Contents

• Cisco Stealthwatch Learning Network License Quick Start Guide
• Learning Network License Introduction
• Installing the Learning Network License System
• Installation Prerequisites
• Communication Ports
• Learning Network License and Licensing
• Controller Host Requirements
• Controller Installation Prerequisites
• ISR Platform Requirements
• ISR 4000 Series Platform Requirements
• Verifying ISR Platform Requirements
• Example ISR Platform Requirements
• ISR Configuration Prerequisites
• ISR License Installation
• Agent and ISR Interaction
• Agent Installation Prerequisites
• Agent Configuration Prerequisites
• Downloading the OVA Files from Cisco
• Obtaining a File's Checksum from cisco.com
• Controller Deployment
• Deploying the OVA File
• Powering On the Virtual Machine
• Controller Virtual Hard Disk Storage
• Controller Virtual Hard Disk Allocation Expansion
• Editing VM Settings to Increase Virtual Hard Disk Size
• Adding a New Virtual Hard Disk Partition Larger than 2 TB
• Updating the Filesystem for the New Virtual Hard Disk Partition
• Controller Virtual Hard Disk Addition
• Editing VM Settings for a New Hard Disk
• Adding a New Hard Disk
• Updating the Filesystem for the New Hard Disk
• Custom Controller Web UI Certificates
• Uploading a Private Key Password
• Uploading Custom Controller Web UI Certificates
• Configuring the Controller with the Setup Script
• Resetting the Administrator Password
• Disabling Host Time Synchronization
• Logging into the Controller Web UI
• Verifying NTP Configuration on the Controller
• Controller Certificate Management
• Updating the Controller Configuration
• Restarting Controller Processes
• Updating Administrator Credentials
• NTP Configuration
• Configuring NTP on the ISR
• Install Script Overview
• ISR Hardware Configuration
• Install Script Deployment
• Agent Properties File Overview
• Agent Properties File Settings
• Configuring VRF Forwarding on the ISR
• Updating the Agent Properties File
• Install Script Operation
• Install Script Options
• Running the Install Script
• Verifying NTP Configuration on the Agent
• Smart Licensing Overview
• Logging into the Controller Web UI
• Registering the Controller Instance
• Restarting the Controller Processes
• Enabling Agents on the Controller
• Interface Configuration
• Configuring Agent Network Settings
• Initial Learning Phase Overview
• Next Steps
• For Assistance

Cisco Stealthwatch Learning Network License Quick Start Guide

---

The following details essential information on deploying and configuring your Cisco Stealthwatch Learning Network License system.

Learning Network License Introduction

The Learning Network License system is a hyper-distributed analytics architecture that inspects your network traffic and applies machine learning algorithms to perform a behavioral analysis. As a result, the system can identify anomalous behavior, such as malware, distributed botnets, data exfiltration, and more.

You deploy multiple agents to your network edge to inspect traffic. These agents report the anomalies in real-time to the controller for additional system and user analysis. Based on the anomalies, you can provide relevance feedback, which the system incorporates into internal traffic models. This allows the system to better identify and report anomalies of interest.

You can also configure mitigations based on anomaly properties, such as hosts involved and application traffic transferred. These mitigations reduce or eliminate the impact of detected anomalies now and in the future. The combination of behavioral analysis, user feedback, and traffic mitigation customizes the system to address the threats specific to your network and better protect your users.

Installing the Learning Network License System

The following provides a high-level overview to installing the Learning Network License system.

Procedure

---

Step 1	Ensure your ISRs support installing the Learning Network License system, and have the proper licenses and hardware. See Installation Prerequisites for more information.
Step 2	Deploy a separate ESXi host to run the controller. See Controller Host Requirements for more information.
Step 3	Download the agent and controller OVA files at http:/​/​www.cisco.com/​c/​en/​us/​support/​security/​ stealthwatch-learning-network-license/​tsd-products-support-series-home.html. See Downloading the OVA Files from Cisco for more information.
Step 4	Deploy the controller to the ESXi host using vSphere Client. Power on the virtual machine, and log into the controller VM console using the default administrator username (sln) and default administrator password (cisco). See Controller Deployment for more information.
Step 5	Run the setup-system setup script from the controller command line. Follow the script prompts to configure the network connection, NTP servers, and generate public key certificates. Verify your NTP configuration from the controller VM console. See Configuring the Controller with the Setup Script and Verifying NTP Configuration on the Controller for more information.
Step 6	Update the sca.conf controller configuration file to configure public key certificate management settings, then restart the controller processes. See Updating the Controller Configuration and Restarting Controller Processes for more information.
Step 7	Log into the controller web UI with the default administrator login (admin) and the default administrator password (cisco), then update administrator credentials. See Updating Administrator Credentials for more information.
Step 8	Configure NTP servers on your ISR. See NTP Configuration for more information.
Step 9	From the controller VM console, configure the install.yaml agent install properties file. See Agent Properties File Settings and Updating the Agent Properties File for more information.
Step 10	Run the installation_auto.py install and upgrade script from the controller to deploy the agent as a virtual service to an ISR. See Running the Install Script for more information.
Step 11	Log into the controller web UI with your updated administrator credentials. Register your controller with Smart Licensing. From the controller VM console, restart the controller's processes. See Registering the Controller Instance and Restarting the Controller Processes for more information.
Step 12	From the controller web UI, enable and configure your agents with the controller as described in Enabling Agents on the Controller and Configuring Agent Network Settings.
Step 13	Allow the system an initial learning phase to create a baseline model of your network traffic. See Initial Learning Phase Overview for more information.

---

Installation Prerequisites

When you deploy the Learning Network License system, obtain or configure the following:

• open ports for system functionality

• an ESXi host for the controller

• a Network Element capable of running the agent as a virtual service (container)

• the proper licensing for your Network Element

• the controller and agent OVA files

Communication Ports

Learning Network License requires several open ports for functionality, to allow communication between the controller and agents, and to allow users to access the controller UI. If a firewall or other security appliance sits between the controller and agents, or between the user and the controller, open these ports.

The following diagram illustrates this system functionality.

Figure 1. System Functionality Requiring Open Ports with an Agent Deployed as a Virtual Service

• Users, such as system administrators, can log into the controller web UI, and SSH login to agents.

• The controller sends information, such as mitigations, to the agent, and contacts NTP servers to synchronize time.

• The agent sends information, such as anomalies, log files, configuration files, and PCAP files, to the controller, and contacts NTP servers to synchronize time.

The following diagram illustrates the open ports and directionality. See Table 1 for more information on these ports.

Figure 2. Open Ports for System Functionality with an Agent Deployed as a Virtual Service

Table 1 Default Communication Ports for Learning Network License Features and Operation

Port	Description	Direction	Is Open for any...	To...
22/TCP	SSH/SCP	outbound from agent eth0 interface Management IP, inbound to controller IP	IP associated with the controller, Management IP associated with the agent	transfer log files and configuration files
22/TCP	SSH	outbound from host IP, inbound to agent eth0 interface Management IP	host IP that wants to SSH login to the agent	Optionally enable remote access to the agent administrator script when the agent is deployed as a virtual service
22/TCP	SSH	inbound from host IP to controller IP	host IP that wants to SSH login to the controller	optionally enable SSH login to the controller
123/UDP	NTP	outbound from the controller IP to an external NTP server	IP associated with the controller	synchronize time with agents deployed as virtual services
443/TCP	HTTPS	inbound from user IP to controller IP	host IP that wants to access the controller UI	access the controller UI
9091/TCP	TLS	outbound from controller IP to agent eth0 interface Management IP	IP associated with the controller	allow the controller to communicate with the agent
9092/TCP	packet buffer capture (PBC)	outbound from controller IP to agent eth0 interface Management IP	IP associated with the controller	enable PBC

Learning Network License and Licensing

To properly deploy your Learning Network License system, you must obtain the proper IOS Licenses for your ISRs, as well as the proper Smart Licenses for Learning Network License.

To run an agent on an ISR, you must activate an IP Base (ipbasek9) IOS license, and a Data (datak9) or App (appxk9) IOS license. See http:/​/​www.cisco.com/​c/​en/​us/​td/​docs/​routers/​access/​sw_activation/​SA_​on_​ISR.html for more information on activating the licenses.

You must also obtain the appropriate Smart License entitlement for each controller and agent you deploy.

Table 2 Smart License Entitlement Types

Learning Network License Component	License Entitlement and Description	Associated File Downloads and Description
controller	L-SW-SCA-K9 - SCA Virtual Manager	sln-sca-k9-<ver>.ova - single controller OVA
agent deployed as a virtual service on an ISR 43XX	L-SW-LN-43-1Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 1 Yr Term L-SW-LN-43-3Y-K9 - Cisco Stealthwatch Learning Network License for 4300 Series 3 Yr Term	sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash
agent deployed as a virtual service on an ISR 44XX	L-SW-LN-44-1Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 1 Yr Term L-SW-LN-44-3Y-K9 - Cisco Stealthwatch Learning Network License for 4400 Series 3 Yr Term	sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's NIM-SSD sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - agent deployed as a virtual service to the ISR's bootflash

Note	After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.

For more information on Smart Licensing, see http:/​/​www.cisco.com/​web/​ordering/​smart-software-manager/​smart-accounts.html.

In addition, you must generate a registration token in the Cisco Smart Software Manager (http:/​/​www.cisco.com/​web/​ordering/​smart-software-manager/​index.html), then use this to register your controller. Each time you manage and enable an agent with the controller, the controller automatically requests a license entitlement for the agent.

For more information about the Cisco Smart Software Manager, see the Cisco Smart Software Manager User Guide.

Controller Host Requirements

You can host a controller virtual appliance on a VMware ESXi Version 5.5 hosting environment. You can also enable VMware tools on all supported ESXi versions. For information on the full functionality of VMware Tools, see the VMware website (http:/​/​www.VMware.com). For help creating a hosting environment, see the VMware ESXi documentation.

Virtual appliances use Open Virtual Format (OVF) packaging. Cisco provides the controller and agent virtual appliances in Open Virtual Appliance (OVA) format, an archive version of the OVF file.

The computer that serves as the controller ESXi host must meet the following requirements:

• It must have a 64-bit CPU that provides virtualization support, either Intel® Virtualization Technology (VT) or AMD Virtualization™ (AMD-V™) technology.

• Virtualization must be enabled in the BIOS settings.

• To host virtual devices, the computer must have network interfaces compatible with Intel e1000 drivers (such as PRO 1000MT dual port server adapters or PRO 1000GT desktop adapters).

• This host must have network connectivity to all Network Elements where you will install your agents.

• Users such as administrators and analysts should be able to establish a connection to this host, to access the controller user interface.

For more information, see the VMware website: http:/​/​www.vmware.com/​resources/​guides.html.

Note	Installing the controller on a Network Element is not supported.

Controller Installation Prerequisites

Controller Download

Cisco provides the controller as an OVA file: sln-sca-k9-<ver>.ova. Download the file at http:/​/​www.cisco.com/​c/​en/​us/​support/​security/​stealthwatch-learning-network-license/​tsd-products-support-series-home.html.

Note	After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.

You must also download and install the latest version of VMware vSphere Client to install the virtual machine. Cisco recommends you also download and install VMware ESXi version 5.5 to run the virtual machine. Download the files at https:/​/​my.vmware.com/​web/​vmware/​downloads.

Controller Virtual Appliance Settings

Each virtual appliance you create requires a certain amount of memory, CPUs, and hard disk space on the ESXi host. Do not decrease the default settings, as they are the minimum required to run the system software. The following table lists the default settings.

Table 3 Default Controller Virtual Appliance Settings

Setting	Default
memory	24576 MB (24 GB)
virtual CPUs (vCPU)	4
virtual NICs	vNIC 0 - Main Network vNIC 1 (disconnected) - Alt1 Network vNIC 2 (disconnected) - Alt2 Network
hard disk provisioned size	200 GB

When you start the VM, the controller determines the amount of physical RAM available, and updates the configuration to allow use of up to half of that RAM.

Cisco recommends you increase VM settings, depending on the size of your Learning Network License deployment. See the following table for recommendations.

Table 4 Recommended Controller VM Settings

Learning Network License Deployment Size	Recommended VM Settings
1 to 50 agents	24576 MB (24 GB) of RAM 8 vCPU 400 GB of hard disk provisioned size
51 to 1000 agents	65536 MB (64 GB) of RAM 16 vCPU 4 TB of hard disk provisioned size

Note	The number of vCPUs is determined by multiplying the number of virtual sockets by the number of cores per socket.

If you increase the memory, number of vCPUs and cores/socket (default is 4), or the hard disk size, see http:/​/​www.vmware.com/​ for more information and best practices.

Information Needed During Installation

When you run the setup script, provide the following information to configure the controller:

Table 5 Controller Installation Settings

Setting	Description
eth0 interface IPv4 address, netmask, and gateway	transfer management traffic with agent, and provide access to controller web UI
eth0 interface hostname	hostname for the controller
eth0 interface DNS servers and DNS search suffixes	DNS context for anomalies
NTP server IPv4 addresses	synchronize time in Learning Network License system

The setup script allows you the option of generating self-signed certificates. If you generate a certificate for the controller web UI server, you can define the following subject distinguished name components:

Table 6  Self-Signed Certificate Subject Distinguished Name Options

Option	Description
Country Name	A two-letter ISO 3166-1 country code
State or Province Name	Full name of the state or province where your organization is located
Locality Name	The city where your organization is located
Organization Name	Your organization's name
Organizational Unit Name	Your organization's division's name
Common Name	A host and domain name associated with the certificate
Email Address	A contact email address

Learning Network License requires a server certificate to encrypt controller/agent communications, and a server certificate to encrypt user connections to the controller web user interface.

ISR Platform Requirements

Several 4000 Series ISRs support hosting an agent in a service container. You can optionally install a solid state drive (SSD) carrier and SSD network interface module (NIM-SSD) for the agent. For more information on the 4000 Series ISRs, see http:/​/​www.cisco.com/​c/​en/​us/​td/​docs/​routers/​access/​4400/​roadmap/​isr4400roadmap.html.

ISR 4000 Series Platform Requirements

Table 7 ISR 4000 Series Platform Requirements

ISR Component	Required
Model	Cisco 4331 Cisco 4351 Cisco 4431 Cisco 4451
Control Plane DRAM	8192 MB (8 GB)
Disk Storage for Service Container Hosting	If you deploy your virtual service to bootflash, no additional equipment is required. If you want to deploy your virtual service to a hard disk, to achieve much larger storage capacities, you must install: NIM-SSD(=) - NIM carrier card for SSD drives SSD-SATA-200G(=) - 200 GB SATA solid state disk for NIM-SSD, 155 GB free See Agent Installation Prerequisites for more information.
Complex Programmable Logic Device	Version 15010638 or greater
Image	IOS-XE Release 15.4(3)S1 through 15.5(3)Sx Note    IOS-XE Release 15.4(3)S2 and prior do not support deploying a virtual service to bootflash. You must deploy a virtual service to a NIM-SSD for these releases, or upgrade to Release 15.5(3)S to deploy the virtual service to bootflash.
NBAR2 Protocol Pack	Version 15.0.0 or greater (IOS-XE 15.4(3)S1 through 15.5(3)S) Version 17.0.0 or greater (IOS-XE 15.5(3)S, rebuild 2 or greater
Licenses	Cisco 4331: SL-4330-IPB-K9 - IP Base license, and SL-4330-APP-K9 - AppX license Cisco 4351: SL-4350-IPB-K9 - IP Base license, and SL-4350-APP-K9 - AppX license Cisco 44XX: SL-44-IPB-K9 - IP Base license, and SL-44-DATA-K9 or SL-44-APP-K9 - Data license or AppX license See http:/​/​www.cisco.com/​c/​en/​us/​products/​collateral/​routers/​4000-series-integrated-services-routers-isr/​guide-c07-732797.html#_​Toc424288435 for more information.

Verifying ISR Platform Requirements

Before You Begin

• Log into the ISR console.

Procedure

	Command or Action	Purpose
Step 1	enable Example:Router> enable	Enable privileged EXEC mode.
Step 2	show version Example:Router# show version	Show version information, including image version, installed ISR licenses, and control plane DRAM.
Step 3	show platform Example:Router# show platform	Show the Complex Programmable Logic Device version.
Step 4	show ip nbar protocol-pack active Example:Router# show ip nbar protocol-pack active	Show the NBAR2 protocol pack version.
Step 5	exit Example:Router# exit	Exit privileged EXEC mode.

Example ISR Platform Requirements

Issuing the show version command to your ISR allows you to view your image version, installed licenses, and the total control plane DRAM on the ISR. These are italicized below. Note that appxk9 corresponds to the AppX license, and ipbasek9 corresponds to the IP Base license.

Router> enable

Router# show version
Cisco IOS XE Software, Version 2016-05-16_22.05.paj
Cisco IO Software, ISR Software (X86_64_LINUX_IOSD-UNIVERSALK9-M), Version 15.5(3)s2, RELEASE SOFTWARE (fc2)

...

Technology Package License Information:

––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––-
Technology    Technology-package           Technology-package
              Current       Type           Next reboot
–––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––––--
appxk9        appxk9        RightToUse     appxk9 [AppX license]
uck9          None          None           None
securityk9    None          None           None
ipbase        ipbasek9      Permanent      ipbasek9 [IP Base license]

cisco ISR4431/K9 (1RU) processor with 7799569K/6147K bytes of memory.

...

Issuing the show platform command to your ISR allows you to view the Complex Programmable Logic Device (CPLD) version, italicized below.

Router# show platform
Chassis type: ISR4431/K9

Slot       Type              State                    Insert time (ago)
–––––––––- ––––––––––––––––– –––––––––––––––––––––––– –––––––––––––––––--

...

Slot       CPLD Version           Firmware Version
–––––––––- –––––––––––––––––––––– –––––––––––––––––––––––––––––––––––––--
0          15010638               15.4(2r)S
R0         15010638               15.4(2r)S
F0         15010638               15.4(2r)S

Issuing the show ip nbar protocol-pack active command to your ISR allows you to view the NBAR2 protocol pack version, italicized below.

Router# show ip nbar protocol-pack active


Active Protocol Pack:


Name:                            Advanced Protocol Pack
Version:                         17.0
Publisher:                       Cisco Systems Inc. 

...

ISR Configuration Prerequisites

Information Needed for ISR Configuration

When you configure the ISR's NTP servers and flexible NetFlow, provide the following information:

Table 8 ISR Configuration Settings

Setting	Description
loopback interface IPv4 address or router management interface	configure NTP server connectivity. Use a loopback interface if you have one configured, or the router management interface if you do not.
NTP server IPv4 addresses	synchronize time in Learning Network License system
agent eth0 IPv4 address for NetFlow exporter	pass NetFlow packets from the ISR to the agent and traffic between the controller and the agent

ISR License Installation

To run an agent on an ISR 4000 Series, you must activate an IP base (ipbasek9) IOS license, and an App (appxk9) IOS license, on the ISR. See http:/​/​www.cisco.com/​c/​en/​us/​td/​docs/​routers/​access/​sw_activation/​SA_​on_​ISR.html for more information on activating the licenses.

Agent and ISR Interaction

The following diagram illustrates the interaction between an agent and its host ISR.

Figure 3. ISR and Agent Deployed as a Virtual Service

The diagram shows an agent deployed as a virtual service, named sln, on the host ISR. The virtual service contains two virtual interfaces:

• VirtualPortGroup1, used as the virtual service's eth0 interface. This is the Management interface, which handles controller/agent communication, including mitigations and anomalies. This is also the Control interface, which handles agent/router communication, including passing NetFlow packets from the router to the agent, and passing mitigations from the agent to the router.

  Configure eth0 on the virtual service with a routable IP address, so the controller can reach the agent. Configure VirtualPortGroup1 using ip unnumbered, and a router interface that the controller can reach.

• VirtualPortGroup2, used as the virtual service's eth1 interface. This is the Data Transfer interface, which handles raw packet data passed from the router to the agent. These raw packets are used for packet buffer capture and deep packet inspection.

  Traffic over the data connection does not leave the router. Configure the virtual service interface and VirtualPortGroup2 using private IP addresses.

Agent Installation Prerequisites

The agent runs as a virtual service on your ISR. You can deploy the virtual service either to the ISR's bootflash, or to an optional 200 GB NIM-SSD. In general, agents deployed to bootflash offer less storage space for file retention than agents deployed to a NIM-SSD. See the following table for an overview of these differences.

Table 9 Agent Deployment as Virtual Service Comparison

Feature	Agent Deployed to bootflash	Agent Deployed to NIM-SSD
Default virtual service settings	Lower hard disk provisioned size setting.	Higher hard disk provisioned size setting.
packet buffer capture (PBC)	Lesser file storage allocation for PBC. PCAP file storage is volatile; if the ISR restarts, PCAPs are lost.	Greater file storage allocation for PBC. PCAP file storage is stable; if the ISR restarts, PCAPs are retained.
log files	Lower file storage allocation for log files. Log file storage is volatile; if the ISR restarts, log files are lost.	Greater file storage allocation for log files. Log file storage is stable; if the ISR restarts, log files are retained.

See ISR 4000 Series Platform Requirements for more information.

Note	You must download the virtual service OVA file. You cannot install the UCS E-Series blade server OVA file as a virtual service.

Agent Configuration Prerequisites

Agent OVA Download

Cisco provides the agent as one of two OVA files: sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova to install on the ISR's NIM-SSD, and sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova to install on the ISR's bootflash. Download the file at http:/​/​www.cisco.com/​c/​en/​us/​support/​security/​stealthwatch-learning-network-license/​tsd-products-support-series-home.html.

Note	After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.

Agent Virtual Service Settings

Each agent you deploy as a virtual service requires a certain amount of memory, CPUs, and hard disk space. The following table lists the default settings.

Table 10 Default Agent as a Virtual Service Settings

Setting	Default
memory	3072 MB (3 GB)
virtual CPUs	2
hard disk provisioned size	250 MB (when deployed to bootflash) 150 GB (when deployed to a NIM-SSD)

Agent Install Script

The controller contains an agent install script you can use to deploy the agents as virtual services. See Install Script Deployment and Agent Properties File Settings for more information.

NTP Configuration

The agent deployed as a virtual service receives time from the host router. You must configure the router and the controller with synchronized NTP server addresses to ensure synchronized time.

Downloading the OVA Files from Cisco

Note	After you download a file from cisco.com, generate an MD5 or SHA512 checksum, and make sure it matches the MD5 or SHA512 checksum provided on cisco.com. If the checksums do not match, redownload the file. If the checksums still do not match, contact Cisco Support.

Procedure

---

Step 1	In your web browser, navigate to http:/​/​www.cisco.com/​c/​en/​us/​support/​security/​stealthwatch-learning-network-license/​tsd-products-support-series-home.html. Enter your username and password when prompted.
Step 2	Download the controller OVA file: sln-sca-k9-<ver>.ova
Step 3	Download an agent OVA file: sln-dla-isr4k-cont-150Gs-3Gr-k9-<ver>.ova - contains the agent to be deployed as a virtual service on an ISR's NIM-SSD sln-dla-isr4k-cont-250Ms-3Gr-k9-<ver>.ova - contains the agent to be deployed as a virtual service on an ISR's bootflash

---

Obtaining a File's Checksum from cisco.com

Before You Begin

• Go to the file download page on cisco.com.

Procedure

---

Step 1	Click the File Information file name to view the file's details, which includes the MD5 and SHA512 checksums.
Step 2	Click the ellipsis (…) to view the full SHA512 checksum.

---

Controller Deployment

Cisco provides the controller as a downloadable OVA file. You can deploy this OVA file to a host running an ESXi hypervisor.

Before you start the controller VM, you can update the memory, number of vCPUs, and hard disk space in vSphere vCenter. If you increase the memory, you must start the VM, then run the setup-system script. After you run the script, the VM is updated with proper memory settings.

If your controller is already running, and you want to update the memory settings, run the setup-system script, stop the VM, update the memory settings, and start the VM. On restart, the VM is updated with proper memory settings.

See Controller Installation Prerequisites for more information on recommended controller VM settings, based on deployment size.

Note	For a given version of the Learning Network License system, only the version of Ubuntu Linux shipped with the controller and agents is supported. Do NOT upgrade Ubuntu Linux on the controller or agent VMs.

The first time you log into the virtual machine, the system prompts you to change the default administrator password.

Deploying the OVA File

As you map destination networks to interfaces, note that only eth0 is enabled by default. For many deployments, controller management traffic, agent traffic, and controller web UI user traffic are reachable from the same controller network interface. In this case, you can map that destination network to the eth0 interface. You can also leave the eth1 and eth2 interfaces disabled, and mapped to a separate destination network.

However, if these traffic types are reachable via different controller network interfaces, you can enable eth1, eth2, or both eth1 and eth2, then map them to the appropriate destination networks.

Before You Begin

• Download the OVA file.

• Download VMware vSphere Client from https:/​/​my.vmware.com/​web/​vmware/​downloads and install it.

Procedure

---

Step 1	Open vSphere Client, and connect to the ESXi hypervisor where you want to install the OVA file.
Step 2	Select File > Deploy OVF Template.
Step 3	Click Browse to select your OVA file, then click Next.
Step 4	Review the OVF Template Details, then click Next.
Step 5	Enter a Name, select an inventory location, then click Next.
Step 6	Click the Thick Provision Lazy Zeroed radio button, then click Next.
Step 7	Select a Destination Network from your inventory to map to a Source Network. You can map the following default networks, then click Next. eth0 to Main Network eth1 (disconnected) to Alt1 Network eth2 (disconnected) to Alt2 Network Note    If you only need to configure eth0, you can map eth1 and eth2 to the same network.
Step 8	Review your deployment settings and click Finish. Note    The deployment may take 30 minutes to an hour or longer, depending on your environment.
Step 9	Click Close after the deployment completes.

---

What to Do Next

• Power on the virtual machine and login, as described in the next section.

Powering On the Virtual Machine

Before You Begin

• Deploy the OVA file to the ESXi hypervisor, as described in the previous section.

Procedure

---

Step 1	Open vSphere Client, and connect to the ESXi hypervisor where you deployed the virtual machine.
Step 2	Select Home > Inventory > VMs and Templates.
Step 3	Select the virtual machine from the navigation tree.
Step 4	Select Inventory > Virtual Machine > Power > Power On.
Step 5	Click the Console tab, then click in the console pane to shift your focus to the virtual machine console. Note    To shift your focus from the virtual machine console to your local host, press Ctrl-Alt.
Step 6	Log in with the default administrator username (sln) and the default administrator password (cisco). When prompted, change the default administrator password.

---

Controller Virtual Hard Disk Storage

By default, the controller OVA ships configured with a 200 GB hard disk. Based on your deployment and the recommended settings, you can configure the deployed controller VM to expand the available hard disk storage space by either:

• increasing the existing virtual hard disk storage allocation with an expanded partition or another partition, when the existing VMware storage area has sufficient space, or

• adding a new virtual hard disk, when the existing VMware storage area has insufficient space.

Note	Follow the procedures carefully. Failure to follow them can result in corruption or loss of the controller VM filesystem.

Controller Virtual Hard Disk Allocation Expansion

To add space to the controller VM hard disk, configure the VM's settings in VMware vSphere to increase the size of the hard disk. Then, from the VM's command line, run parted to extend an existing virtual hard disk partition. Finally, issue commands to expand the filesystem size for the new hard disk.

Note	You can only extend a hard disk partition to 2 TB. If you need more space, you can use cfdisk to instead add another virtual hard disk partition.

By default, the controller ships with one virtual hard disk, sda and up to partition number 5 (sda5). The first time you add a partition to this virtual hard disk, increment the name by one (sda6). If you want to add another partition, increment the name of the most recent hard disk partition by 1 (sda7, sda8, and so on).

Editing VM Settings to Increase Virtual Hard Disk Size

Before You Begin

• Connect to the ESXi hypervisor using VMware vSphere.

Procedure

---

Step 1	Select Home > Inventory > VMs and Templates.
Step 2	Right-click the controller VM and select Edit Settings.
Step 3	In the Hardware tab, select Hard disk 1.
Step 4	Enter a new Provisioned Size to update the virtual hard disk provision.
Step 5	Click OK.
Step 6	Right-click the controller VM and select Power > Shut Down Guest. Wait for the VM to power off.
Step 7	Right-click the controller VM and select Power > Power On.

---

Adding a New Virtual Hard Disk Partition Larger than 2 TB

Use cfdisk to create a new virtual hard disk partition larger than 2 TB. The controller OVA contains one virtual hard disk by default, sda. This virtual hard disk contains partitions up to number five (sda5). The following task assumes you have not created another virtual hard disk partition, directing you to increment the highest virtual hard disk partition name by one to create the sda6 partition. If you have created other virtual hard disk partitions for the sda virtual hard disk, increment the new partition name based on the existing virtual hard disk partitions (sda7, sda8, etc.).

Before You Begin

• Use VMware vSphere to log into the controller VM console.

Procedure

	Command or Action	Purpose
Step 1	sudo cfdisk /dev/sda, then enter your password when prompted Example:user@host:~$ sudo cfdisk /dev/sda	Run the cfdisk partition editor to create the sda6 partition.
Step 2	Move your cursor to the last line containing Free space, and verify the size column roughly matches the amount of space you added.	Verify that the partition size is correct. If it is not, restart the controller VM and restart this procedure from the beginning.
Step 3	n to create a new partition	Create a new partition.
Step 4	Select Logical and press Enter.	Create a logical partition.
Step 5	Press Enter to accept the default size.	Create the partition with the free space displayed.
Step 6	t to change the filesystem type to 8E	Change the filesystem type to 8E (Linux LVM).
Step 7	W to write the new partition table, then yes to confirm	Write the new partition table.
Step 8	q to quit cfdisk	Quit cfdisk.

Updating the Filesystem for the New Virtual Hard Disk Partition

The controller VM was provisioned with Linux LVM2 (Logical Volume Manager) tools. The following procedures uses the LVM2 tools to register the new partition as a physical volume, add the new physical volume to the existing volume group, and extend the logical volume over the new physical volume while simultaneously resizing the Linux filesystem to recognize the additional space.

Before You Begin

• Use VMware vSphere to log into the controller VM console.

Procedure

	Command or Action	Purpose
Step 1	sudo partprobe -s Example: user@host:~$ sudo partprobe -s	Update the /dev filesystem to include /dev/sda6 as a new virtual hard disk partition.
Step 2	sudo pvcreate /dev/sda6 Example: user@host:~$ sudo pvcreate /dev/sda6	Create a physical volume for a new partition on the sda virtual hard disk.
Step 3	sudo vgdisplay Example: user@host:~$ sudo vgdisplay	View the name of the volume group.
Step 4	sudo vgextend <volume-group> /dev/sda6 Example: user@host:~$ sudo vgextend vg00 /dev/sda6	Add the new volume to the volume group.
Step 5	sudo lvextend -r /dev/<volume-group>/root /dev/sda6 Example: user@host:~$ sudo lvextend -r /dev/vg00/root /dev/sda6	Add the new volume to the root logical volume and resize the root filesystem.

Controller Virtual Hard Disk Addition

To add a virtual hard disk on the controller VM, configure the VM's settings in VMware vSphere to recognize a new hard disk. Then, from the VM's command line, run cfdisk to create the new virtual hard disk, and issue commands to expand the filesystem size for the new hard disk.

By default, the controller ships with one virtual hard disk, sda. The first time you add a virtual hard disk, increment the name by one (sdb). If you want to add another virtual hard disk, increment the name of the most recent hard disk by 1 (sdc, sdd, and so on).

Editing VM Settings for a New Hard Disk

Before You Begin

• Connect to the ESXi hypervisor using VMware vSphere.

Procedure

---

Step 1	Select Home > Inventory > VMs and Templates.
Step 2	Right-click the controller VM and select Edit Settings.
Step 3	In the Hardware tab, click Add.
Step 4	Select Hard Disk and click Next.
Step 5	Select Create a new virtual disk and click Next.
Step 6	Enter a Disk Size and click Next.
Step 7	Click Next to skip the Advanced Options screen.
Step 8	Click Finish.
Step 9	Click OK in the Virtual Machine Properties window.
Step 10	Right-click the controller VM and select Power > Shut Down Guest. Wait for the VM to power off.
Step 11	Right-click the controller VM and select Power > Power On.

---

Adding a New Hard Disk

Use cfdisk to create a disk partition on the new virtual hard disk. The controller OVA contains one virtual hard disk by default, sda. The following task assumes you have not created another virtual hard disk, directing you to increment the existing virtual hard disk name by one to create the sdb virtual hard disk. If you have created other virtual hard disks for the controller, increment the new virtual hard disk name based on the existing virtual hard disks (sdc, sdd, etc.).

Before You Begin

• Use VMware vSphere to log into the controller VM console.

Procedure

	Command or Action	Purpose
Step 1	sudo cfdisk /dev/sdb, then enter your password when prompted Example:user@host:~$ sudo cfdisk /dev/sdb1	Run the cfdisk partition editor to create the sdb1 partition on the sdb virtual hard disk. The table contains one line, with the free space equal to the total disk size.
Step 2	n to create a new partition	Create a new partition.
Step 3	Select Primary and press Enter.	Create a virtual hard disk.
Step 4	Press Enter to accept the default size.	Create the virtual hard disk with the free space displayed.
Step 5	t to change the filesystem type to 8E	Change the filesystem type to 8E (Linux LVM).
Step 6	W to write the new partition table, then yes to confirm	Write the new partition table.
Step 7	q to quit cfdisk	Quit cfdisk.

Updating the Filesystem for the New Hard Disk

Before You Begin

• Use VMware vSphere to log into the controller VM console.

Procedure

	Command or Action	Purpose
Step 1	sudo partprobe -s Example: user@host:~$ sudo partprobe -s	Update the filesystem to include /dev/sdb as a new virtual hard disk.
Step 2	sudo pvcreate /dev/sdb1 Example: user@host:~$ sudo pvcreate /dev/sdb1	Create a physical volume for a new partition on the sdb hard disk.
Step 3	sudo vgdisplay Example: user@host:~$ sudo vgdisplay	View the name of the volume group.
Step 4	sudo vgextend <volume-group> /dev/sdb1 Example: user@host:~$ sudo vgextend vg00 /dev/sdb1	Add the new volume to the volume group.
Step 5	sudo reboot Example: user@host:~$ sudo reboot	Restart the controller VM.
Step 6	Log into the controller VM console.	Log into the controller VM console.
Step 7	sudo lvextend -r /dev/<volume-group>/root /dev/sdb1 Example: user@host:~$ sudo lvextend -r /dev/vg00/root /dev/sdb1	Add the new volume to the root logical volume and resize the root filesystem.
Step 8	sudo reboot Example: user@host:~$ sudo reboot	Restart the controller VM.

Custom Controller Web UI Certificates

The controller web server uses Transport Layer Security (TLS) to encrypt connections to the controller web UI. This requires the server to present a certificate to the client browser. Using the self-signed certificate installed by default does not allow the browser to validate the authenticity of the controller web UI, and leads to browser warnings about an untrusted web server. Instead of using a self-signed certificate, you can upload to the controller a custom public key server certificate and private key generated by your organization. This allows clients that connect to the controller web UI to properly validate the web server's authenticity. Note the following:

• You must upload both a server certificate and associated private key. Both must be in PEM format.

• You can also upload a trust chain of issuing CA certificates for the server certificate, concatenated with the server certificate in a single PEM file.

• You can upload an encrypted private key file. You must also create an additional file (sln_ssl.pass) with the cleartext password required to unencrypt the private key file.

After you make these changes, restart the controller web UI processes.

Note	When you run the setup-system script, do not generate a new controller web UI certificate, as this will overwrite your custom certificate and private key. See Configuring the Controller with the Setup Script for more information.

Uploading a Private Key Password

If your private key file is encrypted, you must create an sln_ssl.pass password file containing the cleartext password. After you create the file, you update the sln_ssl_certs.conf configuration file to point to the password file. See Uploading Custom Controller Web UI Certificates for more information.

Before You Begin

• Log into the controller VM console.

Procedure

	Command or Action	Purpose
Step 1	cd /etc/ssl/private/ Example:user@host:~$ cd /etc/ssl/private/	Change to the /etc/ssl/private/ directory.
Step 2	cat > sln_ssl.pass, then enter your password as cleartext, then press Ctrl + D. Example: user@host:~/etc/ssl/private$ cat > sln_ssl.pass private-key-password	Create the sln_ssl.pass password file, containing the private key cleartext password.
Step 3	cat sln_ssl.pass to verify the password Example: user@host:~/etc/ssl/private$ cat sln_ssl.pass	Verify that the sln_ssl.pass password file contains the correct cleartext password.

What to Do Next

• Continue updating the configuration for your custom certificate and private key, as described in the next section.

Uploading Custom Controller Web UI Certificates

Before You Begin

• Log into the controller VM console.

• Upload your custom controller web UI server certificate, and chain of issuing CA certificates if applicable, in PEM format to the controller at etc/ssl/certs.

• Upload your custom controller web UI server certificate private key in PEM format to the controller at /etc/ssl/private.

Procedure

	Command or Action	Purpose
Step 1	cd /opt/cisco/sln/viz/conf/ Example:user@host:~$ cd /opt/cisco/sln/viz/conf/	Change to the /opt/cisco/sln/viz/conf/ directory.
Step 2	sudo vi sln_ssl_certs.conf, then enter your password when prompted Example:user@host:~/opt/cisco/sln/viz/conf$ sudo vi sln_ssl_certs.conf	Open ssln_ssl_certs.conf in the vi text editor as a superuser.
Step 3	Modify the ssl_certificate filepath to point to the custom server certificate PEM file. Example: ssl_certificate /etc/ssl/certs/server-certificate.pem	Update sln_ssl_certs.conf to point to your custom server certificate.
Step 4	Modify the ssl_certificate_key filepath to point to the custom server certificat private key PEM file. Example: ssl_certificate_key /etc/ssl/certs/server-certificate-key.pem	Update sln_ssl_certs.conf to point to your custom server certificate private key.
Step 5	If you uploaded an sln_ssl.pass password file, add ssl_password_file and a corresponding filepath after the ssl_certificate_key filepath. Example: ssl_certificate_key /etc/ssl/certs/server-certificate-key.pem ssl_password_file /etc/ssl/private/sln_ssl.pass	Update sln_ssl_certs.conf to point to your private key password file.
Step 6	Press Esc, then enter :wq!. Example::wq!	Save your changes, then exit the vi text editor.
Step 7	sudo service ciscosln-viz restart Example:user@host:~/opt/cisco/sln/viz/conf$ sudo service ciscosln-viz restart	Restart the controller web UI service.

Configuring the Controller with the Setup Script

If you need multiple interfaces on multiple subnets, when configuring networking, you can also configure eth1 and eth2.

Before You Begin

• Log into the controller VM console.

Procedure

	Command or Action	Purpose
Step 1	cd ~/ Example:user@host:~$ cd ~/	Change directories.
Step 2	sudo ./setup-system at the command prompt to run the setup script. Enter the administrator password if prompted. Example:user@host:~$ sudo ./setup-system	Run the setup script.
Step 3	y (configure networking)	Configure networking.
Step 4	1 (configure eth0)	Configure the eth0 interface.
Step 5	hostname, then hostname, then y to confirm	Configure the controller VM hostname. You must enter a full qualified domain name.
Step 6	ipv4, then ipv4-address, then ipv4-netmask, then ipv4-gateway, then y to confirm	Configure the interface's IPv4 address, along with a netmask and gateway.
Step 7	dns, then dns-servers, then y to confirm	Modify the virtual machine's list of DNS servers.
Step 8	search, then domain-suffixes, then y to confirm	If you want to configure the domain suffix search list, run the search command.
Step 9	view	View the interface's network settings, hostname, and DNS settings. If any of these are missing or incorrect, repeat that configuration.
Step 10	exit	Save your changes and continue with interface configuration.
Step 11	4 (exit interface configuration)	Exit interface configuration and continue.
Step 12	y (enable SSH login)	Enable SSH login.
Step 13	y, then ntp-servers, then y to confirm	Configure NTP servers used to synchronize time between the controller and agent. Enter a space-delimited list of NTP server fully-qualified domain names (FQDNs) or IPv4 addresses.
Step 14	y (generate a controller certificate)	Generate a controller self-signed certificate, used for encrypting controller/agent communication.
Step 15	y (generate a controller web UI certificate), or n if you uploaded a custom certificate	Generate a controller web UI self-signed certificate, used for encrypting user connections to the controller web user interface.
Step 16	y (specify the distinguished name if you generated a new certificate)	Optionally, specify the certificate subject distinguished name (DN).
Step 17	country-code, then state, then locality, then organization, then organizational-unit, then common-name, then email if you generated a new certificate	Optionally, provide the DN information.

Resetting the Administrator Password

After you run the setup-system script, reset the controller web UI administrator user account (admin) password. When you reset the password, the system prints a temporary password to the console, valid for 72 hours. You must log into the controller web UI as the admin user account, then update your password.

Procedure

	Command or Action	Purpose
Step 1	cd ~/SCA Example:user@host:~$ cd ~/SCA	Change directories to ~/SCA.
Step 2	sudo service ciscosln-sca stop, then enter your password when prompted Example:user@host:~/SCA$ sudo service ciscosln-sca stop	Stop the controller processes.
Step 3	./sca.sh reset-admin-password Example: user@host:~/SCA$ ./sca.sh reset-admin-password user@host:~/SCA$ Resetting the admin password in sln user@host:~/SCA$ New password is 'AbCd1234' user@host:~/SCA$ Admin password reset done.	Reset the admin user account's password.
Step 4	sudo service ciscosln-sca start Example:user@host:~/SCA$ sudo service ciscosln-sca start	Start the controller processes.

Disabling Host Time Synchronization

After you reset the administrator password, configure the VM to disable host time synchronization. This ensures the VM synchronizes time with the configured NTP servers, instead of the ESXi host.

Before You Begin

• Log into the controller VM console.

Procedure

	Command or Action	Purpose
Step 1	vmware-toolbox-cmd timesync disable Example: user@host:~$ vmware-toolbox-cmd timesync disable	Modifies the .vmx virtual machine configuration file to disable time synchronization with the ESXi host.

Logging into the Controller Web UI

When you installed the controller, you defined an IP address for the controller web UI, and reset the administrator user account (admin) password. Log in with the temporary password printed to the controller VM console. After you log in once, you must change the password and confirm the new password.

Procedure

In your web browser, navigate to https://controller-web-ip-address, then enter your controller web username and password when prompted.

Verifying NTP Configuration on the Controller

Before You Begin

• Log into the controller VM console.

Procedure

	Command or Action	Purpose
Step 1	ntpq –n –p Example:user@host:~$ ntpq –n –p	Display configured NTP servers. If the system does not display configured NTP servers, repeat NTP configuration in Configuring the Controller with the Setup Script.

What to Do Next

• Update the controller certificate configuration settings, as described in the next section.

Controller Certificate Management

Modify the controller configuration file to update certificate management settings. You can enable the controller to use self-signed agent certificates, and enable TOFU. After this, restart the controller processes.

Updating the Controller Configuration

The sca.conf configuration file contains several layers of nested brackets. When you update the file to add or update the dla node, make sure that you nest it within the sln bracket. See the following for an example.

sln {
  dla {
    security {
      allowSelfSignedCert = true
      trustCertOnFirstUse = true
      certRollover = true
    }
  }
}

You can also reference ~/SCA/sample_sca.conf for an example of syntax.

Before You Begin

• Log into the controller VM console.

Procedure

	Command or Action	Purpose
Step 1	cd ~/SCA Example:user@host:~$ cd ~/SCA	Change to the /SCA directory.
Step 2	sudo vi sca.conf, then input your password when prompted Example:user@host:~/SCA$ sudo vi sca.conf	Edit the sca.conf configuration file.
Step 3	Update the configuration file to include or modify the configuration.	Update the configuration file to include allowSelfSignedCert = true, trustCertOnFirstUse = true, and certRollover = true.
Step 4	Press Esc, then enter :wq! and press Enter.	Save your changes and exit the editor.

What to Do Next

• Restart the controller's processes, as described in the next section.

Restarting Controller Processes

Before You Begin

• Log into the controller VM console.

Procedure

	Command or Action	Purpose
Step 1	cd ~/SCA Example:user@host:~$ cd ~/SCA	Change to the /SCA directory.
Step 2	sudo service ciscosln-sca restart Example:user@host:~/SCA$ sudo service ciscosln-sca restart	Restart the controller processes.

Updating Administrator Credentials

Update your administrator credentials to log into the controller web UI. In a later step, the install script, located on the controller, adds deployed agents to the controller using these updated administrator credentials.

When you installed the controller, you defined an IP address for the controller web UI. Use the default login password (cisco) for the administrator user account (admin). After you log in once, you must change the password and confirm the new password.

Procedure

In your web browser, navigate to https://sca-ip-address, then enter your controller web username and password when prompted.

What to Do Next

• Configure your ISR's NTP settings, as described in the next section.

NTP Configuration

To configure NTP server addresses on the ISR, associate the router management interface with the NTP servers. Alternatively, if you have a loopback interface already configured, you can use that instead to reference NTP servers.

Configuring NTP on the ISR

The agents deployed as a virtual service receive time from the host router. You must configure NTP servers on the ISR to ensure Learning Network License timestamps match, and to ensure that the system properly displays anomalies.

Note	NTP configuration is not required for deploying a virtual service. However, if you incorrectly configure NTP server domain names or IP addresses on the ISR, you cannot deploy virtual services to it. Correctly enter the NTP server domain names or IP addresses.

You can enter each command individually. You can also paste the commands from the example below into a text editor, update the variable, then paste all the updated commands into the command line.

enable
ntp source GigabitEthernet0/0/0
ntp server <ipv4-addresses>
exit

If you have an existing loopback interface, use that as the NTP source interface. Otherwise, use the router management interface.

Procedure

	Command or Action	Purpose
Step 1	enable Example:Router> enable	Enable privileged EXEC mode. Enter your password if prompted.
Step 2	ntp source GigabitEthernet0/0/0 Example:Router# ntp source GigabitEthernet0/0/0	Use the GigabitEthernet0/0/0 interface to connect to an NTP server.
Step 3	ntp server ipv4-addresses Example:Router# ntp server 209.165.202.129 209.165.202.130	Use the GigabitEthernet0/0/0 interface to connect to an NTP server. Define multiple addresses to specify backup NTP servers.
Step 4	show ntp association Example:Router# show ntp association	Display configured NTP servers. If the system does not display correctly configured NTP servers, repeat the configuration process.
Step 5	exit Example:Router# exit	Exit privileged EXEC mode.

Install Script Overview

The controller includes an agent install and upgrade properties file (install.yaml), and an agent install script (installation_auto.py) . Running the agent install script requires configuring the agent install and upgrade properties file with agent, ISR, and network settings. You can configure the file to deploy multiple agents at one time. This file contains global settings, which apply to all deployed agents, and branch-specific settings, which apply only to one ISR and agent.

Note	For a given version of the Learning Network License system, only the version of Ubuntu Linux shipped with the controller and agents is supported. Do NOT upgrade Ubuntu Linux on the controller or agent VMs.

When you run the install script, it reads the properties file, and does the following for each agent:

• uploads the OVA file to the ISR

• configures flexible NetFlow for Learning Network License

• configures a virtual service named sln and deploys the agent

• configures ISR and agent network settings

• adds the new agent to the controller

ISR Hardware Configuration

Before you deploy your agents as virtual services, ensure that your ISRs have enough RAM and the proper hardware installed, as described in ISR 4000 Series Platform Requirements.

For more information on hardware installation, see the Hardware Installation Guide for the Cisco 4000 Series Integrated Services Router, at http:/​/​www.cisco.com/​c/​en/​us/​td/​docs/​routers/​access/​4400/​hardware/​installation/​guide4400-4300/​C4400_​isr.html.

Install Script Deployment

Install Script Diagram

An agent may be installed as a virtual-service (container) in an ISR 4331, 4351, 4431, or 4451 router by running the installation_auto.py install and upgrade script. The controller contains the script, which you run from the controller command line. The script issues configuration commands on the router and the newly-created agent. It also adds the agent to the controller, so the user can issue further configuration changes from the controller web UI.

The script references the install.yaml properties file, also located on the controller. The following diagram tracks the various properties in the deployment process.

Figure 4. ISR and Agent Deployed as a Virtual Service

Agent Copy

The arrow labeled copy (scp) demonstrates the install script copying the agent .ova file from a network location of your choice to the Network Element (4331, 4351, 4431, or 4451 router). In this example, the script copies the file from the deployed controller using the SCP protocol to the ISR.

For all commands issued to the ISR, the script uses the configured credentials (ne_username, ne_password) to connect to the network element (ne_ctl_ip).

The following properties control how the script copies the file:

• src_host - the network location where the agent .ova file is copied from

• src_username - username used by the script to log into this network location

• src_password - password used by src_username

• src_ova_path - filepath and filename on the host where the agent .ova file is located

• dst_store - whether the script copies the .ova file to the branch router harddisk or bootflash

Cisco recommends you define the controller as the source host, upload the .ova to the controller, and copy the file to all branch routers.

Agent Virtual Service Creation

The center of the diagram shows the commands the script uses to create, install, and activate the agent as a virtual-service (container), and references the properties file to apply values to the variables.

The script creates the virtual-service with two virtual interfaces, using the interface VirtualPortGroup commands:

• ctl/mgmt - The control and management interface, used for agent/controller communication, to install mitigation policies on the router, and to receive NetFlow records from the router. This is VirtualPortGroup 1 on the router, and eth0 on the agent.

  The script configures the ctl/mgmt interface without an IP address, (using ip unnumbered), referencing the name of a router interface (parent-if-name) whose IP address is reachable by the controller.

  The script also configures an ip route on the agent with a routable IP address (dla_ctl_ip) so the router forwards packets from the controller to the agent over the ctl/mgmt interface.

  Note that you configure credentials for the agent to log into the router (dla_ne_login: username, dla_ne_login, password), to install mitigation policies, and collect information from the router.

• data xfer - The data transfer interface, used to send raw packet data from the router to the agent, when packet buffer capture (PBC) or DNS deep packet inspection (DNS/DPI) are enabled. This is VirtualPortGroup 2 on the router, and eth1 on the agent.

  The script configures the data xfer interface with a private IP address (ne_ip) and netmask (ne_mask), since traffic across this interface never leaves the router.

After configuring the virtual interfaces, the script issues commands (virtual-service, vnic) to create the virtual-service named sln with two virtual interfaces reachable by the VirtualPortGroup 1 and VirtualPortGroup 2 interfaces on the router.

The script then issues an install command to install the agent .ova into the virtual service, then an activate command to activate the virtual service.

Finally, the script issues the connect command to log into the virtual service console to configure the following:

• the agent hostname (dla_hostname) and default gateway (dla_ctl_gw)

• the eth0 interface with a routable IP address (dla_ctl_ip) and netmask (dla_ctl_mask). The controller must be able to reach this address.

• the eth1 interface with a private IP address (dla_dat_ip) and netmask (dla_dat_mask

Learning Network License NetFlow Configuration

The install script also issues commands to configure Flexible NetFlow (Version 9), as required for Learning Network License. The following diagram illustrates this configuration.

Figure 5. NetFlow Operation on the ISR

The script creates the following:

• SLN-NF-RECORD - a NetFlow flow record which defines key fields to match traffic, and non-key fields to collect

• SLN-NF-EXPORTER - a NetFlow flow exporter that references the agent dla_ctl_ip IP address to send NetFlow data to the agent

• SLN-NF-MONITOR - a NetFlow flow monitor that references SLN-NF-RECORD to monitor input and output traffic coming over configured branch interfaces, and forwards it to SLN-NF-EXPORTER

The script also issues an interface command for each branch interface (branch-if1-names...) that you configure in the properties file. These branch interfaces are the router interfaces used to reach branch hosts.

Agent Addition to the Controller

The script adds each agent to the controller, if not already added, using the RESTful API. The script logs into the controller using the configured credentials (sca_webui_login: username, sca_webui_login: password). The script uses the agent hostname (dla_hostname) or the IP address (dla_ctl_host_sca) if the agent hostname is not resolvable in DNS.

Each agent is added to the controller as Disabled. You must log into the controller web UI to enable the agent. If you register your deployment with Smart Licensing, enabling the agent also consumes a license entitlement.

Agent Properties File Overview

The agent install and upgrade properties file (install.yaml), located on the controller, is in YAML format, and stores settings as key-value pairs. The install script uses these settings to deploy 1 or more agents. The controller contains an install.yaml.example file, which contains the basic YAML format and sample settings. You can rename this file to install.yaml and update the settings for your deployment.

The file stores global settings, which apply to all agent deployments. The file also stores per-branch settings, each set of which are applied to a specific ISR and agent. Per-branch settings override global settings. If you define a setting both as global and as per-branch for certain branches, the install script selects the per-branch setting when defined, and the global setting when the per-branch setting is not defined.

You define usernames and passwords in the properties file, which the install script uses to access ISRs, the controller, and agents. If you comment out a password property by placing a pound sign (#) at the beginning of that line, the script prompts you for that password while running. However, if you comment out the dla_password or ne_password property as a global setting, the script prompts you for the first agent where the property is not defined. It then uses the password you enter for every agent which does not have the property defined.

Note	Usernames and passwords added to the properties file remain in the file after you finish deploying the agents. If this is a security concern, remove them after the deployment completes.

Agent Properties File Settings

Global Property Settings

The following are the global property settings. You can define any of these per-branch, except for the sca_webui_login settings. If you define dla_ova_copy: src_host, dla_ova_copy: src_username, or dla_ova_copy: src_password per-branch, you must also define each setting globally. Note that the per-branch setting overrides the global setting.

When you run the script, it prompts you for any password you do not define.

Note	The syntax below is presented as an example. Do not copy and paste this into the property file. Improper formatting and spacing in the property file will cause the script to fail.

dla_ova_copy:
    src_host: <source-host-ip>
    src_username: <source-host-user>
    src_password: <source-host-password>
    src_ova_path: <source-host-ova-filepath>
    dst_store: <dest-store-location>
vir_portgroup_1:
    ip_unnum: <parent-interface>
    vrf_forwarding: <parent-interface-vrf>
vir_portgroup_2:
    ne_ip: <private-ip-1>
    ne_mask: <private-ip-1-mask>
    dla_dat_ip: <private-ip-2>
    dla_dat_mask: <private-ip-2-mask> 
ne_username: <ne-user>
ne_password: <ne-password>
ne_port: <tcp-port>
dla_password: <dla-password>
dla_ne_login: 
    username: <dla-ne-user>
    password: <dla-ne-password>
sca_webui_login:
    username: <sca-user>
    password: <sca-password>

Table 11 dla_ova_copy Properties

Property	Description	Validation	Required?
dla_ova_copy	group of properties used to copy the agent OVA from a source host that is capable of SCP file copying, such as the controller, to the ISR	n/a	n/a
src_host	IP address of the host containing the agent OVA, from which the script will copy the file	IPv4 address or DNS name	yes
src_username	username the script uses to log into the Linux console of the host containing the agent OVA	string	yes
src_password	password for src_username	string, cannot be NULL	yes
src_ova_path	filepath on the source host where the agent OVA is located, such as /home/sln/agent.ova, in quotation marks	string, must contain filepath and filename	yes
dst_store	bootflash to upload the agent OVA to the ISR's flash memory, or harddisk to upload the agent OVA to the ISR's hard drive	bootflash or harddisk Specify bootflash only if your ISR does not have a hard drive installed. If your ISR has a hard drive, and you specify bootflash, the script ignores the setting and uploads to the hard drive.	yes

Table 12 vir_portgroup_1 Properties

Property	Description	Validation	Required?
vir_portgroup_1	group of properties used to create the VirtualPortGroup 1 virtual interface	n/a	n/a
ip_unnum	name of an interface on your ISR through which the controller can reach the agent. The script uses this to configure the Network Element side of the ctl/mgmt interface.	string	yes
vrf_forwarding	name of the non-default VRF instance on your ISR that the ip_unnum interface belongs to. If you added the interface to a non-default VRF instance, you must configure this so the script can properly copy the OVA file to the router.	string	no, see Configuring VRF Forwarding on the ISR for more information

Table 13 vir_portgroup_2 Properties

Property	Description	Validation	Required?
vir_portgroup_2	group of properties used to create the VirtualPortGroup 2 virtual interface	n/a	n/a
ne_ip	Network Element IP address on the virtual-service Data Transfer interface. The script uses this to configure the Network Element side of the Data Transfer interface. Because traffic over this interface does not leave the router, specify a private IP address.	IPv4 address	yes
ne_mask	The netmask for ne_ip	subnet mask	no
dla_dat_ip	Agent IP address on the virtual-service Data Transfer interface. The script uses this to configure the agent side of the Data Transfer interface. Because traffic over this interface does not leave the router, specify a private IP address.	IPv4 address	yes
dla_dat_mask	the netmask for dla_dat_ip	subnet mask	no

Table 14 ne_username Property

Property	Description	Validation	Required?
ne_username	a username with a privilege level of 15 that the install script uses to log into the ISR, to execute CLI commands	string	yes

Table 15 ne_password Property

Property	Description	Validation	Required?
ne_password	the password for ne_username	string, cannot be NULL	no, the script prompts you if not defined If you do not define the ne_password property as a global property, the script prompts you the first time it attempts to deploy an agent where the configured branch properties also do not contain ne_password. However, the script reuses that password for every remaining agent deployment for which ne_password is not defined.

Table 16 ne_port Property

Property	Description	Validation	Required?
ne_port	the TCP port the upgrade script uses when connecting via SSH to the ISR. If undefined, this defaults to 22.	integer	no

Table 17 dla_password Property

Property	Description	Validation	Required?
dla_password	password configured for the agent admin account when the script deploys the agent, to replace the default admin password	string, cannot be NULL, must be a minimum of 6 characters	no, the script prompts you if commented out If you do not define the dla_password property as a global property, the script prompts you the first time it attempts to deploy an agent where the configured branch properties also do not contain dla_password. However, the script reuses that password for every remaining agent deployment for which dla_password is not defined.

Table 18 dla_ne_login Properties

Property	Description	Validation	Required?
dla_ne_login	group of properties used to define agent credentials to log into the Network Element	n/a	n/a
username	username the agent uses to log into the ISR to learn about interfaces and install mitigations.	string	yes
password	password for the agent username	string, cannot be NULL	no, the script prompts you if commented out

Table 19 sca_webui_login Properties

Property	Description	Validation	Required?
sca_webui_login	group of properties used to define install script credentials to log into the controller web UI	n/a	n/a
username	username the script uses to log into the controller web UI to add agents to the controller, and configure agent attributes.	string	yes
password	password to log into the controller.	string, cannot be NULL	no, the script prompts you if commented out

Branch-Specific Property Settings

The following are the branch-specific property settings. For each new set of branch settings, you must preface them with a dash (-).

Note	The syntax below is presented as an example. Do not copy and paste this into the property file. Improper formatting and spacing in the property file will cause the script to fail.

branches:
    -
     ne_ctl_ip: <parent-interface-ip>
     dla_ctl_ip: <control-ip>
     dla_ctl_mask: <control-ip-mask>
     dla_ctl_gw: <control-ip-gateway>
     dla_hostname: <dla-hostname>
     dla_description: <dla-description>
     ne_netflow_interfaces:
        ifnames: ['<branch-interface-1>','<branch-interface-2>','branch-interface-N>'......]
     dla_ctl_host_sca: <dla-ip-for-sca>

The dla_description and ne_ctl_ip properties can only be updated through the install script on initial agent installation. If you want to update the agent description after installation, modify it in the controller web UI. See the Cisco Stealthwatch Learning Network License Configuration Guide for more information.

Table 20 branches Properties

Property	Description	Validation	Required?
branches	group of settings used to configure a specific agent on a branch Network Element	n/a	n/a
ne_ctl_ip	IP address for the physical interface defined for vir_portgroup_1: ip_unnum that the script uses to connect to the network element, and to add an agent to the controller	IPv4 address	yes You can only modify this on initial agent installation.
dla_ctl_ip	a routable IP address for the agent on the control interface that the ne_ctl_ip can reach, so the controller can reach the agent	IPv4 address	yes
dla_ctl_mask	mask for dla_ctl_ip	subnet mask	yes
dla_ctl_gw	default gateway the agent uses for non-local destinations, generally the same IP address as ne_ctl_ip	IPv4 address	yes
dla_hostname	agent hostname, used by the script to generate unique names for per-branch log files, used by the controller to connect to the dla_ctl_ip, and used by the controller web UI as the agent's unique name	string	yes
dla_description	agent description	string, up to 256 characters, surrounded by double quotation marks (")	no if undefined, the script populates the description with the dla_hostname value, or the dla_ctl_host_sca IP address if you defined it You can only modify this on initial agent installation.
ne_netflow_interfaces: ifnames	a list of ISR branch-facing interfaces on which the script configures Flexible NetFlow for Learning Network License	a comma-delimited array, surrounded by brackets ([]), with each interface name surrounded by single quotes (')	yes
dla_ctl_host_sca	agent IP address used by the controller to reach the agent if the agent hostname is not resolvable in DNS, or if the agent control IP address is behind a NAT or PAT. If you do not define this, the script adds the agent to the controller using the dla_hostname value.	IPv4 address	no

Configuring VRF Forwarding on the ISR

In the install.yaml properties file, if you added the vir_portgroup_1: ip_unnum interface to a non-default VPN routing and forwarding (VRF) instance on your ISR, you must define the vir_portgroup_1: vrf_forwarding property in the file. This allows the script to properly copy the .ova file to the router using SCP.

On the ISR, you must also configure the vir_portgroup_1: ip_unnum interface as the source address for an SSH client device, so the script can properly copy the .ova file.

Before You Begin

• Define vrf_forwarding in the install.yaml properties file. See Agent Properties File Settings for more information.

• Log into the ISR console.

Procedure

	Command or Action	Purpose
Step 1	enable Example: Router> enable	Enable privileged EXEC mode.
Step 2	config t Example: Router# config t	Enter global configuration mode.
Step 3	ip ssh source-interface <ip_unnum> Example: Router(config)# ip ssh source-interface GigabitEthernet0/0/0	Specify the ip_unnum interface as the source for an SSH client device.
Step 4	exit Example: Router(config)# exit	Exit global configuration mode and return to privileged EXEC mode.

Updating the Agent Properties File

Before You Begin

• Log into the controller VM console with the username sln.

Procedure

	Command or Action	Purpose
Step 1	cd /opt/cisco/sln/install_upgrade/container Example: user@host:~$ cd /opt/cisco/sln/install_upgrade/container	Navigate to the /container directory.
Step 2	cp install.yaml.example install.yaml Example: user@host:/opt/cisco/sln/install_upgrade/container$ cp install.yaml.example install.yaml	Copy the install.yaml.example file to install.yaml.
Step 3	vi install.yaml, then enter your password when prompted. Example: user@host:/opt/cisco/sln/install_upgrade/container$ vi install.yaml	Open the install.yaml install and upgrade properties file in the vi text editor.
Step 4	Using Agent Properties File Settings as a guide, update the properties file with the necessary settings.	Update the properties file with the necessary settings.
Step 5	Press Esc, then enter :wq! and press Enter.	Save your changes and close the file.

What to Do Next

• Run the install script, as described in Install Script Operation.

Install Script Operation

The install script (installation_auto.py) deploys agents as virtual services based on settings in the agent install and upgrade properties file (install.yaml). You configure the properties file and run the install script from the controller, which contains both by default.

Based on the properties file settings and the script options you select, the script attempts to deploy agents in batches, copying the .ova file to the ISR, then deploying it.

Note	The script copies the .ova file to the ISR based on the properties file settings. However, if you copy the .ova file to the ISR, and configure the properties file setting to upload the .ova to the same filepath, the script deploys the agent using the .ova file already on the ISR.

As the script runs, it displays progress updates on the console every 10 seconds. These updates display the total number of agents to deploy, the number in progress, and the number that succeeded and failed.

If you commented out password properties in the install.yaml properties file, the script prompts you during the progress updates. For agent passwords, if you did not define a global password, the first time the script deploys an agent without a password defined, it prompts you for the password, then uses this password for all remaining agents without a password defined. The script also logs its progress to several log files.

You can exit the script at any time by pressing Ctrl-C.

Install Script Options

Append the following options to the command line when running the script for the following functionality:

Table 21 Install Script Options

Option	Description
-b <integer>	Configure the script to deploy this number of agents in a batch at one time. The script defaults to deploying 50 agents in a batch. If you notice failed deployments when running the script, try lowering the batch size.
-c install.yaml	Reference the install.yaml properties file.
--clean_only	Removes all Learning Network License configuration and the virtual service from the ISR. If you want to upgrade your agents to the same version, run the script using --clean_only first, then run the script without --clean_only.
-f	Copies the .ova file specified in the properties file to the destination filepath on the ISR, even if an .ova file with the same name is present at that destination filepath.
-i	Deploy all agents configured in the properties file, even if they have been previously installed successfully. If you do not define this option, the script only deploys agents that previously failed to deploy properly.
-h	Show help for options.
-v	Perform local validation of the referenced properties file.
-V	Perform validation of the referenced properties file, including connecting to the network element and validating interface names.

Run a basic installation from the controller command line with the following command:

installation_auto.py -c install.yaml

Running the Install Script

Before You Begin

• Log into the controller VM console.

Procedure

	Command or Action	Purpose
Step 1	cd /opt/cisco/sln/install_upgrade/container Example: user@host:~$ cd /opt/cisco/sln/install_upgrade/container	Navigate to the /container directory.
Step 2	installation_auto.py -c install.yaml, then enter your password when prompted Example: user@host:/opt/cisco/sln/install_upgrade/container$ installation_auto.py -c install.yaml	Run the installation_auto.py install script.
Step 3	If you did not update install.yaml with passwords, enter those when prompted.	Provide passwords when prompted.

Verifying NTP Configuration on the Agent

Before You Begin

• Log into the agent virtual service console.

Procedure

	Command or Action	Purpose
Step 1	ntpq –n –p Example:user@host:~$ ntpq –n –p	Display configured NTP servers. If the system does not display configured NTP servers, repeat NTP configuration in Configuring NTP on the ISR.

Smart Licensing Overview

To deploy the Learning Network License, you must register your controller with Cisco Smart Licensing. If you do not, your deployment enters Evaluation Mode, a 90-day trial which limits you to a maximum of 10 managed agents, and disables new functionality when the 90 days expire.

Cisco Smart Licensing lets you purchase and manage a pool of licenses centrally. Unlike product authorization key (PAK) licenses, Smart Licenses are not tied to a specific serial number or license key. Smart Licensing lets you assess your license usage and needs at a glance.

In addition, Smart Licensing does not prevent you from deploying agents. You can deploy an agent and purchase the license later. This allows you to deploy and use an agent, and avoid delays due to purchase order approval.

Logging into the Controller Web UI

When you installed the controller, you defined an IP address for the controller web UI, and reset the administrator user account (admin) password. Log in with the temporary password printed to the controller VM console. After you log in once, you must change the password and confirm the new password.

Procedure

In your web browser, navigate to https://controller-web-ip-address, then enter your controller web username and password when prompted.

Registering the Controller Instance

Before You Begin

• Obtain a registration token from the Smart Software Manager (http:/​/​www.cisco.com/​web/​ordering/​smart-software-manager/​index.html).

• Log into the controller web UI.

Procedure

---

Step 1	Select Dashboard.
Step 2	Click Smart Licensing.
Step 3	Click Register.
Step 4	Paste your registration token into the Smart Software Licensing Product Registration field.
Step 5	If you want to use a registration token and the current token is still valid, check Reregister this product instance if it is already registered.
Step 6	Click Register.

---

Restarting the Controller Processes

Procedure

	Command or Action	Purpose
Step 1	cd ~/SCA Example:user@host:~$ cd ~/SCA	Change to the /SCA directory.
Step 2	sudo service ciscosln-sca restart Example:user@host:~/SCA$ sudo service ciscosln-sca restart	Restart the controller processes.

Enabling Agents on the Controller

If you do not register your controller with Smart Licensing before you enable agents, your deployment is in Evaluation Mode, and you are limited to managing 10 agents with your controller for 90 days.

When you register your controller with Smart Licensing and enable the agents, ensure you have enough license entitlements.

Before You Begin

• Log into the controller web UI.

Procedure

---

Step 1	Select AGENTS.
Step 2	For each managed agent, click Enable, then click Continue to enable the agent.

---

Interface Configuration

When you configure a Network Element's interface, select a traffic direction, whether you want to enable mitigations on the interface, and whether you want to enable packet buffer capture (PBC) or deep packet inspection (DPI).

Note	Subinterface configuration of PBC/DPI is not supported on 4000 Series ISRs.

The Direction you select for an interface determines how the agent tracks traffic origin from within or outside the branch, populates clusters, and models traffic to identify anomalies. Label each interface based on the following guidelines:

• An Internal interface faces the branch and branch hosts. The system applies Learning Network License-related NetFlow on this interface.

• An External interface faces the core. This interface passes traffic outside the branch, including other branches, headquarters, or the Internet.

• An Unconfigured interface does not qualify as either Internal or External. It is unused, or there is a reason you do not want to monitor the traffic over this interface.

An agent monitors traffic, and creates clusters of hosts with similar characteristics. The agent clusters external hosts, those residing on External interfaces, separately from internal hosts, those residing on Internal interfaces. Traffic between clusters is monitored for anomaly detection.

The agent monitors traffic to or from branch hosts. All traffic to or from an Internal interface, which represents the branch host traffic, is modeled for anomaly detection purposes. Traffic that does not involve an Internal interface is not modeled. See the following table for more information.

Table 22 Interface Direction and Modeled Traffic

	...to an Internal interface...	...to an External interface...	...to an Unconfigured interface...
Traffic from an Internal interface...	...is modeled and inspected for anomalous traffic.	...is modeled and inspected for anomalous traffic.	...is modeled and inspected for anomalous traffic.
Traffic from an External interface...	...is modeled and inspected for anomalous traffic.	...is not modeled and inspected for anomalous traffic.	...is not modeled and inspected for anomalous traffic.
Traffic from an Unconfigured interface...	...is modeled and inspected for anomalous traffic.	...is not modeled and inspected for anomalous traffic.	...is not modeled and inspected for anomalous traffic.

You can enable mitigation on Ethernet interfaces and most tunnel interfaces. The system does not support enabling mitigation on tunnel interfaces with multipoint GRE (mGRE) enabled.

Cisco recommends you enable mitigation on all enabled and supported interfaces, regardless of traffic direction. This provides maximum protection if the agent detects an anomaly, and you want to install a QoS policy on the Network Element to prevent the anomaly from being forwarded. If you configure a mitigation tailored to this anomalous traffic, the system installs the corresponding QoS policy on all Network Element interfaces on which you enabled mitigation.

Note	By default, the system checks the Enable Mitigation checkbox for all Ethernet and non-mGRE tunnel interfaces.

If your router interface has subinterfaces, and already has a quality of service (QoS) policy installed at the parent interface level, you can only enable mitigation policies at the parent level for that interface family. Similarly, if the subinterfaces have a QoS policy installed, you can only enable mitigation policies at the subinterface level for that interface family. If you enable a mitigation on a subinterface, the system automatically enables the mitigation on all sibling subinterfaces.

If the interface family does not have a QoS policy installed, you can install a mitigation at the parent interface or subinterface level. Once you configure a mitigation for a parent interface or a subinterface, however, you can only subsequently create mitigations at that level for the interface family.

You can enable PBC or DPI on any interface with the word Ethernet in its name, with the following exceptions:

• You can only enable PBC or DPI on a G2 ISR interface if you did not configure it to export IP traffic (ip traffic-export). If you configured IP traffic export on the interface, remove the configuration from the interface before enabling PBC and DPI.

• You can only enable PBC or DPI on a 4000 Series ISR parent interface.

This allows you to capture and download PCAP files, or capture DNS query information from traffic.

Note	On a G2 ISR, if you enable PBC or DPI on a parent interface, the system also enables it for all sub-interfaces. Similarly, if you enable PBC or DPI on a G2 ISR sub-interface, the system also enables it for the parent interface and all sibling subinterfaces.

Configuring Agent Network Settings

You can update an agent's network settings, including the host router's IP address and directionality of the router's interfaces.

Before You Begin

• See Interface Configuration for information on configuring your agents.

Procedure

---

Step 1	Select AGENTS.
Step 2	Click Configure next to an agent.
Step 3	Enter the VirtualPortGroup1 virtual service eth0 IPv4 address in the Network Element IP field.
Step 4	Click the expand icon () next to an interface to view the router interface configuration.
Step 5	For an interface, choose from the drop-down: Internal if the interface faces the branch (generally, if NetFlow is configured on the interface) External if the interface faces the core (generally, if the interface is passing traffic) Unconfigured if you interface is unused, or the interface faces neither the branch nor the core
Step 6	Check Enable mitigation to apply mitigation actions to this interface.
Step 7	If you want to capture raw packet data and send it from the network element to the agent, take the following steps: Check Enable PBC/DPI on one or more interfaces to enable raw packet capture. Select a network element interface from the Raw Packet Tx Interface (on NE) drop-down on which the network element passes raw packets to the agent Select a agent interface from the Raw Packet Rx Interface (on Agent) drop-down on which the agent receives raw packets from the network element.
Step 8	If you want to enable the packet buffer capture (PBC) feature, check Enable PBC. You must enable capturing raw packet data.
Step 9	If you want to capture DNS query information, check Enable DPI/DPS. You must enable capturing raw packet data.
Step 10	Click Submit.
Step 11	Click Submit.
Step 12	If you want to create a template to apply this configuration to other agents, click Create template.

---

What to Do Next

• Allow the system time to perform the initial learning phase, as described in Initial Learning Phase Overview.

Initial Learning Phase Overview

After you manage your agents with the controller, allow the system to run for seven days, inspect your network traffic, and build a baseline traffic model.

The Learning Network License system identifies anomalies by comparing detected traffic to the baseline model, and noting deviations. After system deployment, each agent inspects traffic traversing the router. During this initial learning phase, the agent builds a baseline traffic model. The model includes dynamically-generated clusters of hosts, and what types of application traffic are transmitted between clusters at what times of day.

If you log into the controller web UI while the system is learning about your network, you may see very few or no reported anomalies, as the system cannot compare against a baseline yet. Towards the end of the initial learning phase, the system may start reporting anomalies, but without a complete baseline, these anomalies may not be relevant. After the initial learning phase, when each agent completes its baseline model, the system can properly identify anomalous traffic that deviates from the baseline.

For more information, see the Cisco Stealthwatch Learning Network License Configuration Guide.

Next Steps

After you deploy the Learning Network License system, you can perform the following:

• Configure audit and event logging. See the Cisco Stealthwatch Learning Network License Virtual Service Installation Guide for more information.

• Integrate with an Identity Services Engine (ISE) server by configuring pxGrid integration. See the Cisco Stealthwatch Learning Network License Virtual Service Installation Guide for more information.

• Log into the controller web UI to configure user display settings, view anomalies and assign relevance feedback, configure mitigations for an anomaly, and configure external system integration. See the Cisco Stealthwatch Learning Network License Configuration Guide for more information.

For Assistance

Thank you for using Cisco products.

For information on obtaining documentation, using the Cisco Bug Search Tool (BST), submitting a service request, and gathering additional information about the Firepower System, see What’s New in Cisco Product Documentation at http:/​/​www.cisco.com/​c/​en/​us/​td/​docs/​general/​whatsnew/​whatsnew.html.

Subscribe to What’s New in Cisco Product Documentation, which lists all new and revised Cisco technical documentation, as an RSS feed and deliver content directly to your desktop using a reader application. The RSS feeds are a free service.

If you have any questions or require assistance with the Cisco Stealthwatch Learning Network License system, please contact Cisco Support:

• Visit the Cisco Support site at http:/​/​support.cisco.com.

• Email Cisco Support at tac@cisco.com.

• Call Cisco Support at 1.408.526.7209 or 1.800.553.2447.

Copyright © 2016, Cisco Systems, Inc. All rights reserved.