https://community.cisco.com/t5/security-analytics/stealthwatch-architecture-question/m-p/3820407#M154 <P>I am looking at architecture options for Stealthwatch 7.0</P> <P>&nbsp;</P> <P>We are looking a deploying virtual SMC and flow collectors.</P> <P>&nbsp;</P> <P>If we have multiple data centers - is it supported to have a "primary" SMC and Flow Collector one data center - and a "secondary" SMC and Flow Collector at a backup data center?</P> <P>&nbsp;</P> <P>If so - do I need a UDP director to send flow records to both flow collectors?&nbsp;</P> <P>&nbsp;</P> <P>Thanks in advance for the help.</P> <P>&nbsp;</P> <P>Bob</P> <P>&nbsp;</P> <P>I</P> Fri, 15 Mar 2019 20:12:13 GMT reheindel 2019-03-15T20:12:13Z https://community.cisco.com/t5/security-analytics/stealthwatch-architecture-question/m-p/3820407#M154 <P>I am looking at architecture options for Stealthwatch 7.0</P> <P>&nbsp;</P> <P>We are looking a deploying virtual SMC and flow collectors.</P> <P>&nbsp;</P> <P>If we have multiple data centers - is it supported to have a "primary" SMC and Flow Collector one data center - and a "secondary" SMC and Flow Collector at a backup data center?</P> <P>&nbsp;</P> <P>If so - do I need a UDP director to send flow records to both flow collectors?&nbsp;</P> <P>&nbsp;</P> <P>Thanks in advance for the help.</P> <P>&nbsp;</P> <P>Bob</P> <P>&nbsp;</P> <P>I</P> Fri, 15 Mar 2019 20:12:13 GMT https://community.cisco.com/t5/security-analytics/stealthwatch-architecture-question/m-p/3820407#M154 reheindel 2019-03-15T20:12:13Z https://community.cisco.com/t5/security-analytics/stealthwatch-architecture-question/m-p/3823917#M155 <P>Bob,</P> <P>&nbsp;</P> <P>Yes.&nbsp; I suggest that any telemetry you send to the primary Flow Collector you use UDP Director to duplicate that at the secondary Flow Collector.&nbsp; UDP Director is the best way to do that rather than exporting flow to each Flow collector from each exporter.</P> <P>&nbsp;</P> <P>I would assume the back up data center has it's own Internet connection.&nbsp; Send those network translation (NAT) logs to the secondary; not the primary.</P> <P>&nbsp;</P> <P>If you enable Cognitive Intelligence make sure that you only send from the primary flow collector.&nbsp; You can add the second flow collector to your account but only enable that when the primary in down.</P> <P>&nbsp;</P> <P>You should be able to login to the Stealthwatch SMC at the backup facility and see just the traffic from the at site.</P> <P>&nbsp;</P> <P>The SMC at the backup site will not be secondary.&nbsp; Primary - secondary is used when you have 2 SMCs working with the same Flow Collector.&nbsp; The primary will be admin for that deployment (where admin can make config changes) and the secondary will be useful for any other (than admin) user.&nbsp; It allows the Stealthwatch UI to scale up.</P> <P>&nbsp;</P> <P>Hope this helps!</P> <P>&nbsp;</P> <P>Brian</P> Thu, 21 Mar 2019 18:18:23 GMT https://community.cisco.com/t5/security-analytics/stealthwatch-architecture-question/m-p/3823917#M155 brford 2019-03-21T18:18:23Z https://community.cisco.com/t5/security-analytics/stealthwatch-architecture-question/m-p/3828493#M156 <P>Excellent, thanks very much for the detailed response Brian!</P><P>&nbsp;</P><P>Regards,</P><P>Bob</P> Thu, 28 Mar 2019 20:30:52 GMT https://community.cisco.com/t5/security-analytics/stealthwatch-architecture-question/m-p/3828493#M156 reheindel 2019-03-28T20:30:52Z