Cisco Stealthwatch

felipefom
Level 1

Hello gentlemen,

Sirs, I am configuring a Stealthwatch Enterprise. I installed the Flow Collector and the SMC, and I have confirmed the NetFlow traffic between one of the switches and the appliances; however, I still have a doubt about the NetFlow configuration.

Should I configure it on all the ports of all the equipment, or is there no need?

Best Regards

6 Replies

Hi Rob,

Hope you're doing well, my friend.

I appreciate your answer. I actually used both documents to configure NetFlow, and it is working; I can see the flows in the SMC dashboard. My doubt revolves around the need to configure the input command on all the interfaces: is it necessary?

Best Regards

Ok. Normally you'd enable this on an uplink interface, so no, it's not usually necessary to configure it on each port.

Hi

For netflow configuration use the template builder at https://configurenetflow.info/

In terms of where to enable NetFlow there's really no best practice, but a lot of considerations.

Stealthwatch is licensed based on Flows Per Second (FPS). Let's say you enable NetFlow on switchports facing your servers in the datacenter. This way you get flow data from device to device within the datacenter and from clients in your campus environment communicating with servers. What you don't get is client-to-client traffic internally in your campus network, and if you enable NetFlow on switchports in your campus environment as well, you will essentially have doubled the cost of licensing, because traffic going to the datacenter will be picked up twice on its way from source to destination. While the Flow Collector is able to handle these duplicate flows, it's still at the cost of FPS.

In an ideal world we would enable NetFlow on every port from source to destination, but that would probably cost a fortune. I usually tend to enable NetFlow on ports in the datacenter and then enable it on SVIs within the campus environment. Yes, this doubles the amount of licenses, and we don't get flow data from devices communicating within the same VLAN. This is a compromise customers are typically willing to take based on cost/benefit.

Best Regards
Nicolai Borchorst
CCIE Security #65775

Hello Nicolai,

I understand, sir, thanks for that; the link you mentioned above is really helpful.

May I use your knowledge to ask two more questions?

How can I predict or calculate the quantity of flows that are going to be consumed before implementation?

Is the only possible way to view flow consumption through the Smart Account?

Best Regards

There really is no way to determine the necessary amount of Flow Rate Licenses other than doing a PoV and using the average FPS consumed during the period as a guideline. Seeing as you would more or less have to enable NetFlow at the exact same points as you would in a production installation, it's really not a PoV anymore, is it?

Cisco has a tool to calculate the FPS based on various questions about your environment: http://cs.co/StealthwatchFPSEstimator

I personally don't use it, and I have heard Cisco folks say not to use it as well.

I believe Cisco uses the rule of thumb of 3 to 3.5 FPS per active device, but it obviously depends on where you enable NetFlow and how many times the same flow is picked up.

The installation I'm doing at the moment was sized for 7500 FPS by Cisco themselves; this is for roughly 2200 endpoints.

Unfortunately, the cost of Stealthwatch is almost impossible to determine exactly without doing a full-scope PoV. I personally haven't seen anyone purchase this product unless it was part of an Enterprise Agreement, which allows for 20% over-consumption without financial punishment.

Best Regards
Nicolai Borchorst
CCIE Security #65775
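As an added example (not code from the thread, from Cisco or from any of the posters), the following Python model puts numbers on the two points Nicolai makes above: enabling NetFlow at both the datacenter server ports and the campus SVIs counts every client-to-server flow twice against the FPS license while still leaving same-VLAN client-to-client traffic unseen, and the 3 to 3.5 FPS per active device rule of thumb gives a sizing range (2200 endpoints lands in the bracket that contains the 7500 FPS figure). The zone names, export-point types and flow rates are constructed assumptions, and the model simplifies by letting each export-point type count a flow at most once.

```python
"""Toy model of NetFlow export placement versus Stealthwatch FPS licensing.

Added example, not part of the thread: a flow is exported once by every
NetFlow-enabled point it crosses, and Stealthwatch licenses on Flows Per
Second, so a flow picked up at two points costs twice the FPS even though the
Flow Collector de-duplicates it. Zones, export points and flow rates below are
constructed for illustration, not taken from any real deployment.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str  # "dc" or a campus VLAN such as "vlan10" (constructed names)
    dst_zone: str
    fps: int       # constructed flow rate for this traffic class


def is_campus(zone: str) -> bool:
    return zone.startswith("vlan")


def observed_by(flow: Flow, point: str) -> bool:
    """Does an export point of this type see the flow? Each point type counts
    a flow at most once in this simplified model."""
    src_campus, dst_campus = is_campus(flow.src_zone), is_campus(flow.dst_zone)
    if point == "dc_ports":      # access ports facing datacenter servers
        return flow.src_zone == "dc" or flow.dst_zone == "dc"
    if point == "campus_svi":    # campus SVIs: only routed traffic crosses them
        return (src_campus or dst_campus) and flow.src_zone != flow.dst_zone
    if point == "campus_ports":  # every campus access port
        return src_campus or dst_campus
    raise ValueError(f"unknown export point type: {point}")


def licensed_fps(flows, points) -> int:
    """FPS charged against the license: each flow's rate times the number of
    enabled point types that export it (duplicates still consume FPS)."""
    return sum(f.fps * sum(observed_by(f, p) for p in points) for f in flows)


def visible_classes(flows, points) -> set:
    """Traffic classes (src_zone, dst_zone) seen at least once."""
    return {(f.src_zone, f.dst_zone)
            for f in flows if any(observed_by(f, p) for p in points)}


def rule_of_thumb_fps(active_devices: int, low=3.0, high=3.5) -> tuple:
    """Sizing range from the 3 to 3.5 FPS per active device rule of thumb."""
    return (active_devices * low, active_devices * high)


# Constructed traffic mix (flows per second per class).
FLOWS = (
    Flow("vlan10", "dc", 400),      # campus clients to datacenter servers
    Flow("vlan20", "dc", 300),
    Flow("vlan10", "vlan10", 150),  # client to client, same VLAN (switched)
    Flow("vlan10", "vlan20", 100),  # client to client, routed via SVI
    Flow("dc", "dc", 200),          # server to server inside the datacenter
)

SCENARIOS = {
    "datacenter ports only": {"dc_ports"},
    "datacenter ports + campus SVIs": {"dc_ports", "campus_svi"},
    "datacenter ports + every campus port": {"dc_ports", "campus_ports"},
}

if __name__ == "__main__":
    all_classes = {(f.src_zone, f.dst_zone) for f in FLOWS}
    for name, points in SCENARIOS.items():
        seen = visible_classes(FLOWS, points)
        print(f"{name}: {licensed_fps(FLOWS, points)} licensed FPS, "
              f"blind to {sorted(all_classes - seen)}")
    low, high = rule_of_thumb_fps(2200)
    print(f"rule of thumb for 2200 devices: {low:.0f} to {high:.0f} FPS")
```

With the constructed mix, datacenter ports alone license 900 FPS but miss both client-to-client classes; adding campus SVIs raises that to 1700 FPS (the client-to-server classes are charged twice) and still misses the same-VLAN class; enabling every campus port reaches 1850 FPS with nothing unseen. Swapping in your own zones and rates is the quickest way to see which compromise a given environment can afford before a PoV.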