
Stealthwatch need VMware licensing and which one?

dan hale
Level 3

Hi we are looking at purchasing StealthWatch for VMware and to get started I need some clarification on what part numbers and how many per part. 

 

Cisco Stealthwatch Enterprise Data Sheet

https://www.cisco.com/c/en/us/products/collateral/security/stealthwatch/datasheet-c78-739398.html

 

For just the VMware appliance do I only need the following part numbers:

 

Cisco Stealthwatch Flow Collector Virtual Edition
L-ST-FC-VE-K9

Cisco Stealthwatch Management Console Virtual Edition
L-ST-SMC-VE-K9

Cisco Stealthwatch Flow Sensor, Virtual Edition
L-ST-FS-VE-K9

 

Would I just need one of each of the above? Can I just get away with 1 flow connector and 1 Management console?

 

Thanks,

Dan

Accepted Solutions

Dan,

 

Start with just one Management Console (SMC) and one Flow Collector (FC).

 

Configure NetFlow v9 on all of your routers to export to the IP of the Flow Collector.

 

 

This will give you visibility into traffic moving across your WAN.

 

If you have an Internet connection to an Internet Service Provider at one of these sites you will probably want to understand flows to and from the Internet. You can do that three different ways. #1 - Some Firewalls can export their NAT translations via Syslog to the Flow Collector. Stealthwatch can process those logs from Cisco and Palo Alto Firewalls. #2 - If you have a proxy server (Squid, Blue Coat, Cisco, or McAfee) you can also send those proxy logs to the Flow Collector. #3 - You can install a Flow Sensor with interfaces on either side of the Firewall and export IPFIX from the FS to the Flow Collector.

 

I would start with this.  

 

The layer 2 switches sound like access devices attached to the router (collapsed bypassing the need for an aggregation layer).  If you have aggregation L3 switches at any site you can also export NetFlow from those.

 

Hope this helps.

 

Brian

 

 

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.
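
The NetFlow v9 export recommended in the accepted answer, sketched as a Flexible NetFlow configuration for an IOS / IOS XE router. This is an added example, not part of the original post or Cisco's own documentation; the collector address 192.0.2.10, UDP port 2055, the interface names and the SW-* object names are assumptions to replace with your own values.

```cisco-ios
! Exporter: where flow records are sent (the Flow Collector).
! 192.0.2.10 and UDP 2055 are assumed values; use the IP and
! listening port configured on your own Flow Collector.
flow exporter SW-FC-EXPORT
 description Export to Stealthwatch Flow Collector
 destination 192.0.2.10
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
 ! Resend templates regularly so the collector can decode records
 ! after a restart without waiting for the default interval.
 template data timeout 60
!
! Monitor: which fields are recorded and how long flows stay cached.
flow monitor SW-MONITOR
 record netflow ipv4 original-input
 exporter SW-FC-EXPORT
 ! Short active timeout so long-lived flows are reported every
 ! minute instead of only when they end.
 cache timeout active 60
 cache timeout inactive 15
!
! Apply the monitor on ingress of every routed interface that
! carries WAN or Internet-facing traffic (interface names assumed).
interface GigabitEthernet0/0/0
 description WAN uplink
 ip flow monitor SW-MONITOR input
!
interface GigabitEthernet0/0/1
 description Campus LAN side
 ip flow monitor SW-MONITOR input
```

`show flow exporter SW-FC-EXPORT statistics` on the router shows whether export packets are actually leaving toward the collector.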

3 Replies

balaji.bandi
Hall of Fame

Depends on what you are looking to deploy in the network.

I suggest having all 3 for a better, robust solution.

 

Optional Components of the System

Flow Sensor

 

More features can be found here.

https://www.cisco.com/c/en/us/products/collateral/security/stealthwatch/datasheet-c78-739398.html

BB


Thank you Balaji...we have a 5 site WAN with up to 10,000 wireless clients and about 3,000 wired clients. At each of the 5 campuses we have about 8 IDFs with about 4 Cisco Layer 2 network switches in each closet.

 

I see that the SMC will from up to 25 Flow Collectors. Do we have to purchase 25 flow collectors or do we purchase one Part number: L-ST-FC-VE-K9 and that can be configured for say the FCVE-1000?

 

"The Stealthwatch Management Console aggregates, organizes, and presents analysis from up to 25 Flow Collectors, the Cisco Identity Services Engine, and other sources"

 

Thanks,

Dan

 
