Install Script Diagram
An agent may be installed as a virtual-service (container) in an ISR 44xx router by running the installation_auto.py install and upgrade script. The script issues configuration commands on the router and the newly-created agent. It also adds the agent to the controller, so the user can issue further configuration changes from the controller web UI.
The script references the install.yaml properties file. The following diagram tracks the various properties in the deployment process.
Figure 4. ISR and Agent Deployed as a Virtual Service
The arrow labeled copy (scp) demonstrates the install script copying the agent .ova file from a network location of your choice to the Network Element (44xx router). In this example, the script copies the file from the deployed controller using the SCP protocol to the ISR.
For all commands issued to the ISR, the script uses the configured credentials (ne_username, ne_password) to connect to the network element (ne_ctl_ip).
The following properties control how the script copies the file:
src_host - the network location where the agent .ova file is copied from
src_username - username used by the script to log into this network location
src_password - password used by src_username
src_ova_path - filepath and filename on the host where the agent .ova file is located
dst_store - whether the script copies the .ova file to the branch router harddisk or bootflash
Cisco recommends you define the controller as the source host, upload the .ova to the controller, and copy the file to all branch routers.
Agent Virtual Service Creation
The center of the diagram shows the commands the script uses to create, install, and activate the agent as a virtual-service (container), and references the properties file to apply values to the variables.
The script creates the virtual-service with two virtual interfaces, using the interface VirtualPortGroup commands:
ctl/mgmt - The control and management interface, used for agent/controller communication, to install mitigation policies on the router, and to receive NetFlow records from the router. This is VirtualPortGroup 1 on the router, and eth0 on the agent.
The script configures the ctl/mgmt interface without an IP address, (using ip unnumbered), referencing the name of a router interface (parent-if-name) whose IP address is reachable by the controller.
The script also configures an ip route on the agent with a routable IP address (dla_ctl_ip) so the router forwards packets from the controller to the agent over the ctl/mgmt interface.
Note that you configure credentials for the agent to log into the router (dla_ne_login: username, dla_ne_login, password), to install mitigation policies, and collect information from the router.
data xfer - The data transfer interface, used to send raw packet data from the router to the agent, when packet buffer capture (PBC) or DNS deep packet inspection (DNS/DPI) are enabled. This is VirtualPortGroup 2 on the router, and eth1 on the agent.
The script configures the data xfer interface with a private IP address (ne_ip) and netmask (ne_mask), since traffic across this interface never leaves the router.
After configuring the virtual interfaces, the script issues commands (virtual-service, vnic) to create the virtual-service named sln with two virtual interfaces reachable by the VirtualPortGroup 1 and VirtualPortGroup 2 interfaces on the router.
The script then issues an install command to install the agent .ova into the virtual service, then an activate command to activate the virtual service.
Finally, the script issues the connect command to log into the virtual service console to configure the following:
the agent hostname (dla_hostname) and default gateway (dla_ctl_gw)
the eth0 interface with a routable IP address (dla_ctl_ip) and netmask (dla_ctl_mask). The controller must be able to reach this address.
the eth1 interface with a private IP address (dla_dat_ip) and netmask (dla_dat_mask
Learning Network License NetFlow Configuration
The install script also issues commands to configure Flexible NetFlow (Version 9), as required for Learning Network License. The following diagram illustrates this configuration.
Figure 5. NetFlow Operation on the ISR
The script creates the following:
SLN-NF-RECORD - a NetFlow flow record which defines key fields to match traffic, and non-key fields to collect
SLN-NF-EXPORTER - a NetFlow flow exporter that references the agent
dla_ctl_ip IP address to send NetFlow data to the agent
SLN-NF-MONITOR - a NetFlow flow monitor that references SLN-NF-RECORD to monitor input and output traffic coming over configured branch interfaces, and forwards it to SLN-NF-EXPORTER
The script also issues an interface command for each branch interface (branch-if1-names...) that you configure in the properties file. These branch interfaces are the router interfaces used to reach branch hosts.
Agent Addition to the Controller
The script adds each agent to the controller, if not already added, using the RESTful API. The script logs into the controller using the configured credentials (sca_webui_login: username, sca_webui_login: password). The script uses the agent hostname (dla_hostname) or the IP address (dla_ctl_host_sca) if the agent hostname is not resolvable in DNS.
Each agent is added to the controller as Disabled. You must log into the controller web UI to enable the agent. If you register your deployment with Smart Licensing, enabling the agent also consumes a license entitlement.