interface does not qualify as either Internal or External. It is unused, or there is a reason you do not want to monitor the traffic over this interface.
An agent monitors traffic, and creates clusters of hosts with similar characteristics. The agent clusters external hosts, those residing on External interfaces, separately from internal hosts, those residing on Internal interfaces. Traffic between clusters is monitored for anomaly detection.
The agent monitors traffic to or from branch hosts. All traffic to or from an Internal interface, which represents the branch host traffic, is modeled for anomaly detection purposes. Traffic that does not involve an Internal interface is not modeled. See the following table for more information.
Table 12: Interface Direction and Modeled Traffic
                                            ...to an Internal interface...   ...to an External interface...   ...to an Unconfigured interface...
Traffic from an Internal interface...       is modeled                       is modeled                       is modeled
Traffic from an External interface...       is modeled                       is not modeled                   is not modeled
Traffic from an Unconfigured interface...   is modeled                       is not modeled                   is not modeled
In this table, "is modeled" means the traffic is modeled and inspected for anomalous traffic; "is not modeled" means it is not modeled and inspected for anomalous traffic.
Enable Mitigation
You can enable mitigation on Ethernet interfaces and most tunnel interfaces. The system does not support enabling mitigation on tunnel interfaces with multipoint GRE (mGRE) enabled.
Cisco recommends you enable mitigation on all enabled and supported interfaces, regardless of traffic direction. This provides maximum protection if the agent detects an anomaly, and you want to install a QoS policy on the Network Element to prevent the anomaly from being forwarded. If you configure a mitigation tailored to this anomalous traffic, the system installs the corresponding QoS policy on all Network Element interfaces on which you enabled mitigation.
Note
By default, the system checks the Enable Mitigation checkbox for all Ethernet and non-mGRE tunnel interfaces.
If your router interface has subinterfaces, and already has a quality of service (QoS) policy installed at the parent interface level, you can only enable mitigation policies at the parent level for that interface family. Similarly, if the subinterfaces have a QoS policy installed, you can only enable mitigation policies at the subinterface level for that interface family. If you enable a mitigation on a subinterface, the system automatically enables the mitigation on all sibling subinterfaces.
If the interface family does not have a QoS policy installed, you can install a mitigation at the parent interface or subinterface level. Once you configure a mitigation for a parent interface or a subinterface, however, you can only subsequently create mitigations at that level for the interface family.
Enable PBC/DPI
You can enable PBC or DPI on any interface with the word Ethernet in its name, with the following exceptions:
• You can only enable PBC or DPI on a G2 ISR interface if you did not configure it to export IP traffic (ip traffic-export). If you configured IP traffic export on the interface, remove the configuration from the interface before enabling PBC and DPI.
• You can only enable PBC or DPI on a 4000 Series ISR parent interface.
This allows you to capture and download PCAP files, or capture DNS query information from traffic.
Note
On a G2 ISR, if you enable PBC or DPI on a parent interface, the system also enables it for all sub-interfaces. Similarly, if you enable PBC or DPI on a G2 ISR sub-interface, the system also enables it for the parent interface and all sibling subinterfaces.
Adding an Agent to the Controller
Before You Begin
• See Interface Configuration, on page 46 for information on configuring your agents.
Procedure
Step 1 Select AGENTS.
Step 2 Click Add an Agent.
Step 3 Enter the agent eth0 IP address in the Agent IP or hostname field, and an optional Description.
Step 4 Click Submit.
Step 5 Enter the ucs.../0 interface IPv4 address in the Network Element IP field. This IP address must be reachable by the controller.
Step 6 Click Submit.
Step 7 For an interface, choose from the Direction drop-down:
• Internal if the interface faces the branch (generally, if NetFlow is configured on the interface)
• External if the interface faces the core (generally, if the interface is passing traffic)
• Unconfigured if your interface is unused, or the interface faces neither the branch nor the core
Step 8 Check the Enable mitigation checkbox to apply mitigation actions to this interface.
Step 9 If you want to capture raw packet data and send it from the network element to the agent, take the following steps:
• Check Enable PBC/DPI on one or more interfaces to enable raw packet capture.
• Select a network element interface from the Raw Packet Tx Interface (on NE) drop-down on which the network element passes raw packets to the agent.
• Select an agent interface from the Raw Packet Rx Interface (on Agent) drop-down on which the agent receives raw packets from the network element.
Step 10 If you want to enable the packet buffer capture (PBC) feature, check Enable PBC. You must enable capturing raw packet data.
Step 11 If you want to capture DNS query information, check Enable DPI/DPS. You must enable capturing raw packet data.
Step 12 Click Submit.
What to Do Next
• Allow the system time to perform the initial learning phase, as described in Initial Learning Phase Overview, on page 48.
Initial Learning Phase Overview
After you manage your agents with the controller, allow the system to run for seven days, inspect your network traffic, and build a baseline traffic model.
The Learning Network License system identifies anomalies by comparing detected traffic to the baseline model, and noting deviations. After system deployment, each agent inspects traffic traversing the router. During this initial learning phase, the agent builds a baseline traffic model. The model includes dynamically-generated clusters of hosts, and what types of application traffic are transmitted between clusters at what times of day.
If you log into the controller web UI while the system is learning about your network, you may see very few or no reported anomalies, as the system cannot compare against a baseline yet. Towards the end of the initial learning phase, the system may start reporting anomalies, but without a complete baseline, these anomalies may not be relevant. After the initial learning phase, when each agent completes its baseline model, the system can properly identify anomalous traffic that deviates from the baseline.
For more information, see the Cisco Stealthwatch Learning Network License Configuration Guide.
Next Steps
After you deploy the Learning Network License system, you can perform the following:
• Configure audit and event logging. See the Cisco Stealthwatch Learning Network License UCS E-Series Blade Server Installation Guide for more information.
• Integrate with an Identity Services Engine (ISE) server by configuring pxGrid integration. See the Cisco Stealthwatch Learning Network License UCS E-Series Blade Server Installation Guide for more information.
• Log into the controller web UI to configure user display settings, view anomalies and assign relevance feedback, configure mitigations for an anomaly, and configure external system integration. See the Cisco Stealthwatch Learning Network License Configuration Guide for more information.
For Assistance
Thank you for using Cisco products.
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information about the Firepower System, see What’s New in Cisco Product Documentation at http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.
If you have any questions or require assistance with the Cisco Stealthwatch Learning Network License system, please contact CiscoSupport:
• Visit the Cisco Support site at http://support.cisco.com.
• Email Cisco Support at [email protected].
• Call Cisco Support at 1.408.526.7209 or 1.800.553.2447.
Americas Headquarters: Cisco Systems, Inc., San Jose, CA 95134-1706, USA
Asia Pacific Headquarters: Cisco Systems (USA) Pte. Ltd., Singapore
Europe Headquarters: Cisco Systems International BV, Amsterdam, The Netherlands
Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on theCisco Website at www.cisco.com/go/offices.