Contents
- Cisco Stealthwatch Learning Network License Quick Start Guide
- Learning Network License Introduction
- Installing the Learning Network License System
- Installation Prerequisites
- Communication Ports
- Learning Network License and Licensing
- Controller Host Requirements
- Controller Installation Prerequisites
- ISR Platform Requirements
- ISR 4000 Series Platform Requirements
- Verifying ISR Platform Requirements
- Example ISR Platform Requirements
- ISR Configuration Prerequisites
- ISR License Installation
- Agent and ISR Interaction
- Agent Installation Prerequisites
- Agent Configuration Prerequisites
- Downloading the OVA Files from Cisco
- Obtaining a File's Checksum from cisco.com
- Controller Deployment
- Deploying the OVA File
- Powering On the Virtual Machine
- Controller Virtual Hard Disk Storage
- Controller Virtual Hard Disk Allocation Expansion
- Editing VM Settings to Increase Virtual Hard Disk Size
- Adding a New Virtual Hard Disk Partition Larger than 2 TB
- Updating the Filesystem for the New Virtual Hard Disk Partition
- Controller Virtual Hard Disk Addition
- Editing VM Settings for a New Hard Disk
- Adding a New Hard Disk
- Updating the Filesystem for the New Hard Disk
- Custom Controller Web UI Certificates
- Uploading a Private Key Password
- Uploading Custom Controller Web UI Certificates
- Configuring the Controller with the Setup Script
- Resetting the Administrator Password
- Disabling Host Time Synchronization
- Logging into the Controller Web UI
- Verifying NTP Configuration on the Controller
- Controller Certificate Management
- Updating the Controller Configuration
- Restarting Controller Processes
- Updating Administrator Credentials
- NTP Configuration
- Configuring NTP on the ISR
- Install Script Overview
- ISR Hardware Configuration
- Install Script Deployment
- Agent Properties File Overview
- Agent Properties File Settings
- Configuring VRF Forwarding on the ISR
- Updating the Agent Properties File
- Install Script Operation
- Install Script Options
- Running the Install Script
- Verifying NTP Configuration on the Agent
- Smart Licensing Overview
- Logging into the Controller Web UI
- Registering the Controller Instance
- Restarting the Controller Processes
- Enabling Agents on the Controller
- Interface Configuration
- Configuring Agent Network Settings
- Initial Learning Phase Overview
- Next Steps
- For Assistance
Cisco Stealthwatch Learning Network License Quick Start Guide
The following details essential information on deploying and configuring your Cisco Stealthwatch Learning Network License system.
Learning Network License Introduction
The Learning Network License system is a hyper-distributed analytics architecture that inspects your network traffic and applies machine learning algorithms to perform a behavioral analysis. As a result, the system can identify anomalous behavior, such as malware, distributed botnets, data exfiltration, and more.
You deploy multiple agents to your network edge to inspect traffic. These agents report the anomalies in real-time to the controller for additional system and user analysis. Based on the anomalies, you can provide relevance feedback, which the system incorporates into internal traffic models. This allows the system to better identify and report anomalies of interest.
You can also configure mitigations based on anomaly properties, such as hosts involved and application traffic transferred. These mitigations reduce or eliminate the impact of detected anomalies now and in the future. The combination of behavioral analysis, user feedback, and traffic mitigation customizes the system to address the threats specific to your network and better protect your users.
Installing the Learning Network License System
Procedure
The following provides a high-level overview of installing the Learning Network License system.
Step 1 Ensure your ISRs support installing the Learning Network License system, and have the proper licenses and hardware. See Installation Prerequisites for more information.
Step 2 Deploy a separate ESXi host to run the controller. See Controller Host Requirements for more information.
Step 3 Download the agent and controller OVA files at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html. See Downloading the OVA Files from Cisco for more information.
Step 4 Deploy the controller to the ESXi host using vSphere Client. Power on the virtual machine, and log into the controller VM console using the default administrator username (sln) and default administrator password (cisco). See Controller Deployment for more information.
Step 5 Run the setup-system setup script from the controller command line. Follow the script prompts to configure the network connection and NTP servers, and to generate public key certificates. Verify your NTP configuration from the controller VM console. See Configuring the Controller with the Setup Script and Verifying NTP Configuration on the Controller for more information.
Step 6 Update the sca.conf controller configuration file to configure public key certificate management settings, then restart the controller processes. See Updating the Controller Configuration and Restarting Controller Processes for more information.
Step 7 Log into the controller web UI with the default administrator username (admin) and the default administrator password (cisco), then update the administrator credentials. See Updating Administrator Credentials for more information.
Step 8 Configure NTP servers on your ISR. See NTP Configuration for more information.
Step 9 From the controller VM console, configure the install.yaml agent install properties file. See Agent Properties File Settings and Updating the Agent Properties File for more information.
Step 10 Run the installation_auto.py install and upgrade script from the controller to deploy the agent as a virtual service to an ISR. See Running the Install Script for more information.
Step 11 Log into the controller web UI with your updated administrator credentials. Register your controller with Smart Licensing. From the controller VM console, restart the controller's processes. See Registering the Controller Instance and Restarting the Controller Processes for more information.
Step 12 From the controller web UI, enable and configure your agents with the controller as described in Enabling Agents on the Controller and Configuring Agent Network Settings.
Step 13 Allow the system an initial learning phase to create a baseline model of your network traffic. See Initial Learning Phase Overview for more information.
Installation Prerequisites
When you deploy the Learning Network License system, obtain or configure the following:
open ports for system functionality
an ESXi host for the controller
a Network Element capable of running the agent as a virtual service (container)
the proper licensing for your Network Element
the controller and agent OVA files
Communication Ports
Learning Network License requires several open ports for functionality, to allow communication between the controller and agents, and to allow users to access the controller UI. If a firewall or other security appliance sits between the controller and agents, or between the user and the controller, open these ports.
The following diagram illustrates this system functionality.
Users, such as system administrators, can log into the controller web UI, and SSH login to agents.
The controller sends information, such as mitigations, to the agent, and contacts NTP servers to synchronize time.
The agent sends information, such as anomalies, log files, configuration files, and PCAP files, to the controller, and contacts NTP servers to synchronize time.
The following diagram illustrates the open ports and directionality. See Table 1 for more information on these ports.
Table 1 Default Communication Ports for Learning Network License Features and Operation
Port | Description | Direction | Is Open for any... | To...
22/TCP | SSH/SCP | outbound from agent eth0 interface Management IP, inbound to controller IP | IP associated with the controller, Management IP associated with the agent | transfer log files and configuration files
22/TCP | SSH | outbound from host IP, inbound to agent eth0 interface Management IP | host IP that wants to SSH login to the agent | optionally enable remote access to the agent administrator script when the agent is deployed as a virtual service
22/TCP | SSH | inbound from host IP to controller IP | host IP that wants to SSH login to the controller | optionally enable SSH login to the controller
123/UDP | NTP | outbound from the controller IP to an external NTP server | IP associated with the controller | keep controller time synchronized with the NTP server, and therefore consistent with the agents deployed as virtual services, which also synchronize to NTP
443/TCP | HTTPS | inbound from user IP to controller IP | host IP that wants to access the controller UI | access the controller UI
9091/TCP | TLS | outbound from controller IP to agent eth0 interface Management IP | IP associated with the controller | allow the controller to communicate with the agent
9092/TCP | packet buffer capture (PBC) | outbound from controller IP to agent eth0 interface Management IP | IP associated with the controller | enable PBC
The two SSH rows marked optional are needed only where administrators require shell access to the agent or the controller; leave them closed otherwise, and restrict the rows you do open to the specific controller, agent, and administrator addresses rather than any source.
Learning Network License and Licensing
To properly deploy your Learning Network License system, you must obtain the proper IOS Licenses for your ISRs, as well as the proper Smart Licenses for Learning Network License.
To run an agent on an ISR, you must activate an IP Base (ipbasek9) IOS license, and a Data (datak9) or App (appxk9) IOS license. See http://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html for more information on activating the licenses.
You must also obtain the appropriate Smart License entitlement for each controller and agent you deploy.
Table 2 Smart License Entitlement Types
Learning Network License Component | License Entitlement and Description | Associated File Downloads and Description
controller | L-SW-SCA-K9 - SCA Virtual Manager | sln-sca-k9-<ver>.ova - single controller OVA
agent deployed as a virtual service on an ISR 43XX | L-SW-LN-43-1Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 1 Yr Term; L-SW-LN-43-3Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 3 Yr Term | sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD; sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash
agent deployed as a virtual service on an ISR 44XX | L-SW-LN-44-1Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 1 Yr Term; L-SW-LN-44-3Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 3 Yr Term | sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD; sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash
Note
After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.
For more information on Smart Licensing, see http://www.cisco.com/web/ordering/smart-software-manager/smart-accounts.html.
In addition, you must generate a registration token in the Cisco Smart Software Manager (http://www.cisco.com/web/ordering/smart-software-manager/index.html), then use this to register your controller. Each time you manage and enable an agent with the controller, the controller automatically requests a license entitlement for the agent.
For more information about the Cisco Smart Software Manager, see the Cisco Smart Software Manager User Guide.
Controller Host Requirements
You can host a controller virtual appliance on a VMware ESXi Version 5.5 hosting environment. You can also enable VMware tools on all supported ESXi versions. For information on the full functionality of VMware Tools, see the VMware website (http://www.VMware.com). For help creating a hosting environment, see the VMware ESXi documentation.
Virtual appliances use Open Virtual Format (OVF) packaging. Cisco provides the controller and agent virtual appliances in Open Virtual Appliance (OVA) format, an archive version of the OVF file.
The computer that serves as the controller ESXi host must meet the following requirements:
It must have a 64-bit CPU that provides virtualization support, either Intel® Virtualization Technology (VT) or AMD Virtualization™ (AMD-V™) technology.
Virtualization must be enabled in the BIOS settings.
To host virtual devices, the computer must have network interfaces compatible with Intel e1000 drivers (such as PRO 1000MT dual port server adapters or PRO 1000GT desktop adapters).
This host must have network connectivity to all Network Elements where you will install your agents.
Users such as administrators and analysts should be able to establish a connection to this host, to access the controller user interface.
For more information, see the VMware website: http://www.vmware.com/resources/guides.html.
Note
Installing the controller on a Network Element is not supported.
Controller Installation Prerequisites
Controller Download
Cisco provides the controller as an OVA file: sln-sca-k9-<ver>.ova. Download the file at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html.
Note
After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.
You must also download and install the latest version of VMware vSphere Client to install the virtual machine. Cisco recommends you also download and install VMware ESXi version 5.5 to run the virtual machine. Download the files at https://my.vmware.com/web/vmware/downloads.
Controller Virtual Appliance Settings
Each virtual appliance you create requires a certain amount of memory, CPUs, and hard disk space on the ESXi host. Do not decrease the default settings, as they are the minimum required to run the system software. The following table lists the default settings.
Table 3 Default Controller Virtual Appliance Settings
Setting | Default
memory | 24576 MB (24 GB)
virtual CPUs (vCPU) | 4
virtual NICs | 3 (eth0, eth1, eth2; only eth0 is enabled by default)
hard disk provisioned size | 200 GB
When you start the VM, the controller determines the amount of physical RAM available, and updates the configuration to allow use of up to half of that RAM.
Cisco recommends you increase VM settings, depending on the size of your Learning Network License deployment. See the following table for recommendations.
Table 4 Recommended Controller VM Settings
Learning Network License Deployment Size | Recommended VM Settings
1 to 50 agents | 24576 MB (24 GB) of RAM, 8 vCPU, 400 GB of hard disk provisioned size
51 to 1000 agents | 65536 MB (64 GB) of RAM, 16 vCPU, 4 TB of hard disk provisioned size
Note
The number of vCPUs is determined by multiplying the number of virtual sockets by the number of cores per socket.
If you increase the memory, number of vCPUs and cores/socket (default is 4), or the hard disk size, see http://www.vmware.com/ for more information and best practices.
Information Needed During Installation
When you run the setup script, provide the following information to configure the controller:
Table 5 Controller Installation Settings
Setting | Description
eth0 interface IPv4 address, netmask, and gateway | transfer management traffic with agents, and provide access to the controller web UI
eth0 interface hostname | hostname for the controller
eth0 interface DNS servers and DNS search suffixes | DNS context for anomalies
NTP server IPv4 addresses | synchronize time in the Learning Network License system
The setup script allows you the option of generating self-signed certificates. If you generate a certificate for the controller web UI server, you can define the following subject distinguished name components:
Table 6 Self-Signed Certificate Subject Distinguished Name Options
Option | Description
Country Name | a two-letter ISO 3166-1 country code
State or Province Name | full name of the state or province where your organization is located
Locality Name | the city where your organization is located
Organization Name | your organization's name
Organizational Unit Name | your organization's division's name
Common Name | a host and domain name associated with the certificate
Email Address | a contact email address
Learning Network License requires a server certificate to encrypt controller/agent communications, and a server certificate to encrypt user connections to the controller web user interface.
ISR Platform Requirements
Several 4000 Series ISRs support hosting an agent in a service container. You can optionally install a solid state drive (SSD) carrier and SSD network interface module (NIM-SSD) for the agent. For more information on the 4000 Series ISRs, see http://www.cisco.com/c/en/us/td/docs/routers/access/4400/roadmap/isr4400roadmap.html.
ISR 4000 Series Platform Requirements
Table 7 ISR 4000 Series Platform Requirements
ISR Component | Required
Model | Cisco 4331, Cisco 4351, Cisco 4431, Cisco 4451
Control Plane DRAM | 8192 MB (8 GB)
Disk Storage for Service Container Hosting | If you deploy your virtual service to bootflash, no additional equipment is required. If you want to deploy your virtual service to a hard disk, to achieve much larger storage capacities, you must install: NIM-SSD(=) - NIM carrier card for SSD drives; SSD-SATA-200G(=) - 200 GB SATA solid state disk for NIM-SSD, 155 GB free. See Agent Installation Prerequisites for more information.
Complex Programmable Logic Device | Version 15010638 or greater
Image | IOS-XE Release 15.4(3)S1 through 15.5(3)Sx. Note: IOS-XE Release 15.4(3)S2 and prior do not support deploying a virtual service to bootflash. You must deploy a virtual service to a NIM-SSD for these releases, or upgrade to Release 15.5(3)S to deploy the virtual service to bootflash.
NBAR2 Protocol Pack | Version 15.0.0 or greater (IOS-XE 15.4(3)S1 through 15.5(3)S); Version 17.0.0 or greater (IOS-XE 15.5(3)S rebuild 2 or greater)
Licenses | Cisco 4331: SL-4330-IPB-K9 - IP Base license, and SL-4330-APP-K9 - AppX license. Cisco 4351: SL-4350-IPB-K9 - IP Base license, and SL-4350-APP-K9 - AppX license. Cisco 44XX: see http://www.cisco.com/c/en/us/products/collateral/routers/4000-series-integrated-services-routers-isr/guide-c07-732797.html#_Toc424288435 for more information.
Verifying ISR Platform Requirements
Before You Begin
Log into the ISR console.
Procedure
Step 1 enable
Example: Router> enable
Purpose: Enable privileged EXEC mode.
Step 2 show version
Example: Router# show version
Purpose: Show version information, including image version, installed ISR licenses, and control plane DRAM.
Step 3 show platform
Example: Router# show platform
Purpose: Show the Complex Programmable Logic Device version.
Step 4 show ip nbar protocol-pack active
Example: Router# show ip nbar protocol-pack active
Purpose: Show the NBAR2 protocol pack version.
Step 5 exit
Example: Router# exit
Purpose: Exit privileged EXEC mode.
Example ISR Platform Requirements
Issuing the show version command on your ISR allows you to view your image version, installed licenses, and the total control plane DRAM on the ISR. The relevant lines are annotated in square brackets below. Note that appxk9 corresponds to the AppX license, and ipbasek9 corresponds to the IP Base license.
Router> enable
Router# show version
Cisco IOS XE Software, Version 2016-05-16_22.05.paj
Cisco IOS Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)S2, RELEASE SOFTWARE (fc2)
...
Technology Package License Information:
-----------------------------------------------------------------
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
-----------------------------------------------------------------
appxk9        appxk9        RightToUse     appxk9        [AppX license]
uck9          None          None           None
securityk9    None          None           None
ipbase        ipbasek9      Permanent      ipbasek9      [IP Base license]

cisco ISR4431/K9 (1RU) processor with 7799569K/6147K bytes of memory.   [control plane DRAM]
...
Issuing the show platform command on your ISR allows you to view the Complex Programmable Logic Device (CPLD) version, annotated below. Compare it against the minimum in Table 7 (15010638 or greater).
Router# show platform
Chassis type: ISR4431/K9

Slot      Type              State                 Insert time (ago)
--------- ----------------- --------------------- -----------------
...

Slot      CPLD Version        Firmware Version
--------- ------------------- ---------------------------------------
0         15010638            15.4(2r)S                [CPLD version]
R0        15010638            15.4(2r)S
F0        15010638            15.4(2r)S
ISR Configuration Prerequisites
Information Needed for ISR Configuration
When you configure the ISR's NTP servers and flexible NetFlow, provide the following information:
Table 8 ISR Configuration Settings
Setting | Description
loopback interface IPv4 address or router management interface | configure NTP server connectivity; use a loopback interface if you have one configured, or the router management interface if you do not
NTP server IPv4 addresses | synchronize time in the Learning Network License system
agent eth0 IPv4 address for NetFlow exporter | pass NetFlow packets from the ISR to the agent, and traffic between the controller and the agent
ISR License Installation
To run an agent on an ISR 4000 Series, you must activate an IP base (ipbasek9) IOS license, and an App (appxk9) IOS license, on the ISR. See http://www.cisco.com/c/en/us/td/docs/routers/access/sw_activation/SA_on_ISR.html for more information on activating the licenses.
Agent and ISR Interaction
The following diagram illustrates the interaction between an agent and its host ISR.
The diagram shows an agent deployed as a virtual service, named sln, on the host ISR. The virtual service contains two virtual interfaces:
VirtualPortGroup1, used as the virtual service's eth0 interface. This is the Management interface, which handles controller/agent communication, including mitigations and anomalies. This is also the Control interface, which handles agent/router communication, including passing NetFlow packets from the router to the agent, and passing mitigations from the agent to the router.
Configure eth0 on the virtual service with a routable IP address, so the controller can reach the agent. Configure VirtualPortGroup1 using ip unnumbered, and a router interface that the controller can reach.
VirtualPortGroup2, used as the virtual service's eth1 interface. This is the Data Transfer interface, which handles raw packet data passed from the router to the agent. These raw packets are used for packet buffer capture and deep packet inspection.
Traffic over the data connection does not leave the router. Configure the virtual service interface and VirtualPortGroup2 using private IP addresses.
Agent Installation Prerequisites
The agent runs as a virtual service on your ISR. You can deploy the virtual service either to the ISR's bootflash, or to an optional 200 GB NIM-SSD. In general, agents deployed to bootflash offer less storage space for file retention than agents deployed to a NIM-SSD. See the following table for an overview of these differences.
Table 9 Agent Deployment as Virtual Service Comparison
Feature | Agent Deployed to bootflash | Agent Deployed to NIM-SSD
Default virtual service settings | lower hard disk provisioned size setting | higher hard disk provisioned size setting
packet buffer capture (PBC) | smaller file storage allocation for PBC; PCAP file storage is volatile, so if the ISR restarts, PCAPs are lost | greater file storage allocation for PBC; PCAP file storage is persistent, so if the ISR restarts, PCAPs are retained
log files | smaller file storage allocation for log files; log file storage is volatile, so if the ISR restarts, log files are lost | greater file storage allocation for log files; log file storage is persistent, so if the ISR restarts, log files are retained
See ISR 4000 Series Platform Requirements for more information.
Note
You must download the virtual service OVA file. You cannot install the UCS E-Series blade server OVA file as a virtual service.
Agent Configuration Prerequisites
Agent OVA Download
Cisco provides the agent as one of two OVA files: sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova to install on the ISR's NIM-SSD, and sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova to install on the ISR's bootflash. Download the file at http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html.
Note
After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.
Agent Virtual Service Settings
Each agent you deploy as a virtual service requires a certain amount of memory, CPUs, and hard disk space. The following table lists the default settings.
Agent Install Script
The controller contains an agent install script you can use to deploy the agents as virtual services. See Install Script Deployment and Agent Properties File Settings for more information.
Downloading the OVA Files from Cisco
Procedure
Note
After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.
Step 1 In your web browser, navigate to http://www.cisco.com/c/en/us/support/security/stealthwatch-learning-network-license/tsd-products-support-series-home.html. Enter your username and password when prompted.
Step 2 Download the controller OVA file: sln-sca-k9-<ver>.ova
Step 3 Download an agent OVA file:
- sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - contains the agent to be deployed as a virtual service on an ISR's NIM-SSD
- sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - contains the agent to be deployed as a virtual service on an ISR's bootflash
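The checksum comparison that the note above asks for, as an added example that is not part of the Cisco guide: a small POSIX shell function that computes the SHA-512 of a downloaded file and compares it with the value copied from the cisco.com download page, returning a distinct exit status for match, mismatch, and unreadable file so that it can gate an automated deployment. Where Cisco publishes both digests, prefer the SHA-512 value; MD5 collisions are practical, so an MD5 match alone says little about tampering. The sample file and its digest below are constructed for the demonstration (the three-byte file "abc" and its published FIPS 180-4 test-vector digest stand in for the OVA and the cisco.com value), and the presence of either GNU sha512sum or Perl shasum is assumed.

```sh
#!/bin/sh
# Added example, not from the Cisco guide: verify a downloaded OVA against the
# SHA-512 digest published on cisco.com before deploying it.
# Assumes GNU coreutils `sha512sum` or, failing that, Perl `shasum`.

# verify_sha512 FILE EXPECTED_HEX
#   exit 0 = digest matches, 1 = mismatch (redownload), 2 = file unreadable
verify_sha512() {
  file=$1
  # Normalise the published value: lowercase hex, no stray whitespace.
  expected=$(printf '%s' "$2" | tr 'A-F' 'a-f' | tr -d ' \t\r\n')
  [ -r "$file" ] || { echo "ERROR: cannot read $file" >&2; return 2; }
  if command -v sha512sum >/dev/null 2>&1; then
    actual=$(sha512sum "$file" | cut -d' ' -f1)
  else
    actual=$(shasum -a 512 "$file" | cut -d' ' -f1)
  fi
  if [ "$actual" = "$expected" ]; then
    echo "OK: $file matches the published SHA-512"
    return 0
  fi
  echo "MISMATCH: $file" >&2
  echo "  expected: $expected" >&2
  echo "  actual:   $actual" >&2
  return 1
}

# Constructed stand-in for a downloaded OVA: the 3-byte file "abc". Its digest
# is the FIPS 180-4 SHA-512 test vector, playing the role of the value copied
# from the cisco.com download page.
SAMPLE_FILE=$(mktemp)
printf 'abc' > "$SAMPLE_FILE"
SAMPLE_SHA512='ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f'

verify_sha512 "$SAMPLE_FILE" "$SAMPLE_SHA512"                 # exit status 0
verify_sha512 "$SAMPLE_FILE" "deadbeef" || echo "refusing to deploy $SAMPLE_FILE"
```

In a deployment pipeline, keep the published digest in version control beside the deployment scripts and copy it from the cisco.com page over HTTPS rather than from wherever the OVA itself was mirrored, so that a tampered mirror cannot supply a matching digest for a tampered file.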
Controller Deployment
Cisco provides the controller as a downloadable OVA file. You can deploy this OVA file to a host running an ESXi hypervisor.
Before you start the controller VM, you can update the memory, number of vCPUs, and hard disk space in vSphere vCenter. If you increase the memory, you must start the VM, then run the setup-system script. After you run the script, the VM is updated with proper memory settings.
If your controller is already running, and you want to update the memory settings, run the setup-system script, stop the VM, update the memory settings, and start the VM. On restart, the VM is updated with proper memory settings.
See Controller Installation Prerequisites for more information on recommended controller VM settings, based on deployment size.
Note
For a given version of the Learning Network License system, only the version of Ubuntu Linux shipped with the controller and agents is supported. Do NOT upgrade Ubuntu Linux on the controller or agent VMs.
The first time you log into the virtual machine, the system prompts you to change the default administrator password.
Deploying the OVA File
As you map destination networks to interfaces, note that only eth0 is enabled by default. For many deployments, controller management traffic, agent traffic, and controller web UI user traffic are reachable from the same controller network interface. In this case, you can map that destination network to the eth0 interface. You can also leave the eth1 and eth2 interfaces disabled, and mapped to a separate destination network.
However, if these traffic types are reachable via different controller network interfaces, you can enable eth1, eth2, or both eth1 and eth2, then map them to the appropriate destination networks.
Before You Begin
Download the OVA file.
Download VMware vSphere Client from https://my.vmware.com/web/vmware/downloads and install it.
Procedure
What to Do Next
Powering On the Virtual Machine
Procedure
Step 1 Open vSphere Client, and connect to the ESXi hypervisor where you deployed the virtual machine.
Step 2 Select .
Step 3 Select the virtual machine from the navigation tree.
Step 4 Select .
Step 5 Click the Console tab, then click in the console pane to shift your focus to the virtual machine console.
Note To shift your focus from the virtual machine console to your local host, press Ctrl-Alt.
Step 6 Log in with the default administrator username (sln) and the default administrator password (cisco). When prompted, change the default administrator password.
Controller Virtual Hard Disk Storage
By default, the controller OVA ships configured with a 200 GB hard disk. Based on your deployment and the recommended settings, you can configure the deployed controller VM to expand the available hard disk storage space by either:
increasing the existing virtual hard disk storage allocation with an expanded partition or another partition, when the existing VMware storage area has sufficient space, or
adding a new virtual hard disk, when the existing VMware storage area has insufficient space.
Note
Follow the procedures carefully. Failure to follow them can result in corruption or loss of the controller VM filesystem.
Controller Virtual Hard Disk Allocation Expansion
To add space to the controller VM hard disk, configure the VM's settings in VMware vSphere to increase the size of the hard disk. Then, from the VM's command line, run parted to extend an existing virtual hard disk partition. Finally, issue commands to expand the filesystem size for the new hard disk.
Note
You can only extend a hard disk partition to 2 TB. If you need more space, you can use cfdisk to instead add another virtual hard disk partition. Be aware that the DOS (MBR) partition table implied by cfdisk's Logical partition type addresses sectors with 32-bit LBA values, so no partition on it can start or extend beyond 2 TiB of the disk; if the expanded virtual hard disk would exceed that, add a new virtual hard disk instead (see Controller Virtual Hard Disk Addition).
By default, the controller ships with one virtual hard disk, sda and up to partition number 5 (sda5). The first time you add a partition to this virtual hard disk, increment the name by one (sda6). If you want to add another partition, increment the name of the most recent hard disk partition by 1 (sda7, sda8, and so on).
Editing VM Settings to Increase Virtual Hard Disk Size
Procedure
Step 1 Select .
Step 2 Right-click the controller VM and select Edit Settings.
Step 3 In the Hardware tab, select Hard disk 1.
Step 4 Enter a new Provisioned Size to update the virtual hard disk provision.
Step 5 Click OK.
Step 6 Right-click the controller VM and select . Wait for the VM to power off.
Step 7 Right-click the controller VM and select .
Adding a New Virtual Hard Disk Partition Larger than 2 TB
Procedure
Use cfdisk to create a new virtual hard disk partition larger than 2 TB. The controller OVA contains one virtual hard disk by default, sda. This virtual hard disk contains partitions up to number five (sda5). The following task assumes you have not created another virtual hard disk partition, directing you to increment the highest virtual hard disk partition name by one to create the sda6 partition. If you have created other virtual hard disk partitions for the sda virtual hard disk, increment the new partition name based on the existing virtual hard disk partitions (sda7, sda8, etc.).
Command or Action Purpose
Step 1 sudo cfdisk /dev/sda, then enter your password when prompted
Example: user@host:~$ sudo cfdisk /dev/sda
Purpose: Run the cfdisk partition editor to create the sda6 partition.
Step 2 Move your cursor to the last line containing Free space, and verify that the size column roughly matches the amount of space you added. If the partition size is not correct, restart the controller VM and restart this procedure from the beginning.
Step 3 Press n to create a new partition.
Step 4 Select Logical and press Enter to create a logical partition.
Step 5 Press Enter to accept the default size, creating the partition from the free space displayed.
Step 6 Press t and change the filesystem type to 8E (Linux LVM).
Step 7 Press W to write the new partition table, then type yes to confirm.
Step 8 Press q to quit cfdisk.
Updating the Filesystem for the New Virtual Hard Disk Partition
Procedure
The controller VM was provisioned with Linux LVM2 (Logical Volume Manager) tools. The following procedure uses the LVM2 tools to register the new partition as a physical volume, add the new physical volume to the existing volume group, and extend the logical volume over the new physical volume while simultaneously resizing the Linux filesystem to recognize the additional space.
Command or Action Purpose
Step 1 sudo partprobe -s
Example: user@host:~$ sudo partprobe -s
Update the /dev filesystem to include /dev/sda6 as a new virtual hard disk partition.
Step 2 sudo pvcreate /dev/sda6
Example: user@host:~$ sudo pvcreate /dev/sda6
Create a physical volume for the new partition on the sda virtual hard disk.
Step 3 sudo vgdisplay
Example: user@host:~$ sudo vgdisplay
View the name of the volume group.
Step 4 sudo vgextend <volume-group> /dev/sda6
Example: user@host:~$ sudo vgextend vg00 /dev/sda6
Add the new physical volume to the volume group.
Step 5 sudo lvextend -r /dev/<volume-group>/root /dev/sda6
Example: user@host:~$ sudo lvextend -r /dev/vg00/root /dev/sda6
Extend the root logical volume over the new physical volume and resize the root filesystem.
Controller Virtual Hard Disk Addition
To add a virtual hard disk on the controller VM, configure the VM's settings in VMware vSphere to recognize a new hard disk. Then, from the VM's command line, run cfdisk to create the new virtual hard disk, and issue commands to expand the filesystem size for the new hard disk.
By default, the controller ships with one virtual hard disk, sda. The first time you add a virtual hard disk, increment the name by one (sdb). If you want to add another virtual hard disk, increment the name of the most recent hard disk by 1 (sdc, sdd, and so on).
Editing VM Settings for a New Hard Disk
Procedure
Step 1 Select .
Step 2 Right-click the controller VM and select Edit Settings.
Step 3 In the Hardware tab, click Add.
Step 4 Select Hard Disk and click Next.
Step 5 Select Create a new virtual disk and click Next.
Step 6 Enter a Disk Size and click Next.
Step 7 Click Next to skip the Advanced Options screen.
Step 8 Click Finish.
Step 9 Click OK in the Virtual Machine Properties window.
Step 10 Right-click the controller VM and select . Wait for the VM to power off.
Step 11 Right-click the controller VM and select .
Adding a New Hard Disk
Procedure
Use cfdisk to create a disk partition on the new virtual hard disk. The controller OVA contains one virtual hard disk by default, sda. The following task assumes you have not created another virtual hard disk, directing you to increment the existing virtual hard disk name by one to create the sdb virtual hard disk. If you have created other virtual hard disks for the controller, increment the new virtual hard disk name based on the existing virtual hard disks (sdc, sdd, etc.).
Command or Action Purpose
Step 1 sudo cfdisk /dev/sdb, then enter your password when prompted
Example: user@host:~$ sudo cfdisk /dev/sdb
Run the cfdisk partition editor on the sdb virtual hard disk to create the sdb1 partition. The table contains one line, with the free space equal to the total disk size.
Step 2 n to create a new partition
Create a new partition.
Step 3 Select Primary and press Enter.
Create a primary partition.
Step 4 Press Enter to accept the default size.
Create the partition with the free space displayed.
Step 5 t to change the filesystem type to 8E
Change the filesystem type to 8E (Linux LVM).
Step 6 W to write the new partition table, then yes to confirm
Write the new partition table.
Step 7 q to quit cfdisk
Quit cfdisk.
Updating the Filesystem for the New Hard Disk
Procedure
Command or Action Purpose
Step 1 sudo partprobe -s
Example: user@host:~$ sudo partprobe -s
Update the /dev filesystem to include /dev/sdb as a new virtual hard disk.
Step 2 sudo pvcreate /dev/sdb1
Example: user@host:~$ sudo pvcreate /dev/sdb1
Create a physical volume for the new partition on the sdb hard disk.
Step 3 sudo vgdisplay
Example: user@host:~$ sudo vgdisplay
View the name of the volume group.
Step 4 sudo vgextend <volume-group> /dev/sdb1
Example: user@host:~$ sudo vgextend vg00 /dev/sdb1
Add the new physical volume to the volume group.
Step 5 sudo reboot
Example: user@host:~$ sudo reboot
Restart the controller VM.
Step 6 Log into the controller VM console.
Log into the controller VM console.
Step 7 sudo lvextend -r /dev/<volume-group>/root /dev/sdb1
Example: user@host:~$ sudo lvextend -r /dev/vg00/root /dev/sdb1
Extend the root logical volume over the new physical volume and resize the root filesystem.
Step 8 sudo reboot
Example: user@host:~$ sudo reboot
Restart the controller VM.
Custom Controller Web UI Certificates
The controller web server uses Transport Layer Security (TLS) to encrypt connections to the controller web UI. This requires the server to present a certificate to the client browser. Using the self-signed certificate installed by default does not allow the browser to validate the authenticity of the controller web UI, and leads to browser warnings about an untrusted web server. Instead of using a self-signed certificate, you can upload to the controller a custom public key server certificate and private key generated by your organization. This allows clients that connect to the controller web UI to properly validate the web server's authenticity. Note the following:
You must upload both a server certificate and associated private key. Both must be in PEM format.
You can also upload a trust chain of issuing CA certificates for the server certificate, concatenated with the server certificate in a single PEM file.
You can upload an encrypted private key file. You must also create an additional file (sln_ssl.pass) containing the cleartext password required to decrypt the private key file.
After you make these changes, restart the controller web UI processes.
Note
When you run the setup-system script, do not generate a new controller web UI certificate, as this will overwrite your custom certificate and private key. See Configuring the Controller with the Setup Script for more information.
Uploading a Private Key Password
Procedure
If your private key file is encrypted, you must create an sln_ssl.pass password file containing the cleartext password. After you create the file, you update the sln_ssl_certs.conf configuration file to point to the password file. See Uploading Custom Controller Web UI Certificates for more information.
Command or Action Purpose
Step 1 cd /etc/ssl/private/
Example: user@host:~$ cd /etc/ssl/private/
Change to the /etc/ssl/private/ directory.
Step 2 cat > sln_ssl.pass, then enter your password as cleartext, then press Ctrl + D.
Example: user@host:/etc/ssl/private$ cat > sln_ssl.pass
private-key-password
Create the sln_ssl.pass password file, containing the private key cleartext password.
Step 3 cat sln_ssl.pass to verify the password
Example: user@host:/etc/ssl/private$ cat sln_ssl.pass
Verify that the sln_ssl.pass password file contains the correct cleartext password.
What to Do Next
Continue updating the configuration for your custom certificate and private key, as described in the next section.
Uploading Custom Controller Web UI Certificates
Before You Begin
Log into the controller VM console.
Upload your custom controller web UI server certificate, and chain of issuing CA certificates if applicable, in PEM format to the controller at /etc/ssl/certs.
Upload your custom controller web UI server certificate private key in PEM format to the controller at /etc/ssl/private.
Procedure
Command or Action Purpose
Step 1 cd /opt/cisco/sln/viz/conf/
Example: user@host:~$ cd /opt/cisco/sln/viz/conf/
Change to the /opt/cisco/sln/viz/conf/ directory.
Step 2 sudo vi sln_ssl_certs.conf, then enter your password when prompted
Example: user@host:/opt/cisco/sln/viz/conf$ sudo vi sln_ssl_certs.conf
Open sln_ssl_certs.conf in the vi text editor as a superuser.
Step 3 Modify the ssl_certificate filepath to point to the custom server certificate PEM file.
Example: ssl_certificate /etc/ssl/certs/server-certificate.pem
Update sln_ssl_certs.conf to point to your custom server certificate.
Step 4 Modify the ssl_certificate_key filepath to point to the custom server certificate private key PEM file (the file you uploaded to /etc/ssl/private).
Example: ssl_certificate_key /etc/ssl/private/server-certificate-key.pem
Update sln_ssl_certs.conf to point to your custom server certificate private key.
Step 5 If you uploaded an sln_ssl.pass password file, add ssl_password_file and a corresponding filepath after the ssl_certificate_key filepath.
Example:
ssl_certificate_key /etc/ssl/private/server-certificate-key.pem
ssl_password_file /etc/ssl/private/sln_ssl.pass
Update sln_ssl_certs.conf to point to your private key password file.
Step 6 Press Esc, then enter :wq!.
Example: :wq!
Save your changes, then exit the vi text editor.
Step 7 sudo service ciscosln-viz restart
Example: user@host:/opt/cisco/sln/viz/conf$ sudo service ciscosln-viz restart
Restart the controller web UI service.
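As an added check (example code, not part of the Cisco guide), the following script reads the ssl_certificate, ssl_certificate_key and ssl_password_file directives from an sln_ssl_certs.conf-style file and verifies that the referenced PEM files match the rules above: the certificate file holds only CERTIFICATE blocks (server certificate first, then any issuing CAs), the key file holds exactly one private key, and an encrypted key is accompanied by a non-empty password file. File contents come from an in-memory dict of constructed placeholder PEMs (not real certificates or keys), so it runs offline against the same paths the procedure uses.

```python
import re

# Matches one complete PEM block and captures its label, for example
# "CERTIFICATE" or "ENCRYPTED PRIVATE KEY".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----.*?-----END \1-----", re.S)


def parse_ssl_conf(text):
    """Parse 'directive value' lines; a trailing ';' and '#' comments are tolerated."""
    directives = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        directives[name] = value.strip()
    return directives


def pem_labels(data):
    """Return the labels of all complete PEM blocks in data, in file order."""
    return [m.group(1) for m in PEM_BLOCK.finditer(data)]


def key_is_encrypted(data):
    """True for PKCS#8 encrypted keys and for legacy keys carrying a Proc-Type header."""
    return "ENCRYPTED PRIVATE KEY" in data or "Proc-Type: 4,ENCRYPTED" in data


def check_ssl_conf(conf_text, files):
    """Return a list of problems; an empty list means the configuration is consistent.

    files maps a path to the text that would be read from it, so the check can run
    against an in-memory fixture instead of the real /etc/ssl tree.
    """
    problems = []
    conf = parse_ssl_conf(conf_text)
    for name in ("ssl_certificate", "ssl_certificate_key"):
        if name not in conf:
            problems.append(f"{name} directive is missing")
    if problems:
        return problems

    cert = files.get(conf["ssl_certificate"])
    if cert is None:
        problems.append(f"certificate file {conf['ssl_certificate']} not found")
    else:
        labels = pem_labels(cert)
        if not labels or any(label != "CERTIFICATE" for label in labels):
            problems.append("ssl_certificate must contain only CERTIFICATE blocks "
                            "(server certificate first, then issuing CAs)")

    key = files.get(conf["ssl_certificate_key"])
    if key is None:
        problems.append(f"key file {conf['ssl_certificate_key']} not found")
    else:
        key_blocks = [l for l in pem_labels(key) if l.endswith("PRIVATE KEY")]
        if len(key_blocks) != 1:
            problems.append("ssl_certificate_key must contain exactly one private key block")
        if key_is_encrypted(key):
            pw_path = conf.get("ssl_password_file")
            if not pw_path:
                problems.append("private key is encrypted but ssl_password_file is not set")
            elif pw_path not in files:
                problems.append(f"password file {pw_path} not found")
            elif not files[pw_path].strip():
                problems.append(f"password file {pw_path} is empty")
    return problems


# Constructed fixture: placeholder PEM bodies, not real certificates or keys.
SAMPLE_FILES = {
    "/etc/ssl/certs/server-certificate.pem": (
        "-----BEGIN CERTIFICATE-----\nMIIBserverPLACEHOLDER\n-----END CERTIFICATE-----\n"
        "-----BEGIN CERTIFICATE-----\nMIIBissuingCAPLACEHOLDER\n-----END CERTIFICATE-----\n"
    ),
    "/etc/ssl/private/server-certificate-key.pem": (
        "-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIEencryptedPLACEHOLDER\n"
        "-----END ENCRYPTED PRIVATE KEY-----\n"
    ),
    "/etc/ssl/private/sln_ssl.pass": "private-key-password\n",
}

GOOD_CONF = """\
ssl_certificate /etc/ssl/certs/server-certificate.pem
ssl_certificate_key /etc/ssl/private/server-certificate-key.pem
ssl_password_file /etc/ssl/private/sln_ssl.pass
"""

# Same files, but the ssl_password_file line was forgotten.
MISSING_PASS_CONF = """\
ssl_certificate /etc/ssl/certs/server-certificate.pem
ssl_certificate_key /etc/ssl/private/server-certificate-key.pem
"""

if __name__ == "__main__":
    print(check_ssl_conf(GOOD_CONF, SAMPLE_FILES))          # []
    print(check_ssl_conf(MISSING_PASS_CONF, SAMPLE_FILES))  # one problem naming ssl_password_file
```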
Configuring the Controller with the Setup Script
Procedure
If you need multiple interfaces on multiple subnets, when configuring networking, you can also configure eth1 and eth2.
Command or Action Purpose
Step 1 cd ~/
Example: user@host:~$ cd ~/
Change directories.
Step 2 sudo ./setup-system at the command prompt to run the setup script. Enter the administrator password if prompted.
Example: user@host:~$ sudo ./setup-system
Run the setup script.
Step 3 y (configure networking)
Configure networking.
Step 4 1 (configure eth0)
Configure the eth0 interface.
Step 5 hostname, then hostname, then y to confirm
Configure the controller VM hostname. You must enter a fully qualified domain name.
Step 6 ipv4, then ipv4-address, then ipv4-netmask, then ipv4-gateway, then y to confirm
Configure the interface's IPv4 address, along with a netmask and gateway.
Step 7 dns, then dns-servers, then y to confirm
Modify the virtual machine's list of DNS servers.
Step 8 search, then domain-suffixes, then y to confirm
If you want to configure the domain suffix search list, run the search command.
Step 9 view
View the interface's network settings, hostname, and DNS settings. If any of these are missing or incorrect, repeat that configuration.
Step 10 exit
Save your changes and continue with interface configuration.
Step 11 4 (exit interface configuration)
Exit interface configuration and continue.
Step 12 y (enable SSH login)
Enable SSH login.
Step 13 y, then ntp-servers, then y to confirm
Configure NTP servers used to synchronize time between the controller and agent. Enter a space-delimited list of NTP server fully-qualified domain names (FQDNs) or IPv4 addresses.
Step 14 y (generate a controller certificate)
Generate a controller self-signed certificate, used for encrypting controller/agent communication.
Step 15 y (generate a controller web UI certificate), or n if you uploaded a custom certificate
Generate a controller web UI self-signed certificate, used for encrypting user connections to the controller web user interface.
Step 16 y (specify the distinguished name if you generated a new certificate)
Optionally, specify the certificate subject distinguished name (DN).
Step 17 country-code, then state, then locality, then organization, then organizational-unit, then common-name, then email if you generated a new certificate
Optionally, provide the DN information.
Resetting the Administrator Password
Procedure
After you run the setup-system script, reset the controller web UI administrator user account (admin) password. When you reset the password, the system prints a temporary password to the console, valid for 72 hours. You must log into the controller web UI as the admin user account, then update your password.
Command or Action Purpose
Step 1 cd ~/SCA
Example: user@host:~$ cd ~/SCA
Change directories to ~/SCA.
Step 2 sudo service ciscosln-sca stop, then enter your password when prompted
Example: user@host:~/SCA$ sudo service ciscosln-sca stop
Stop the controller processes.
Step 3 ./sca.sh reset-admin-password
Example: user@host:~/SCA$ ./sca.sh reset-admin-password
Resetting the admin password in sln
New password is 'AbCd1234'
Admin password reset done.
Reset the admin user account's password.
Step 4 sudo service ciscosln-sca start
Example: user@host:~/SCA$ sudo service ciscosln-sca start
Start the controller processes.
Disabling Host Time Synchronization
After you reset the administrator password, configure the VM to disable host time synchronization. This ensures the VM synchronizes time with the configured NTP servers, instead of the ESXi host.
Before You Begin
Log into the controller VM console.
Procedure
Command or Action Purpose
Logging into the Controller Web UI
Procedure
When you installed the controller, you defined an IP address for the controller web UI, and reset the administrator user account (admin) password. Log in with the temporary password printed to the controller VM console. After you log in once, you must change the password and confirm the new password.
In your web browser, navigate to https://controller-web-ip-address, then enter your controller web username and password when prompted.
Verifying NTP Configuration on the Controller
Before You Begin
Log into the controller VM console.
Procedure
Command or Action Purpose
Step 1 ntpq -n -p
Example: user@host:~$ ntpq -n -p
Display configured NTP servers. If the system does not display configured NTP servers, repeat NTP configuration in Configuring the Controller with the Setup Script.
What to Do Next
Update the controller certificate configuration settings, as described in the next section.
Controller Certificate Management
Modify the controller configuration file to update certificate management settings. You can enable the controller to use self-signed agent certificates, and enable TOFU. After this, restart the controller processes.
Updating the Controller Configuration
The sca.conf configuration file contains several layers of nested brackets. When you update the file to add or update the dla node, make sure that you nest it within the sln bracket. See the following for an example.
sln {
  dla {
    security {
      allowSelfSignedCert = true
      trustCertOnFirstUse = true
      certRollover = true
    }
  }
}
You can also reference ~/SCA/sample_sca.conf for an example of syntax.
Before You Begin
Log into the controller VM console.
Procedure
Command or Action Purpose
Step 1 cd ~/SCA
Example: user@host:~$ cd ~/SCA
Change to the ~/SCA directory.
Step 2 sudo vi sca.conf, then input your password when prompted
Example: user@host:~/SCA$ sudo vi sca.conf
Edit the sca.conf configuration file.
Step 3 Update the configuration file to include or modify the dla node.
Update the configuration file to include allowSelfSignedCert = true, trustCertOnFirstUse = true, and certRollover = true.
Step 4 Press Esc, then enter :wq! and press Enter.
Save your changes and exit the editor.
What to Do Next
Restart the controller's processes, as described in the next section.
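Because a dla node placed next to sln instead of inside it silently changes nothing, here is an added example (not Cisco's code) of a small parser for the brace-nested sca.conf syntax shown above, with a check that the dla node sits inside sln and that the three certificate settings are enabled. It covers only the syntax used in the example (name { ... } blocks and key = value lines); treating # and // as comment markers is an assumption.

```python
import re

REQUIRED_SECURITY = ("allowSelfSignedCert", "trustCertOnFirstUse", "certRollover")


def parse_sca_conf(text):
    """Parse 'name { ... }' blocks and 'key = value' lines into nested dicts.

    Values are kept as strings. Only the subset of syntax in the sca.conf
    example above is supported; '#' and '//' comments are an assumption.
    """
    cleaned = re.sub(r"(#|//).*", "", text)
    tokens = re.findall(r"\{|\}|=|[^\s{}=]+", cleaned)
    root = {}
    stack = [root]
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}'")
            stack.pop()
            i += 1
        elif i + 1 < len(tokens) and tokens[i + 1] == "{":
            node = stack[-1].setdefault(tok, {})
            if not isinstance(node, dict):
                raise ValueError(f"'{tok}' is used both as a value and as a block")
            stack.append(node)
            i += 2
        elif i + 2 < len(tokens) and tokens[i + 1] == "=":
            stack[-1][tok] = tokens[i + 2]
            i += 3
        else:
            raise ValueError(f"unexpected token {tok!r}")
    if len(stack) != 1:
        raise ValueError("unclosed '{'")
    return root


def check_dla_security(conf):
    """Return the list of problems with the dla certificate settings.

    An empty list means the file matches the example in the guide.
    """
    problems = []
    sln = conf.get("sln")
    if not isinstance(sln, dict):
        problems.append("top-level sln block is missing")
        sln = {}
    if "dla" in conf and "dla" not in sln:
        problems.append("dla is at top level; it must be nested inside the sln block")
    dla = sln.get("dla")
    security = dla.get("security") if isinstance(dla, dict) else None
    if not isinstance(security, dict):
        problems.append("sln.dla.security block is missing")
        return problems
    for key in REQUIRED_SECURITY:
        value = security.get(key)
        if value != "true":
            problems.append(f"sln.dla.security.{key} should be true, found {value!r}")
    return problems


# Constructed sample matching the guide's example.
GOOD_CONF = """
sln {
  dla {
    security {
      allowSelfSignedCert = true
      trustCertOnFirstUse = true
      certRollover = true
    }
  }
}
"""

# Constructed mistake: dla placed next to sln instead of inside it.
BAD_CONF = """
sln {
  # other controller settings omitted
}
dla {
  security {
    allowSelfSignedCert = true
    trustCertOnFirstUse = true
    certRollover = false
  }
}
"""

if __name__ == "__main__":
    print(check_dla_security(parse_sca_conf(GOOD_CONF)))  # []
    for problem in check_dla_security(parse_sca_conf(BAD_CONF)):
        print("sca.conf:", problem)
```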
Updating Administrator Credentials
Procedure
Update your administrator credentials to log into the controller web UI. In a later step, the install script, located on the controller, adds deployed agents to the controller using these updated administrator credentials.
When you installed the controller, you defined an IP address for the controller web UI. Use the default login password (cisco) for the administrator user account (admin). After you log in once, you must change the password and confirm the new password.
In your web browser, navigate to https://sca-ip-address, then enter your controller web username and password when prompted.
What to Do Next
Configure your ISR's NTP settings, as described in the next section.
NTP Configuration
To configure NTP server addresses on the ISR, associate the router management interface with the NTP servers. Alternatively, if you have a loopback interface already configured, you can use that instead to reference NTP servers.
Configuring NTP on the ISR
Procedure
The agents deployed as a virtual service receive time from the host router. You must configure NTP servers on the ISR to ensure Learning Network License timestamps match, and to ensure that the system properly displays anomalies.
Note
NTP configuration is not required for deploying a virtual service. However, if you incorrectly configure NTP server domain names or IP addresses on the ISR, you cannot deploy virtual services to it. Correctly enter the NTP server domain names or IP addresses.
You can enter each command individually. You can also paste the commands from the example below into a text editor, update the variable, then paste all the updated commands into the command line.
enable
ntp source GigabitEthernet0/0/0
ntp server <ipv4-addresses>
exit
If you have an existing loopback interface, use that as the NTP source interface. Otherwise, use the router management interface.
Command or Action Purpose
Step 1 enable
Example: Router> enable
Enable privileged EXEC mode. Enter your password if prompted.
Step 2 ntp source GigabitEthernet0/0/0
Example: Router# ntp source GigabitEthernet0/0/0
Use the GigabitEthernet0/0/0 interface as the source interface for connections to the NTP servers.
Step 3 ntp server ipv4-addresses
Example: Router# ntp server 209.165.202.129 209.165.202.130
Specify the NTP servers the router synchronizes with. Define multiple addresses to specify backup NTP servers.
Step 4 show ntp association
Example: Router# show ntp association
Display configured NTP servers. If the system does not display correctly configured NTP servers, repeat the configuration process.
Step 5 exit
Example: Router# exit
Exit privileged EXEC mode.
Install Script Overview
The controller includes an agent install and upgrade properties file (install.yaml) and an agent install script (installation_auto.py). Running the agent install script requires configuring the agent install and upgrade properties file with agent, ISR, and network settings. You can configure the file to deploy multiple agents at one time. This file contains global settings, which apply to all deployed agents, and branch-specific settings, which apply only to one ISR and agent.
Note
For a given version of the Learning Network License system, only the version of Ubuntu Linux shipped with the controller and agents is supported. Do NOT upgrade Ubuntu Linux on the controller or agent VMs.
When you run the install script, it reads the properties file, and does the following for each agent:
uploads the OVA file to the ISR
configures flexible NetFlow for Learning Network License
configures a virtual service named sln and deploys the agent
configures ISR and agent network settings
adds the new agent to the controller
ISR Hardware Configuration
Before you deploy your agents as virtual services, ensure that your ISRs have enough RAM and the proper hardware installed, as described in ISR 4000 Series Platform Requirements.
For more information on hardware installation, see the Hardware Installation Guide for the Cisco 4000 Series Integrated Services Router, at http://www.cisco.com/c/en/us/td/docs/routers/access/4400/hardware/installation/guide4400-4300/C4400_isr.html.
Install Script Deployment
Install Script Diagram
An agent may be installed as a virtual-service (container) in an ISR 4331, 4351, 4431, or 4451 router by running the installation_auto.py install and upgrade script. The controller contains the script, which you run from the controller command line. The script issues configuration commands on the router and the newly-created agent. It also adds the agent to the controller, so the user can issue further configuration changes from the controller web UI.
The script references the install.yaml properties file, also located on the controller. The following diagram tracks the various properties in the deployment process.
Agent Copy
The arrow labeled copy (scp) demonstrates the install script copying the agent .ova file from a network location of your choice to the Network Element (4331, 4351, 4431, or 4451 router). In this example, the script copies the file from the deployed controller using the SCP protocol to the ISR.
For all commands issued to the ISR, the script uses the configured credentials (ne_username, ne_password) to connect to the network element (ne_ctl_ip).
The following properties control how the script copies the file:
src_host - the network location where the agent .ova file is copied from
src_username - username used by the script to log into this network location
src_password - password used by src_username
src_ova_path - filepath and filename on the host where the agent .ova file is located
dst_store - whether the script copies the .ova file to the branch router harddisk or bootflash
Cisco recommends you define the controller as the source host, upload the .ova to the controller, and copy the file to all branch routers.
Agent Virtual Service Creation
The center of the diagram shows the commands the script uses to create, install, and activate the agent as a virtual-service (container), and references the properties file to apply values to the variables.
The script creates the virtual-service with two virtual interfaces, using the interface VirtualPortGroup commands:
ctl/mgmt - The control and management interface, used for agent/controller communication, to install mitigation policies on the router, and to receive NetFlow records from the router. This is VirtualPortGroup 1 on the router, and eth0 on the agent.
The script configures the ctl/mgmt interface without an IP address of its own (using ip unnumbered), referencing the name of a router interface (parent-if-name) whose IP address is reachable by the controller.
The script also configures an ip route on the agent with a routable IP address (dla_ctl_ip) so the router forwards packets from the controller to the agent over the ctl/mgmt interface.
Note that you configure credentials for the agent to log into the router (dla_ne_login: username, dla_ne_login: password), to install mitigation policies, and collect information from the router.
data xfer - The data transfer interface, used to send raw packet data from the router to the agent, when packet buffer capture (PBC) or DNS deep packet inspection (DNS/DPI) are enabled. This is VirtualPortGroup 2 on the router, and eth1 on the agent.
The script configures the data xfer interface with a private IP address (ne_ip) and netmask (ne_mask), since traffic across this interface never leaves the router.
After configuring the virtual interfaces, the script issues commands (virtual-service, vnic) to create the virtual-service named sln with two virtual interfaces reachable by the VirtualPortGroup 1 and VirtualPortGroup 2 interfaces on the router.
The script then issues an install command to install the agent .ova into the virtual service, then an activate command to activate the virtual service.
Finally, the script issues the connect command to log into the virtual service console to configure the following:
the agent hostname (dla_hostname) and default gateway (dla_ctl_gw)
the eth0 interface with a routable IP address (dla_ctl_ip) and netmask (dla_ctl_mask). The controller must be able to reach this address.
the eth1 interface with a private IP address (dla_dat_ip) and netmask (dla_dat_mask)
Learning Network License NetFlow Configuration
The install script also issues commands to configure Flexible NetFlow (Version 9), as required for Learning Network License. The following diagram illustrates this configuration.
The script creates the following:
SLN-NF-RECORD - a NetFlow flow record which defines key fields to match traffic, and non-key fields to collect
SLN-NF-EXPORTER - a NetFlow flow exporter that references the agent dla_ctl_ip IP address to send NetFlow data to the agent
SLN-NF-MONITOR - a NetFlow flow monitor that references SLN-NF-RECORD to monitor input and output traffic coming over configured branch interfaces, and forwards it to SLN-NF-EXPORTER
The script also issues an interface command for each branch interface (branch-if1-names...) that you configure in the properties file. These branch interfaces are the router interfaces used to reach branch hosts.
Agent Addition to the Controller
The script adds each agent to the controller, if not already added, using the RESTful API. The script logs into the controller using the configured credentials (sca_webui_login: username, sca_webui_login: password). The script uses the agent hostname (dla_hostname) or the IP address (dla_ctl_host_sca) if the agent hostname is not resolvable in DNS.
Each agent is added to the controller as Disabled. You must log into the controller web UI to enable the agent. If you register your deployment with Smart Licensing, enabling the agent also consumes a license entitlement.
Agent Properties File Overview
The agent install and upgrade properties file (install.yaml), located on the controller, is in YAML format, and stores settings as key-value pairs. The install script uses these settings to deploy one or more agents. The controller contains an install.yaml.example file, which contains the basic YAML format and sample settings. You can rename this file to install.yaml and update the settings for your deployment.
The file stores global settings, which apply to all agent deployments. The file also stores per-branch settings, each set of which is applied to a specific ISR and agent. Per-branch settings override global settings. If you define a setting both as global and as per-branch for certain branches, the install script selects the per-branch setting when defined, and the global setting when the per-branch setting is not defined.
You define usernames and passwords in the properties file, which the install script uses to access ISRs, the controller, and agents. If you comment out a password property by placing a pound sign (#) at the beginning of that line, the script prompts you for that password while running. However, if you comment out the dla_password or ne_password property as a global setting, the script prompts you for the first agent where the property is not defined. It then uses the password you enter for every agent which does not have the property defined.
Note
Usernames and passwords added to the properties file remain in the file after you finish deploying the agents. If this is a security concern, remove them after the deployment completes.
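The override and password-prompt rules above, as an added example (not the install script's own code): a merge routine that resolves the effective settings for each branch from constructed global and per-branch dicts in the shape PyYAML would produce from install.yaml. It overrides global keys per branch, enforces that sca_webui_login is global only and that per-branch dla_ova_copy credentials are also defined globally, and prompts once for an undefined ne_password or dla_password, reusing the answer for later branches. A missing or None key stands for a commented-out line; prompting per branch for the other password keys, and the prompt function itself, are assumptions so the example runs without a terminal.

```python
# Passwords that, when undefined at both levels, are asked for once and then
# reused for every later branch that also leaves them undefined (guide rule).
REUSED_PASSWORDS = ("ne_password", "dla_password")
# Other (group, key) passwords; prompting per branch for these is an assumption.
PER_BRANCH_PASSWORDS = (("dla_ova_copy", "src_password"), ("dla_ne_login", "password"))


def merge_settings(global_settings, branch):
    """Per-branch keys override global keys; inside grouped settings (dicts)
    the override is per key, so a branch can change only ne_ip, for example."""
    merged = {k: (dict(v) if isinstance(v, dict) else v) for k, v in global_settings.items()}
    for key, value in branch.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key].update(value)
        else:
            merged[key] = value
    return merged


def validate_branch(global_settings, branch):
    """Raise ValueError for the two placement rules the guide states."""
    name = branch.get("dla_hostname", "<unnamed branch>")
    if "sca_webui_login" in branch:
        raise ValueError(f"{name}: sca_webui_login may only be defined globally")
    global_ova = global_settings.get("dla_ova_copy") or {}
    branch_ova = branch.get("dla_ova_copy") or {}
    for key in ("src_host", "src_username", "src_password"):
        if key in branch_ova and key not in global_ova:
            raise ValueError(f"{name}: dla_ova_copy.{key} is set per-branch but not globally")


def resolve_deployment(global_settings, branches, prompt):
    """Return the effective settings for every branch, in deployment order.

    prompt(label) is called for each password still undefined after merging;
    answers for ne_password / dla_password are remembered and reused."""
    remembered = {}
    resolved = []
    for branch in branches:
        validate_branch(global_settings, branch)
        merged = merge_settings(global_settings, branch)
        for key in REUSED_PASSWORDS:
            if merged.get(key) is None:
                if key not in remembered:
                    remembered[key] = prompt(key)
                merged[key] = remembered[key]
        for group, key in PER_BRANCH_PASSWORDS:
            if (merged.get(group) or {}).get(key) is None:
                merged.setdefault(group, {})[key] = prompt(f"{group}.{key}")
        resolved.append(merged)
    return resolved


# Constructed global settings; ne_password is None, standing for a line
# commented out with '#' in install.yaml.
GLOBAL_SETTINGS = {
    "dla_ova_copy": {"src_host": "203.0.113.10", "src_username": "sln",
                     "src_password": "ova-src-pass", "src_ova_path": "/home/sln/agent.ova",
                     "dst_store": "harddisk"},
    "vir_portgroup_1": {"ip_unnum": "GigabitEthernet0/0/0"},
    "vir_portgroup_2": {"ne_ip": "10.255.0.1", "ne_mask": "255.255.255.252",
                        "dla_dat_ip": "10.255.0.2", "dla_dat_mask": "255.255.255.252"},
    "ne_username": "isr-admin",
    "ne_password": None,
    "ne_port": 22,
    "dla_password": "agent-admin-pw",
    "dla_ne_login": {"username": "sln-agent", "password": "agent-ne-pw"},
    "sca_webui_login": {"username": "admin", "password": "controller-pw"},
}

# Constructed branches: branch-2 carries its own ne_password and different
# VirtualPortGroup 2 addresses; the other two inherit everything.
BRANCHES = [
    {"dla_hostname": "branch-1", "ne_ctl_ip": "198.51.100.1", "dla_ctl_ip": "198.51.100.2"},
    {"dla_hostname": "branch-2", "ne_ctl_ip": "198.51.100.5", "dla_ctl_ip": "198.51.100.6",
     "ne_password": "branch2-isr-pw",
     "vir_portgroup_2": {"ne_ip": "10.255.1.1", "dla_dat_ip": "10.255.1.2"}},
    {"dla_hostname": "branch-3", "ne_ctl_ip": "198.51.100.9", "dla_ctl_ip": "198.51.100.10"},
]

if __name__ == "__main__":
    import getpass
    # getpass is only used for the interactive demo; tests inject a fake prompt.
    for settings in resolve_deployment(GLOBAL_SETTINGS, BRANCHES, getpass.getpass):
        print(settings["dla_hostname"], settings["vir_portgroup_2"]["ne_ip"],
              "ne_password set" if settings["ne_password"] else "ne_password missing")
```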
Agent Properties File Settings
Global Property Settings
The following are the global property settings. You can define any of these per-branch, except for the sca_webui_login settings. If you define dla_ova_copy: src_host, dla_ova_copy: src_username, or dla_ova_copy: src_password per-branch, you must also define each setting globally. Note that the per-branch setting overrides the global setting.
When you run the script, it prompts you for any password you do not define.
Note
The syntax below is presented as an example. Do not copy and paste this into the property file. Improper formatting and spacing in the property file will cause the script to fail.
dla_ova_copy:
  src_host: <source-host-ip>
  src_username: <source-host-user>
  src_password: <source-host-password>
  src_ova_path: <source-host-ova-filepath>
  dst_store: <dest-store-location>
vir_portgroup_1:
  ip_unnum: <parent-interface>
  vrf_forwarding: <parent-interface-vrf>
vir_portgroup_2:
  ne_ip: <private-ip-1>
  ne_mask: <private-ip-1-mask>
  dla_dat_ip: <private-ip-2>
  dla_dat_mask: <private-ip-2-mask>
ne_username: <ne-user>
ne_password: <ne-password>
ne_port: <tcp-port>
dla_password: <dla-password>
dla_ne_login:
  username: <dla-ne-user>
  password: <dla-ne-password>
sca_webui_login:
  username: <sca-user>
  password: <sca-password>
Table 11 dla_ova_copy Properties
| Property | Description | Validation | Required? |
| dla_ova_copy | group of properties used to copy the agent OVA from a source host that is capable of SCP file copying, such as the controller, to the ISR | n/a | n/a |
| src_host | IP address of the host containing the agent OVA, from which the script will copy the file | IPv4 address or DNS name | yes |
| src_username | username the script uses to log into the Linux console of the host containing the agent OVA | string | yes |
| src_password | password for src_username | string, cannot be NULL | yes |
| src_ova_path | filepath on the source host where the agent OVA is located, such as /home/sln/agent.ova, in quotation marks | string, must contain filepath and filename | yes |
| dst_store | bootflash to upload the agent OVA to the ISR's flash memory, or harddisk to upload the agent OVA to the ISR's hard drive | bootflash or harddisk. Specify bootflash only if your ISR does not have a hard drive installed. If your ISR has a hard drive, and you specify bootflash, the script ignores the setting and uploads to the hard drive. | yes |
Table 12 vir_portgroup_1 Properties
| Property | Description | Validation | Required? |
| vir_portgroup_1 | group of properties used to create the VirtualPortGroup 1 virtual interface | n/a | n/a |
| ip_unnum | name of an interface on your ISR through which the controller can reach the agent. The script uses this to configure the Network Element side of the ctl/mgmt interface. | string | yes |
| vrf_forwarding | name of the non-default VRF instance on your ISR that the ip_unnum interface belongs to. If you added the interface to a non-default VRF instance, you must configure this so the script can properly copy the OVA file to the router. | string | no, see Configuring VRF Forwarding on the ISR for more information |
Table 13 vir_portgroup_2 Properties
| Property | Description | Validation | Required? |
| vir_portgroup_2 | group of properties used to create the VirtualPortGroup 2 virtual interface | n/a | n/a |
| ne_ip | Network Element IP address on the virtual-service Data Transfer interface. The script uses this to configure the Network Element side of the Data Transfer interface. Because traffic over this interface does not leave the router, specify a private IP address. | IPv4 address | yes |
| ne_mask | the netmask for ne_ip | subnet mask | no |
| dla_dat_ip | Agent IP address on the virtual-service Data Transfer interface. The script uses this to configure the agent side of the Data Transfer interface. Because traffic over this interface does not leave the router, specify a private IP address. | IPv4 address | yes |
| dla_dat_mask | the netmask for dla_dat_ip | subnet mask | no |
Table 14 ne_username Property
| Property | Description | Validation | Required? |
| ne_username | a username with a privilege level of 15 that the install script uses to log into the ISR, to execute CLI commands | string | yes |
Table 15 ne_password Property
| Property | Description | Validation | Required? |
| ne_password | the password for ne_username | string, cannot be NULL | no, the script prompts you if not defined |
If you do not define the ne_password property as a global property, the script prompts you the first time it attempts to deploy an agent where the configured branch properties also do not contain ne_password. However, the script reuses that password for every remaining agent deployment for which ne_password is not defined.
Table 16 ne_port Property
| Property | Description | Validation | Required? |
| ne_port | the TCP port the upgrade script uses when connecting via SSH to the ISR. If undefined, this defaults to 22. | integer | no |
Table 17 dla_password Property
| Property | Description | Validation | Required? |
| dla_password | password configured for the agent admin account when the script deploys the agent, to replace the default admin password | string, cannot be NULL, must be a minimum of 6 characters | no, the script prompts you if commented out |
If you do not define the dla_password property as a global property, the script prompts you the first time it attempts to deploy an agent where the configured branch properties also do not contain dla_password. However, the script reuses that password for every remaining agent deployment for which dla_password is not defined.
Table 18 dla_ne_login Properties
| Property | Description | Validation | Required? |
| dla_ne_login | group of properties used to define agent credentials to log into the Network Element | n/a | n/a |
| username | username the agent uses to log into the ISR to learn about interfaces and install mitigations | string | yes |
| password | password for the agent username | string, cannot be NULL | no, the script prompts you if commented out |
Table 19 sca_webui_login Properties Property
Description
Validation
Required?
sca_webui_login
group of properties used to define install script credentials to log into the controller web UI
n/a
n/a
username
username the script uses to log into the controller web UI to add agents to the controller, and configure agent attributes.
string
yes
password
password to log into the controller.
string, cannot be NULL
no, the script prompts you if commented out
Branch-Specific Property Settings
The following are the branch-specific property settings. For each new set of branch settings, you must preface them with a dash (-).
Note
The syntax below is presented as an example. Do not copy and paste this into the property file. Improper formatting and spacing in the property file will cause the script to fail.
branches:
  - ne_ctl_ip: <parent-interface-ip>
    dla_ctl_ip: <control-ip>
    dla_ctl_mask: <control-ip-mask>
    dla_ctl_gw: <control-ip-gateway>
    dla_hostname: <dla-hostname>
    dla_description: <dla-description>
    ne_netflow_interfaces:
      ifnames: ['<branch-interface-1>','<branch-interface-2>','<branch-interface-N>', ...]
    dla_ctl_host_sca: <dla-ip-for-sca>

The dla_description and ne_ctl_ip properties can only be updated through the install script on initial agent installation. If you want to update the agent description after installation, modify it in the controller web UI. See the Cisco Stealthwatch Learning Network License Configuration Guide for more information.
Table 20 branches Properties
Property: branches
Description: group of settings used to configure a specific agent on a branch Network Element
Validation: n/a
Required?: n/a
Property: ne_ctl_ip
Description: IP address for the physical interface defined for vir_portgroup_1: ip_unnum that the script uses to connect to the network element, and to add an agent to the controller
Validation: IPv4 address
Required?: yes
Note: You can only modify this on initial agent installation.
Property: dla_ctl_ip
Description: a routable IP address for the agent on the control interface that the ne_ctl_ip can reach, so the controller can reach the agent
Validation: IPv4 address
Required?: yes
Property: dla_ctl_mask
Description: mask for dla_ctl_ip
Validation: subnet mask
Required?: yes
Property: dla_ctl_gw
Description: default gateway the agent uses for non-local destinations, generally the same IP address as ne_ctl_ip
Validation: IPv4 address
Required?: yes
Property: dla_hostname
Description: agent hostname, used by the script to generate unique names for per-branch log files, used by the controller to connect to the dla_ctl_ip, and used by the controller web UI as the agent's unique name
Validation: string
Required?: yes
Property: dla_description
Description: agent description
Validation: string, up to 256 characters, surrounded by double quotation marks (")
Required?: no; if undefined, the script populates the description with the dla_hostname value, or the dla_ctl_host_sca IP address if you defined it
Note: You can only modify this on initial agent installation.
Property: ne_netflow_interfaces: ifnames
Description: a list of ISR branch-facing interfaces on which the script configures Flexible NetFlow for Learning Network License
Validation: a comma-delimited array, surrounded by brackets ([]), with each interface name surrounded by single quotes (')
Required?: yes
Property: dla_ctl_host_sca
Description: agent IP address used by the controller to reach the agent if the agent hostname is not resolvable in DNS, or if the agent control IP address is behind a NAT or PAT. If you do not define this, the script adds the agent to the controller using the dla_hostname value.
Validation: IPv4 address
Required?: no
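The validation rules listed in the property tables (required keys, IPv4 addresses, subnet masks, the 6-character dla_password minimum, the 256-character dla_description limit, the ifnames list, and the private address expected for dla_dat_ip) can be checked locally before the install script logs into any router. The following Python is an added example, not part of the install script or of this guide. It assumes install.yaml has already been parsed into a dict of the shape yaml.safe_load() returns; the two sample dicts, the RFC 1918 test used for "private IP address", and every function name are assumptions made for this example.

```python
# Added example: local checks for an install.yaml already parsed with yaml.safe_load().
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample in the shape yaml.safe_load() returns; it passes every check.
SAMPLE_PROPERTIES = {
    "dla_dat_ip": "10.255.0.2", "dla_dat_mask": "255.255.255.252",  # private, router-internal link
    "ne_username": "sln-install", "ne_port": 22, "dla_password": "changeit1",
    "dla_ne_login": {"username": "sln-agent"},    # password omitted: the script prompts
    "sca_webui_login": {"username": "admin"},     # password omitted: the script prompts
    "branches": [{
        "ne_ctl_ip": "192.0.2.1", "dla_ctl_ip": "192.0.2.10", "dla_ctl_mask": "255.255.255.0",
        "dla_ctl_gw": "192.0.2.1", "dla_hostname": "branch-a-agent", "dla_description": "Branch A",
        "ne_netflow_interfaces": {"ifnames": ["GigabitEthernet0/0/1"]},
    }],
}

# Constructed sample with deliberate faults, to show what the checks report.
BROKEN_PROPERTIES = {
    "dla_dat_ip": "198.51.100.9",                   # not an RFC 1918 address
    "ne_username": "sln-install", "ne_port": "22",  # port given as a string
    "dla_password": "abc",                          # shorter than 6 characters
    "dla_ne_login": {"username": "sln-agent", "password": ""},  # NULL password
    "sca_webui_login": {"username": "admin"},
    "branches": [{
        "ne_ctl_ip": "192.0.2.1", "dla_ctl_ip": "192.0.2.10",  # dla_ctl_gw is missing
        "dla_ctl_mask": "255.0.255.0",                         # non-contiguous mask
        "dla_hostname": "branch-b-agent",
        "ne_netflow_interfaces": {"ifnames": "GigabitEthernet0/0/1"},  # not a list
    }],
}

def is_ipv4(value):
    try:
        return isinstance(value, str) and ipaddress.IPv4Address(value) is not None
    except ValueError:
        return False

def is_netmask(value):
    """Contiguous dotted-decimal netmask only: 255.0.255.0 and 0.0.0.255 are rejected."""
    if not is_ipv4(value):
        return False
    host_bits = ~int(ipaddress.IPv4Address(value)) & 0xFFFFFFFF
    return host_bits & (host_bits + 1) == 0

def non_empty(value):
    return isinstance(value, str) and value != ""

def validate_properties(props):
    """Return the problems found; an empty list means the file passes the local checks."""
    errors = []

    def require(container, key, check, what, where):
        if container.get(key) is None:
            errors.append(f"{where}: {key} is required")
        elif not check(container[key]):
            errors.append(f"{where}: {key} must be {what}")

    def optional(container, key, check, what, where):
        # A key that is present but NULL (None or "") fails the tables' "cannot be NULL" rule.
        if key in container and not check(container[key]):
            errors.append(f"{where}: {key} must be {what}")

    require(props, "dla_dat_ip", is_ipv4, "an IPv4 address", "global")
    if is_ipv4(props.get("dla_dat_ip")) and not any(
            ipaddress.IPv4Address(props["dla_dat_ip"]) in net for net in RFC1918):
        errors.append("global: dla_dat_ip should be an RFC 1918 private address")
    optional(props, "dla_dat_mask", is_netmask, "a subnet mask", "global")
    require(props, "ne_username", non_empty, "a string", "global")
    optional(props, "ne_password", non_empty, "a non-empty string", "global")
    optional(props, "ne_port", lambda v: type(v) is int and 0 < v < 65536, "an integer TCP port", "global")
    optional(props, "dla_password", lambda v: non_empty(v) and len(v) >= 6, "at least 6 characters", "global")
    for group in ("dla_ne_login", "sca_webui_login"):
        login = props.get(group)
        if not isinstance(login, dict):
            errors.append(f"global: {group} group is required")
            continue
        require(login, "username", non_empty, "a string", group)
        optional(login, "password", non_empty, "a non-empty string", group)

    branches = props.get("branches")
    if not isinstance(branches, list) or not branches:
        return errors + ["global: branches must hold at least one dash-prefixed entry"]
    for index, branch in enumerate(branches):
        where = f"branches[{index}]"
        for key in ("ne_ctl_ip", "dla_ctl_ip", "dla_ctl_gw"):
            require(branch, key, is_ipv4, "an IPv4 address", where)
        require(branch, "dla_ctl_mask", is_netmask, "a subnet mask", where)
        require(branch, "dla_hostname", non_empty, "a string", where)
        optional(branch, "dla_description", lambda v: isinstance(v, str) and len(v) <= 256,
                 "a string of at most 256 characters", where)
        optional(branch, "dla_ctl_host_sca", is_ipv4, "an IPv4 address", where)
        netflow = branch.get("ne_netflow_interfaces")
        ifnames = netflow.get("ifnames") if isinstance(netflow, dict) else None
        if not isinstance(ifnames, list) or not ifnames or not all(non_empty(n) for n in ifnames):
            errors.append(f"{where}: ne_netflow_interfaces: ifnames must be a non-empty list of interface names")
    return errors
```

Calling validate_properties(SAMPLE_PROPERTIES) returns an empty list, while validate_properties(BROKEN_PROPERTIES) lists seven problems, one per deliberate fault. The netmask test rejects any non-contiguous mask rather than only checking that the value is a dotted quad, because the script passes the mask to the agent's interface configuration unchanged. Treat the result as a pre-flight check that complements, and does not replace, the script's own -v and -V validation described under Install Script Options.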
Configuring VRF Forwarding on the ISR
In the install.yaml properties file, if you added the vir_portgroup_1: ip_unnum interface to a non-default VPN routing and forwarding (VRF) instance on your ISR, you must define the vir_portgroup_1: vrf_forwarding property in the file. This allows the script to properly copy the .ova file to the router using SCP.
On the ISR, you must also configure the vir_portgroup_1: ip_unnum interface as the source address for an SSH client device, so the script can properly copy the .ova file.
Before You Begin
Define vrf_forwarding in the install.yaml properties file. See Agent Properties File Settings for more information.
Log into the ISR console.
Procedure
Step 1 enable
Example: Router> enable
Purpose: Enable privileged EXEC mode.
Step 2 config t
Example: Router# config t
Purpose: Enter global configuration mode.
Step 3 ip ssh source-interface <ip_unnum>
Example: Router(config)# ip ssh source-interface GigabitEthernet0/0/0
Purpose: Specify the ip_unnum interface as the source for an SSH client device.
Step 4 exit
Example: Router(config)# exit
Purpose: Exit global configuration mode and return to privileged EXEC mode.
Updating the Agent Properties File
Procedure
Step 1 cd /opt/cisco/sln/install_upgrade/container
Example: user@host:~$ cd /opt/cisco/sln/install_upgrade/container
Purpose: Navigate to the /container directory.
Step 2 cp install.yaml.example install.yaml
Example: user@host:/opt/cisco/sln/install_upgrade/container$ cp install.yaml.example install.yaml
Purpose: Copy the install.yaml.example file to install.yaml.
Step 3 vi install.yaml, then enter your password when prompted.
Example: user@host:/opt/cisco/sln/install_upgrade/container$ vi install.yaml
Purpose: Open the install.yaml install and upgrade properties file in the vi text editor.
Step 4 Using Agent Properties File Settings as a guide, update the properties file with the necessary settings.
Purpose: Update the properties file with the necessary settings.
Step 5 Press Esc, then enter :wq! and press Enter.
Purpose: Save your changes and close the file.
What to Do Next
Run the install script, as described in Install Script Operation.
Install Script Operation
The install script (installation_auto.py) deploys agents as virtual services based on settings in the agent install and upgrade properties file (install.yaml). You configure the properties file and run the install script from the controller, which contains both by default.
Based on the properties file settings and the script options you select, the script attempts to deploy agents in batches, copying the .ova file to the ISR, then deploying it.
Note
The script copies the .ova file to the ISR based on the properties file settings. However, if you copy the .ova file to the ISR, and configure the properties file setting to upload the .ova to the same filepath, the script deploys the agent using the .ova file already on the ISR.
As the script runs, it displays progress updates on the console every 10 seconds. These updates display the total number of agents to deploy, the number in progress, and the number that succeeded and failed.
If you commented out password properties in the install.yaml properties file, the script prompts you during the progress updates. For agent passwords, if you did not define a global password, the first time the script deploys an agent without a password defined, it prompts you for the password, then uses this password for all remaining agents without a password defined. The script also logs its progress to several log files.
You can exit the script at any time by pressing Ctrl-C.
Install Script Options
Append the following options to the command line when running the script for the following functionality:
Table 21 Install Script Options
-b <integer>
Configure the script to deploy this number of agents in a batch at one time.
The script defaults to deploying 50 agents in a batch. If you notice failed deployments when running the script, try lowering the batch size.
-c install.yaml
Reference the install.yaml properties file.
--clean_only
Removes all Learning Network License configuration and the virtual service from the ISR. If you want to upgrade your agents to the same version, run the script using --clean_only first, then run the script without --clean_only.
-f
Copies the .ova file specified in the properties file to the destination filepath on the ISR, even if an .ova file with the same name is present at that destination filepath.
-i
Deploy all agents configured in the properties file, even if they have been previously installed successfully.
If you do not define this option, the script only deploys agents that previously failed to deploy properly.
-h
Show help for options.
-v
Perform local validation of the referenced properties file.
-V
Perform validation of the referenced properties file, including connecting to the network element and validating interface names.
Run a basic installation from the controller command line with the following command:
installation_auto.py -c install.yaml
Running the Install Script
Before You Begin
Log into the controller VM console.
Procedure
Step 1 cd /opt/cisco/sln/install_upgrade/container
Example: user@host:~$ cd /opt/cisco/sln/install_upgrade/container
Purpose: Navigate to the /container directory.
Step 2 installation_auto.py -c install.yaml, then enter your password when prompted
Example: user@host:/opt/cisco/sln/install_upgrade/container$ installation_auto.py -c install.yaml
Purpose: Run the installation_auto.py install script.
Step 3 If you did not update install.yaml with passwords, enter those when prompted.
Purpose: Provide passwords when prompted.
Verifying NTP Configuration on the Agent
Procedure
Step 1 ntpq -n -p
Example: user@host:~$ ntpq -n -p
Purpose: Display configured NTP servers. If the system does not display configured NTP servers, repeat NTP configuration in Configuring NTP on the ISR.
Smart Licensing Overview
To deploy the Learning Network License, you must register your controller with Cisco Smart Licensing. If you do not, your deployment enters Evaluation Mode, a 90-day trial which limits you to a maximum of 10 managed agents, and disables new functionality when the 90 days expire.
Cisco Smart Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, Smart Licenses are not tied to a specific serial number or license key. Smart Licensing lets you assess your license usage and needs at a glance.
In addition, Smart Licensing does not prevent you from deploying agents. You can deploy an agent and purchase the license later. This allows you to deploy and use an agent, and avoid delays due to purchase order approval.
Logging into the Controller Web UI
When you installed the controller, you defined an IP address for the controller web UI, and reset the administrator user account (admin) password. Log in with the temporary password printed to the controller VM console. After you log in once, you must change the password and confirm the new password.
Procedure
In your web browser, navigate to https://controller-web-ip-address, then enter your controller web username and password when prompted.
Registering the Controller Instance
Before You Begin
Obtain a registration token from the Smart Software Manager (http://www.cisco.com/web/ordering/smart-software-manager/index.html).
Log into the controller web UI.
Procedure
Step 1 Select Dashboard.
Step 2 Click Smart Licensing.
Step 3 Click Register.
Step 4 Paste your registration token into the Smart Software Licensing Product Registration field.
Step 5 If you want to use a registration token and the current token is still valid, check Reregister this product instance if it is already registered.
Step 6 Click Register.
Enabling Agents on the Controller
If you do not register your controller with Smart Licensing before you enable agents, your deployment is in Evaluation Mode, and you are limited to managing 10 agents with your controller for 90 days.
When you register your controller with Smart Licensing and enable the agents, ensure you have enough license entitlements.
Before You Begin
Log into the controller web UI.
Procedure
Step 1 Select AGENTS.
Step 2 For each managed agent, click Enable, then click Continue to enable the agent.
Interface Configuration
When you configure a Network Element's interface, select a traffic direction, whether you want to enable mitigations on the interface, and whether you want to enable packet buffer capture (PBC) or deep packet inspection (DPI).
Note
Subinterface configuration of PBC/DPI is not supported on 4000 Series ISRs.
The Direction you select for an interface determines how the agent tracks traffic origin from within or outside the branch, populates clusters, and models traffic to identify anomalies. Label each interface based on the following guidelines:
An Internal interface faces the branch and branch hosts. The system applies Learning Network License-related NetFlow on this interface.
An External interface faces the core. This interface passes traffic outside the branch, including other branches, headquarters, or the Internet.
An Unconfigured interface does not qualify as either Internal or External. It is unused, or there is a reason you do not want to monitor the traffic over this interface.
An agent monitors traffic, and creates clusters of hosts with similar characteristics. The agent clusters external hosts, those residing on External interfaces, separately from internal hosts, those residing on Internal interfaces. Traffic between clusters is monitored for anomaly detection.
The agent monitors traffic to or from branch hosts. All traffic to or from an Internal interface, which represents the branch host traffic, is modeled for anomaly detection purposes. Traffic that does not involve an Internal interface is not modeled. See the following table for more information.
Table 22 Interface Direction and Modeled Traffic
Traffic from an Internal interface...
  ...to an Internal interface: is modeled and inspected for anomalous traffic.
  ...to an External interface: is modeled and inspected for anomalous traffic.
  ...to an Unconfigured interface: is modeled and inspected for anomalous traffic.
Traffic from an External interface...
  ...to an Internal interface: is modeled and inspected for anomalous traffic.
  ...to an External interface: is not modeled and inspected for anomalous traffic.
  ...to an Unconfigured interface: is not modeled and inspected for anomalous traffic.
Traffic from an Unconfigured interface...
  ...to an Internal interface: is modeled and inspected for anomalous traffic.
  ...to an External interface: is not modeled and inspected for anomalous traffic.
  ...to an Unconfigured interface: is not modeled and inspected for anomalous traffic.
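The table reduces to one rule: a flow is modeled only when at least one of its two interfaces is Internal. As an added example (not code from this guide or from the product), the following Python applies that rule to a constructed set of flow records and reports how much traffic a given Direction labelling leaves outside the anomaly model. The interface names, the flow records and the function names are assumptions made for this example.

```python
# Added example: how much traffic a Direction labelling leaves unmodeled (Table 22 rule).

DIRECTIONS = ("Internal", "External", "Unconfigured")

# Constructed labelling for one branch router; the interface names are assumptions.
INTERFACE_DIRECTION = {
    "GigabitEthernet0/0/1": "Internal",      # branch LAN
    "GigabitEthernet0/0/0": "External",      # WAN towards headquarters
    "Tunnel10": "External",                  # tunnel to another branch
    "GigabitEthernet0/0/2": "Unconfigured",  # a segment nobody has labelled yet
}

# Constructed flow records: (ingress interface, egress interface, bytes).
FLOWS = [
    ("GigabitEthernet0/0/1", "GigabitEthernet0/0/0", 120_000),  # branch host to core
    ("GigabitEthernet0/0/0", "GigabitEthernet0/0/1", 480_000),  # core to branch host
    ("Tunnel10", "GigabitEthernet0/0/0", 50_000),               # transit between core links
    ("GigabitEthernet0/0/2", "GigabitEthernet0/0/0", 300_000),  # unlabelled segment to core
    ("GigabitEthernet0/0/2", "GigabitEthernet0/0/1", 10_000),   # unlabelled segment to branch
]


def is_modeled(from_direction, to_direction):
    """Table 22 as one rule: modeled and inspected iff either side is Internal."""
    for direction in (from_direction, to_direction):
        if direction not in DIRECTIONS:
            raise ValueError(f"unknown direction {direction!r}")
    return "Internal" in (from_direction, to_direction)


def coverage_report(interface_direction, flows):
    """Split flow bytes into modeled and unmodeled, and list the Unconfigured
    interfaces that carried traffic (candidates for an Internal or External label).
    An interface missing from the map is treated as Unconfigured."""
    modeled = unmodeled = 0
    unconfigured_with_traffic = set()
    for ingress, egress, nbytes in flows:
        src = interface_direction.get(ingress, "Unconfigured")
        dst = interface_direction.get(egress, "Unconfigured")
        if is_modeled(src, dst):
            modeled += nbytes
        else:
            unmodeled += nbytes
        for name, direction in ((ingress, src), (egress, dst)):
            if direction == "Unconfigured":
                unconfigured_with_traffic.add(name)
    return modeled, unmodeled, sorted(unconfigured_with_traffic)


def modeled_matrix():
    """The nine cells of Table 22, keyed by (from direction, to direction)."""
    return {(f, t): is_modeled(f, t) for f in DIRECTIONS for t in DIRECTIONS}


if __name__ == "__main__":
    modeled, unmodeled, gaps = coverage_report(INTERFACE_DIRECTION, FLOWS)
    print(f"modeled bytes: {modeled}, unmodeled bytes: {unmodeled}")
    print("Unconfigured interfaces that carried traffic:", gaps)
```

With the constructed records, 610,000 bytes are modeled and 350,000 are not; almost all of the unmodeled share comes from GigabitEthernet0/0/2, which carries real traffic but is still Unconfigured. Running the same report against exported flow counts before settling the Direction labels shows exactly which interfaces the agent will never model, which is the gap the table describes.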
You can enable mitigation on Ethernet interfaces and most tunnel interfaces. The system does not support enabling mitigation on tunnel interfaces with multipoint GRE (mGRE) enabled.
Cisco recommends you enable mitigation on all enabled and supported interfaces, regardless of traffic direction. This provides maximum protection if the agent detects an anomaly, and you want to install a QoS policy on the Network Element to prevent the anomaly from being forwarded. If you configure a mitigation tailored to this anomalous traffic, the system installs the corresponding QoS policy on all Network Element interfaces on which you enabled mitigation.
Note
By default, the system checks the Enable Mitigation checkbox for all Ethernet and non-mGRE tunnel interfaces.
If your router interface has subinterfaces, and already has a quality of service (QoS) policy installed at the parent interface level, you can only enable mitigation policies at the parent level for that interface family. Similarly, if the subinterfaces have a QoS policy installed, you can only enable mitigation policies at the subinterface level for that interface family. If you enable a mitigation on a subinterface, the system automatically enables the mitigation on all sibling subinterfaces.
If the interface family does not have a QoS policy installed, you can install a mitigation at the parent interface or subinterface level. Once you configure a mitigation for a parent interface or a subinterface, however, you can only subsequently create mitigations at that level for the interface family.
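The two paragraphs above decide where a mitigation may be enabled within an interface family (a parent interface and its subinterfaces). As an added example, not the controller's own code, the following Python encodes those rules: an existing QoS policy fixes the level, an mGRE tunnel takes no mitigation, the first mitigation configured locks the level for the family, and enabling one subinterface enables its siblings. The class, method and interface names are assumptions made for this example; the case of QoS policies at both the parent and subinterface level is not covered by the guide, and the example refuses it.

```python
# Added example: where a mitigation may be enabled in an interface family.
from dataclasses import dataclass, field


@dataclass
class InterfaceFamily:
    parent: str
    subinterfaces: list = field(default_factory=list)
    qos_at_parent: bool = False          # QoS policy already installed on the parent
    qos_at_subinterfaces: bool = False   # QoS policy already installed on subinterfaces
    mgre: bool = False                   # multipoint GRE tunnel: mitigation unsupported
    mitigation_level: str = ""           # "parent" or "subinterface" once the first is set
    mitigated: set = field(default_factory=set)

    def allowed_levels(self):
        """Levels at which a mitigation may be enabled right now."""
        if self.mgre:
            return set()
        if self.qos_at_parent and self.qos_at_subinterfaces:
            return set()  # mixed case not described by the guide; refused here (assumption)
        if self.qos_at_parent:
            return {"parent"}
        if self.qos_at_subinterfaces:
            return {"subinterface"}
        if self.mitigation_level:
            return {self.mitigation_level}  # the first mitigation fixed the level
        return {"parent", "subinterface"}

    def enable_mitigation(self, interface):
        """Enable mitigation on one interface; returns the interfaces now mitigated."""
        if interface == self.parent:
            level = "parent"
        elif interface in self.subinterfaces:
            level = "subinterface"
        else:
            raise ValueError(f"{interface} is not in the {self.parent} family")
        if level not in self.allowed_levels():
            raise ValueError(f"{level}-level mitigation is not allowed on {self.parent}")
        self.mitigation_level = level
        if level == "parent":
            self.mitigated.add(self.parent)
        else:
            self.mitigated.update(self.subinterfaces)  # siblings are enabled together
        return set(self.mitigated)


def rejects(family, interface):
    """True if enabling mitigation on the interface is refused."""
    try:
        family.enable_mitigation(interface)
        return False
    except ValueError:
        return True


def demo():
    """Walk through the situations the guide describes."""
    free = InterfaceFamily("GigabitEthernet0/0/1",
                           ["GigabitEthernet0/0/1.10", "GigabitEthernet0/0/1.20"])
    first = free.enable_mitigation("GigabitEthernet0/0/1.10")  # sibling .20 follows
    parent_locked_out = rejects(free, "GigabitEthernet0/0/1")  # level is now fixed
    parent_qos = InterfaceFamily("GigabitEthernet0/0/2", ["GigabitEthernet0/0/2.30"],
                                 qos_at_parent=True)
    sub_refused = rejects(parent_qos, "GigabitEthernet0/0/2.30")
    tunnel = InterfaceFamily("Tunnel0", mgre=True)
    return first, parent_locked_out, sub_refused, tunnel.allowed_levels()


if __name__ == "__main__":
    print(demo())
```

demo() returns the two subinterfaces as mitigated after a single enable, True for both refusals, and an empty set of levels for the mGRE tunnel. The same walk-through is a useful mental check before clicking Enable mitigation in the web UI: once the first mitigation lands at one level, the other level is unavailable for that family until the QoS policy situation changes.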
You can enable PBC or DPI on any interface with the word Ethernet in its name, with the following exceptions:
You can only enable PBC or DPI on a G2 ISR interface if you did not configure it to export IP traffic (ip traffic-export). If you configured IP traffic export on the interface, remove the configuration from the interface before enabling PBC and DPI.
You can only enable PBC or DPI on a 4000 Series ISR parent interface.
This allows you to capture and download PCAP files, or capture DNS query information from traffic.
Note
On a G2 ISR, if you enable PBC or DPI on a parent interface, the system also enables it for all sub-interfaces. Similarly, if you enable PBC or DPI on a G2 ISR sub-interface, the system also enables it for the parent interface and all sibling subinterfaces.
Configuring Agent Network Settings
You can update an agent's network settings, including the host router's IP address and the directionality of the router's interfaces.
Procedure
Step 1 Select AGENTS.
Step 2 Click Configure next to an agent.
Step 3 Enter the VirtualPortGroup1 virtual service eth0 IPv4 address in the Network Element IP field.
Step 4 Click the expand icon next to an interface to view the router interface configuration.
Step 5 For an interface, choose from the drop-down:
- Internal if the interface faces the branch (generally, if NetFlow is configured on the interface)
- External if the interface faces the core (generally, if the interface is passing traffic)
- Unconfigured if the interface is unused, or the interface faces neither the branch nor the core
Step 6 Check Enable mitigation to apply mitigation actions to this interface.
Step 7 If you want to capture raw packet data and send it from the network element to the agent, take the following steps:
- Check Enable PBC/DPI on one or more interfaces to enable raw packet capture.
- Select a network element interface from the Raw Packet Tx Interface (on NE) drop-down on which the network element passes raw packets to the agent.
- Select an agent interface from the Raw Packet Rx Interface (on Agent) drop-down on which the agent receives raw packets from the network element.
Step 8 If you want to enable the packet buffer capture (PBC) feature, check Enable PBC. You must enable capturing raw packet data.
Step 9 If you want to capture DNS query information, check Enable DPI/DPS. You must enable capturing raw packet data.
Step 10 Click Submit.
Step 11 Click Submit.
Step 12 If you want to create a template to apply this configuration to other agents, click Create template.
What to Do Next
Allow the system time to perform the initial learning phase, as described in Initial Learning Phase Overview.
Initial Learning Phase Overview
After you manage your agents with the controller, allow the system to run for seven days, inspect your network traffic, and build a baseline traffic model.
The Learning Network License system identifies anomalies by comparing detected traffic to the baseline model, and noting deviations. After system deployment, each agent inspects traffic traversing the router. During this initial learning phase, the agent builds a baseline traffic model. The model includes dynamically-generated clusters of hosts, and what types of application traffic are transmitted between clusters at what times of day.
If you log into the controller web UI while the system is learning about your network, you may see very few or no reported anomalies, as the system cannot compare against a baseline yet. Towards the end of the initial learning phase, the system may start reporting anomalies, but without a complete baseline, these anomalies may not be relevant. After the initial learning phase, when each agent completes its baseline model, the system can properly identify anomalous traffic that deviates from the baseline.
For more information, see the Cisco Stealthwatch Learning Network License Configuration Guide.
Next Steps
After you deploy the Learning Network License system, you can perform the following:
Configure audit and event logging. See the Cisco Stealthwatch Learning Network License Virtual Service Installation Guide for more information.
Integrate with an Identity Services Engine (ISE) server by configuring pxGrid integration. See the Cisco Stealthwatch Learning Network License Virtual Service Installation Guide for more information.
Log into the controller web UI to configure user display settings, view anomalies and assign relevance feedback, configure mitigations for an anomaly, and configure external system integration. See the Cisco Stealthwatch Learning Network License Configuration Guide for more information.
For Assistance
Thank you for using Cisco products.
For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information about the Firepower System, see What’s New in Cisco Product Documentation at http://www.cisco.com/c/en/us/td/docs/general/whatsnew/whatsnew.html.
Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and have the content delivered directly to your desktop using a reader application. The RSS feeds are a free service.
If you have any questions or require assistance with the Cisco Stealthwatch Learning Network License system, please contact Cisco Support:
Visit the Cisco Support site at http://support.cisco.com.
Email Cisco Support at tac@cisco.com.
Call Cisco Support at 1.408.526.7209 or 1.800.553.2447.
Copyright © 2016, Cisco Systems, Inc. All rights reserved.