11-20-2018 12:36 AM
Hi, we are looking at purchasing Stealthwatch for VMware, and to get started I need some clarification on what part numbers and how many per part.
Cisco Stealthwatch Enterprise Data Sheet
https://www.cisco.com/c/en/us/products/collateral/security/stealthwatch/datasheet-c78-739398.html
For just the VMware appliance do I only need the following part numbers:
Cisco Stealthwatch Flow Collector Virtual Edition
L-ST-FC-VE-K9
Cisco Stealthwatch Management Console Virtual Edition
L-ST-SMC-VE-K9
Cisco Stealthwatch Flow Sensor, Virtual Edition
L-ST-FS-VE-K9
Would I just need one of each of the above? Can I just get away with 1 flow connector and 1 Management console?
Thanks,
Dan
11-20-2018 04:18 AM
Depends on what you are looking to deploy in the network.
I suggest having all 3 for a more robust solution.
Optional Components of the System
Flow Sensor
More features can be found here.
https://www.cisco.com/c/en/us/products/collateral/security/stealthwatch/datasheet-c78-739398.html
11-20-2018 05:07 PM
Thank you Balaji... we have a 5 site WAN with up to 10,000 wireless clients and about 3,000 wired clients. At each of the 5 campuses we have about 8 IDFs with about 4 Cisco Layer 2 network switches in each closet.
I see that the SMC will from up to 25 Flow Collectors. Do we have to purchase 25 flow collectors, or do we purchase one part number, L-ST-FC-VE-K9, and that can be configured for, say, the FCVE-1000?
"The Stealthwatch Management Console aggregates, organizes, and presents analysis from up to 25 Flow Collectors, the Cisco Identity Services Engine, and other sources"
Thanks,
Dan
11-25-2018 06:54 AM
Dan,
Start with just one Management Console (SMC) and one Flow Collector (FC).
Configure NetFlow v9 on all of your routers to export to the IP of the Flow Collector.
This will give you visibility into traffic moving across your WAN.
If you have an Internet connection to an Internet Service Provider at one of these sites you will probably want to understand flows to and from the Internet. You can do that three different ways. #1 - Some Firewalls can export their NAT translations via Syslog to the Flow Collector. Stealthwatch can process those logs from Cisco and Palo Alto Firewalls. #2 - If you have a proxy server (Squid, Blue Coat, Cisco, or McAfee) you can also send those proxy logs to the Flow Collector. #3 - You can install a Flow Sensor with interfaces on either side of the Firewall and export IPFIX from the FS to the Flow Collector.
I would start with this.
The layer 2 switches sound like access devices attached to the router (collapsed, bypassing the need for an aggregation layer). If you have aggregation L3 switches at any site you can also export NetFlow from those.
Hope this helps.
Brian
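An added example, not part of Brian's reply and not Cisco code: a small Python decoder for NetFlow v9 (RFC 3954) that can be run over captured export datagrams to confirm a router is really sending v9 and that its templates have arrived before you rely on the Flow Collector's view. The function names, the field subset and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Subset of RFC 3954 field types; others are reported as field_<n>.
FIELDS = {1: "in_bytes", 4: "protocol", 7: "src_port", 8: "src_ip", 11: "dst_port", 12: "dst_ip"}

def parse_v9(datagram, templates):
    """Return (flows, data flowsets with no usable template) for one datagram.
    `templates` must persist between calls; exporters resend templates only periodically."""
    if len(datagram) < 20 or datagram[:2] != b"\x00\x09":
        raise ValueError("not a NetFlow v9 export datagram")
    source_id = struct.unpack_from("!I", datagram, 16)[0]
    flows, missing, off = [], 0, 20
    while off + 4 <= len(datagram):
        fs_id, fs_len = struct.unpack_from("!HH", datagram, off)
        if fs_len < 4 or off + fs_len > len(datagram):
            raise ValueError("flowset length runs past the datagram")
        body, off = datagram[off + 4:off + fs_len], off + fs_len
        if fs_id == 0:  # template flowset: template id, field count, (type, length) pairs
            pos = 0
            while pos + 4 <= len(body):
                tid, n = struct.unpack_from("!HH", body, pos)
                end = pos + 4 + 4 * n
                if tid < 256 or n == 0 or end > len(body):
                    break  # padding or a malformed template
                templates[(source_id, tid)] = [
                    struct.unpack_from("!HH", body, p) for p in range(pos + 4, end, 4)]
                pos = end
        elif fs_id >= 256:  # data flowset, laid out by the template with the same id
            spec = templates.get((source_id, fs_id))
            size = sum(length for _, length in spec or [])
            if not size:
                missing += 1  # template not seen yet: these flows cannot be decoded
                continue
            for pos in range(0, len(body) - size + 1, size):  # trailing padding is ignored
                rec = {}
                for ftype, length in spec:
                    raw, pos = body[pos:pos + length], pos + length
                    is_ip = ftype in (8, 12) and length == 4
                    name = FIELDS.get(ftype, f"field_{ftype}")
                    rec[name] = str(ipaddress.ip_address(raw)) if is_ip else int.from_bytes(raw, "big")
                flows.append(rec)
    return flows, missing

def sample_datagrams():  # constructed sample, source_id 1: (template datagram, data datagram)
    tmpl = struct.pack("!HH12H", 256, 6, 8, 4, 12, 4, 7, 2, 11, 2, 4, 1, 1, 4)  # template id 256
    rec = bytes([10, 1, 20, 15, 192, 0, 2, 80]) + struct.pack("!HHBI", 51514, 443, 6, 1420) + bytes(3)
    wrap = lambda fs_id, body: struct.pack("!HHIIIIHH", 9, 1, 0, 0, 0, 1, fs_id, 4 + len(body)) + body
    return wrap(0, tmpl), wrap(256, rec)
```

A non-zero second return value right after enabling export usually just means the router has not yet resent its template, not that export is broken.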