Stealthwatch Cloud PNM sizing and deployment

Madura Malwatte
Level 4

Hi All,

I have some questions about Stealthwatch Cloud Private Network Monitoring deployment and sizing.

  1. For the on-premise PNM deployment, how many cloud sensor virtual appliances do I actually need for my network? How do I determine the number required?
  2. Is there a sizing and scaling document for PNM cloud sensor virtual appliance?
  3. What if the virtual appliance fails? I assume I would need to use separate UDP directors for HA, then have at least 2 cloud sensor virtual appliances? Does this mean I am doubling the flow data sent from the identical replicated flows received by the cloud sensors to the SW cloud?
  4. The cloud sensor performance whitepaper indicates capability for a VM with 4vCPU/32GB mem/32GB disk to do 523,000 FPS, is this correct? For SW enterprise the Flow Collector VE with similar specs can do 22,500 FPS only?
  5. How many exporters does the cloud sensor virtual appliance support?
  6. Can a UDP director be used with the Stealthwatch Cloud PNM deployment?
  7. Is there an ordering guide for Stealthwatch cloud? For example, I couldn't find any info about the ST-CL-PNM license. Does this mean with this license an endpoint with AnyConnect NVM can be used to send flow data directly to the SW Cloud when off-network? What about when the endpoint is on-network, wouldn't we be doubling the data sent (both by endpoint and switch/router configured as netflow exporter to PNM virtual appliance)? Or does this license tell us how many IP addresses will be licensed for support by SW cloud?

Madura Malwatte
Level 4

bump

aligarci
Cisco Employee

Hello Madura Malwatte,

Regarding your questions:

1. For the on-premise PNM deployment, how many cloud sensor virtual appliances do I actually need for my network? How do I determine the number required?

It should be only one, unless there are subnets that don't communicate with each other, in which case you need one sensor in each isolated subnet. Also, you need to actually determine the number of sensors based on the amount of traffic in your network. The amount of flow records per second and packet rate that a sensor can take is:
https://www.cisco.com/c/dam/en/us/products/collateral/security/stealthwatch-cloud/sw-cloud-sensor-performance-wp.pdf
Please note that you can ingest on one sensor (now called Secure Network Analytics SaaS Adapter) both types of telemetry (flow data and raw packets through port mirroring). It's required to have at least one network interface for control and flow data, and one or more additional interfaces for mirroring raw packets.


2. Is there a sizing and scaling document for PNM cloud sensor virtual appliance?
https://www.cisco.com/c/dam/en/us/products/collateral/security/stealthwatch-cloud/sw-cloud-sensor-performance-wp.pdf


3. What if the virtual appliance fails? I assume I would need to use separate UDP directors for HA, then have at least 2 cloud sensor virtual appliances? Does this mean I am doubling the flow data sent from the identical replicated flows received by the cloud sensors to the SW cloud?

Unless you need the UDP director for other use cases, if you just need to send data to Secure Cloud Analytics, you can skip having a UDP director in your network and just install a Secure Network Analytics SaaS Adapter.

If you are having duplicated Secure Network Analytics SaaS Adapters, the flow will be sent twice to Secure Cloud Analytics portal. It is not possible to drop duplicated flows, so you will see them doubled in the portal. If the "same" flow is represented multiple times to a single Secure Network Analytics SaaS Adapter (like for example having duplicate UDP directors, sending flow to the same Secure Network Analytics SaaS Adapter), then there's a deduplication/uniqueness step.

If the Secure Network Analytics SaaS Adapter or UDP director fails, you can replace it or fix it. We don't recommend having a hot standby, but if this is a requirement in your deployment, of course you can have two.

4. The cloud sensor performance whitepaper indicates capability for a VM with 4vCPU/32GB mem/32GB disk to do 523,000 FPS, is this correct? For SW enterprise the Flow Collector VE with similar specs can do 22,500 FPS only?

That's correct

5. How many exporters does the cloud sensor virtual appliance support?

There's no limit

6. Can a UDP director be used with the Stealthwatch Cloud PNM deployment?

Yes

7. Is there an ordering guide for Stealthwatch cloud? For example, I couldn't find any info about the ST-CL-PNM license. Does this mean with this license an endpoint with AnyConnect NVM can be used to send flow data directly to the SW Cloud when off-network? What about when the endpoint is on-network, wouldn't we be doubling the data sent (both by endpoint and switch/router configured as netflow exporter to PNM virtual appliance)? Or does this license tell us how many IP addresses will be licensed for support by SW cloud?

We cannot send NVM data from AnyConnect to Secure Cloud Analytics, as AnyConnect uses special IPFIX fields that the Secure Network Analytics SaaS Adapter doesn't recognise as normal traffic.

This is the ordering guide, for both Secure Cloud Analytics and Secure Network Analytics:
https://www.cisco.com/c/dam/en/us/products/collateral/security/stealthwatch/guide-c07-738299.pdf

The PNM license is for the number of endpoints (average number of active IPs) that are monitored by Secure Cloud Analytics. Secure Cloud Analytics only collects data from devices on-network today.

TNSC2021
Level 1

How does one configure a UDP director to send telemetry to Secure Cloud Analytics?

The UDP director can send flows to the PNM Sensor, the same as if it was a network device sending flows to the PNM. Refer to the UDP director configuration guide, specifically the rules section.

Just don't try to use it to send AnyConnect NVM flows though as they are not supported at this time.