CISCO 742 Secure Network Analytics Installation Guide
- June 15, 2024
- Cisco
742 Secure Network Analytics
Product Information
Specifications
- Product Name: Cisco Secure Network Analytics Virtual Edition Appliance
- Version: 7.4.2
Introduction
The Cisco Secure Network Analytics Virtual Edition Appliance is
a software-based network analytics solution. It provides advanced
monitoring and analysis features for network traffic. This
installation guide will help you install and configure the
appliance to ensure optimal performance and functionality.
Product Usage Instructions
Installation Methods
The Cisco Secure Network Analytics Virtual Edition Appliance can
be installed using VMware or KVM virtualization platforms. Choose
the appropriate installation method based on your environment.
Compatibility
Ensure that your system meets the compatibility requirements for
running the Cisco Secure Network Analytics Virtual Edition
Appliance. Check the system requirements provided by Cisco to
ensure a smooth installation process.
Downloading Software
Before starting the installation, make sure to download the
necessary software files from Cisco Software Central. Log in to the
portal and download the installation files for the Virtual Edition
Appliance.
Configuration Requirements
During the installation process, you will need to configure
various settings to ensure proper communication and functionality
of the appliance. These settings include:
- Firewall configuration
- Open ports and protocols
- Network configurations for inter-Data Node communications
- Monitoring configurations for traffic analysis
Installing the Virtual Appliance
To install the Cisco Secure Network Analytics Virtual Edition
Appliance, follow these steps:
- Log in to your virtualization platform (VMware vCenter or KVM).
- Configure the necessary network settings, such as isolated LAN for inter-Data Node communications.
- Download the Virtual Edition installation files from Cisco Software Central.
- Follow the installation instructions provided by Cisco for your specific virtualization platform (VMware or KVM).
- Configure the appliance settings during the installation process, including host name, domain name, NTP server, and time zone.
- Complete the installation and verify the functionality of the Virtual Edition Appliance.
FAQ
Q: What are the system requirements for running the Cisco
Secure Network Analytics Virtual Edition Appliance?
A: The system requirements vary based on the virtualization
platform used. Please refer to the compatibility guide provided by
Cisco for detailed system requirements.
Q: How can I download the installation files for the Virtual
Edition Appliance?
A: To download the installation files, log in to Cisco Software
Central using your Cisco account credentials. Navigate to the
appropriate product section and download the Virtual Edition
installation files.
Q: What network configurations are required for inter-Data Node
communications?
A: Depending on your virtualization platform, you will need to
configure either a vSphere Standard Switch or a vSphere Distributed
Switch to enable communication between Data Nodes. Please refer to
the installation guide for detailed instructions.
Cisco Secure Network Analytics
Virtual Edition Appliance Installation Guide 7.4.2
Table of Contents
- Introduction
- Overview
- Audience
- Installing Appliances and Configuring Your System
- Related Information
- Terminology
- Abbreviations
- Secure Network Analytics without Data Store
- Secure Network Analytics with Data Store
- Queries
- Data Store Storage and Fault Tolerance
- Telemetry Storage Example
- General Deployment Requirements
- Installation Methods
- Compatibility
- General Requirements for All Appliances
- VMware
- KVM
- Downloading Software
- TLS
- Third Party Applications
- Browsers
- Host Name
- Domain Name
- NTP Server
- Time Zone
- Standard Appliance Requirements (without Data Store)
- Manager and Flow Collector Deployment Requirements
© 2023 Cisco Systems, Inc. and/or its affiliates. All rights reserved.
- Data Store Deployment Requirements
- Appliance Requirements (with Data Store)
- Manager and Flow Collector Deployment Requirements
- Data Node Deployment Requirements
- Multi-Data Node Deployment
- Supported Hardware Metrics (with Analytics enabled)
- Supported Hardware Metrics (without Analytics enabled)
- Single Data Node Deployment
- Data Node Configuration Requirements
- Networking and Switching Considerations
- Virtual Switch Example
- Data Store Placement Considerations
- Analytics Deployment Requirements
- Resource Requirements
- CPU Settings Calculation
- Manager Virtual Edition
- Manager
- Flow Collector Virtual Edition
- Flow Collector without Data Store
- Flow Collector with Data Store
- Data Node Virtual Edition
- Data Store with a Single Virtual Data Node
- Data Store with 3 Virtual Data Nodes
- Flow Sensor Virtual Edition
- Flow Sensor Virtual Edition Network Environments
- Flow Sensor Virtual Edition Traffic
- UDP Director Virtual Edition
- Calculating Flows Per Second (Optional)
- Calculating Flows Per Second for Flow Collector Storage (Deployments without Data Store)
- Calculating Flows Per Second for Data Node Storage
- 1. Configuring Your Firewall for Communications
- Open Ports (All Appliances)
- Additional Open Ports for Data Nodes
- Communication Ports and Protocols
- Additional Open Ports for Data Store
- Optional Communication Ports
- Secure Network Analytics Deployment Example
- Secure Network Analytics Deployment with Data Store Example
- 2. Downloading Virtual Edition Installation Files
- Installation Files
- 1. Log in to Cisco Software Central
- 2. Download Files
- 3a. Installing a Virtual Appliance using VMware vCenter (ISO)
- Overview
- Before You Begin
- Installing a Virtual Appliance Using vCenter (ISO)
- Data Nodes
- Flow Sensors
- All Other Appliances
- 1. Configuring an Isolated LAN for inter-Data Node Communications
- Configuring a vSphere Standard Switch
- Configuring a vSphere Distributed Switch
- 2. Configuring the Flow Sensor to Monitor Traffic
- Monitoring External Traffic with PCI Pass-Through
- Monitoring a vSwitch with Multiple Hosts
- Configuration Requirements
- Monitoring a vSwitch with a Single Host
- Configuration Requirements
- Configure the Port Group to Promiscuous Mode
- 3. Installing the Virtual Appliance
- 4. Defining Additional Monitoring Ports (Flow Sensors only)
- 3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO)
- Overview
- Before You Begin
- Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO)
- Process Overview
- Data Nodes
- 1. Logging in to the VMware Web Client
- 2. Booting from the ISO
- 3c. Installing a Virtual Appliance on a KVM Host (ISO)
- Overview
- Before You Begin
- Installing a Virtual Appliance on a KVM Host (ISO)
- Process Overview
- Configuring an Isolated LAN for Data Nodes
- 1. Installing a Virtual Appliance on a KVM Host
- Monitoring Traffic
- Configuration Requirements
- Installing a Virtual Appliance on a KVM Host
- 2. Adding NIC (Data Node, Flow Sensor) and Promiscuous Port Monitoring on an Open vSwitch (Flow Sensors Only)
- 4. Configuring Your Secure Network Analytics System
- System Configuration Requirements
- SNA Contacting Support
- Change History
Introduction
Overview
Use this guide to install the following Cisco Secure Network Analytics
(formerly Stealthwatch) Virtual Edition appliances:
- Cisco Secure Network Analytics Manager (formerly Stealthwatch Management Console) Virtual Edition
- Cisco Secure Network Analytics Data Store Virtual Edition
- Cisco Secure Network Analytics Flow Collector Virtual Edition
- Cisco Secure Network Analytics Flow Sensor Virtual Edition
- Cisco Secure Network Analytics UDP Director Virtual Edition
Audience
The intended audience for this guide includes network administrators and other
personnel who are responsible for installing and configuring Secure Network
Analytics products. If you are configuring virtual appliances, we assume you
have basic familiarity with VMware or KVM. If you prefer to work with a
professional installer, please contact your local Cisco Partner or Cisco
Support.
Installing Appliances and Configuring Your System
Please note the overall workflow for installing and configuring Secure Network
Analytics.
1. Install Appliances: Install your Secure Network Analytics Virtual Edition
appliances using this installation guide. To install hardware (physical)
appliances, follow the instructions in the x2xx Series Hardware Appliance
Installation Guide or the x3xx Series Hardware Appliance Installation Guide.
2. Configure Secure Network Analytics: After you install hardware and virtual
appliances, you are ready to configure Secure Network Analytics into a managed
system. Follow the instructions in the Secure Network Analytics System
Configuration Guide v7.4.2.
Related Information
For more information about Secure Network Analytics, refer to the following
resources:
- Overview: https://www.cisco.com/c/en/us/products/security/stealthwatch/index.html
- Data Store Design Guide: https://www.cisco.com/c/dam/en/us/products/collateral/security/stealthwatch/stealthwatch-data-store-guide.pdf
Terminology
This guide uses the term “appliance” for any Secure Network Analytics product,
including virtual products such as the Flow Sensor Virtual Edition (VE).
A “cluster” is your group of Secure Network Analytics appliances that are
managed by the Manager.
Abbreviations
The following abbreviations may appear in this guide:
| Abbreviation | Definition |
|---|---|
| DNS | Domain Name System (Service or Server) |
| dvPort | Distributed Virtual Port |
| ESX | Enterprise Server X |
| GB | Gigabyte |
| IDS | Intrusion Detection System |
| IPS | Intrusion Prevention System |
| ISO | International Standards Organization |
| IT | Information Technology |
| KVM | Kernel-based Virtual Machine |
| MTU | Maximum Transmission Unit |
| NTP | Network Time Protocol |
| TB | Terabyte |
| UUID | Universally Unique Identifier |
| VDS | vNetwork Distributed Switch |
| VLAN | Virtual Local Area Network |
| VM | Virtual Machine |
Secure Network Analytics without Data Store
In a Secure Network Analytics deployment without a Data Store, one or more
Flow Collectors ingests and deduplicates data, performs analysis, and reports
data and results directly to the Manager. To resolve user-submitted queries,
including graphs and charts, the Manager queries all of the managed Flow
Collectors. Each Flow Collector returns matching results to the Manager. The
Manager collates the information from the different result sets, then
generates a graph or chart displaying the results. In this deployment, each
Flow Collector stores data on a local database. See the following diagram for
an example.
Secure Network Analytics with Data Store
In a Secure Network Analytics deployment with a Data Store, the Data Store
cluster sits between your Manager and Flow Collectors. One or more Flow
Collectors ingests and deduplicates flows, performs analysis, and reports data
and results directly to the Data Store, distributing it roughly equally to all
of the Data Nodes. The Data Store facilitates data storage, keeps all of your
traffic in that centralized location as opposed to spread across multiple Flow
Collectors, and it offers greater storage capacity than multiple Flow
Collectors. See the following diagram for an example.
The Data Store provides a central repository to store your network’s telemetry, collected by your Flow Collectors. The Data Store is comprised of a cluster of Data Nodes, each containing a portion of your data, and a backup of a separate Data Node’s data. Because all of your data is in one centralized database, as opposed to spread across multiple Flow Collectors, your Manager can retrieve query results from the Data Store more quickly than if it queried all of your Flow Collectors separately. The Data Store cluster provides
improved fault tolerance, improved query response, and quicker graph and chart
population.
Queries
To resolve user-submitted queries, including graphs and charts, the Manager
queries the Data Store. The Data Store finds matching results in the columns
relevant to the query, then retrieves the matching rows and returns the query
results to the Manager. The Manager generates the graph or chart without
needing to collate multiple result sets from multiple Flow Collectors. This
reduces the cost of querying, as compared to querying multiple Flow
Collectors, and improves query performance.
Data Store Storage and Fault Tolerance
The Data Store collects data from Flow Collectors and distributes it equally
across Data Nodes within the cluster. Each Data Node, in addition to storing a
portion of your overall telemetry, also stores a backup of another Data Node’s
telemetry. Storing data in this fashion:
- helps with load balancing
- distributes processing across each node
- ensures all data ingested into the Data Store has a backup for fault tolerance
- allows for increasing the number of Data Nodes to improve overall storage and query performance
If your Data Store has 3 or more Data Nodes, and a Data Node goes down, as
long as the Data Node containing its backup is still available, and at least
half of your total number of Data Nodes are still up, the overall Data Store
remains up. This allows you time to repair the downed connection or faulty
hardware. After you replace the faulty Data Node, the Data Store restores that
node’s data from the existing backup stored on the adjacent Data Node, and
creates a backup of data on that Data Node.
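The availability rule above can be modelled to see which failure combinations a cluster survives. This is an added example, not Cisco code: it assumes the nodes form a ring in which node i's backup is held by node (i + 1) mod n, since the guide only says the backup sits on an adjacent Data Node.

```python
from itertools import combinations


def backup_holder(node, total_nodes):
    # Assumption: ring layout, backup on the next node. The guide only says "adjacent".
    return (node + 1) % total_nodes


def data_store_up(total_nodes, down):
    """Apply the guide's rule: every downed node's backup holder is still
    available, and at least half of all Data Nodes are still up."""
    down = set(down)
    if not down:
        return True
    if total_nodes < 3:
        # The stated rule covers 3 or more Data Nodes; a single node has no peer.
        return False
    up_count = total_nodes - len(down)
    if up_count * 2 < total_nodes:
        return False
    return all(backup_holder(node, total_nodes) not in down for node in down)


def tolerated_failures(total_nodes, failed_count):
    """List every set of `failed_count` simultaneous failures the cluster survives."""
    return [
        combo
        for combo in combinations(range(total_nodes), failed_count)
        if data_store_up(total_nodes, combo)
    ]


if __name__ == "__main__":
    # Constructed scenarios for a 6-node Data Store.
    for down in ({0}, {0, 3}, {0, 1}, {0, 2, 4}, {0, 1, 2, 3}):
        state = "up" if data_store_up(6, down) else "down"
        print(f"6 nodes, down={sorted(down)} -> Data Store {state}")
    print("survivable 2-node failures:", len(tolerated_failures(6, 2)), "of 15")
```

In a 6-node cluster, losing two adjacent nodes takes the Data Store down even though four of six nodes are still up, because one of the downed nodes held the other's backup.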
Telemetry Storage Example
See the following diagram for an example of how 3 Data Nodes store telemetry:
General Deployment Requirements
Before you begin, review this guide to understand the process as well as the
preparation, time, and resources you’ll need to plan for the installation.
Installation Methods
You can use a VMware environment or KVM (Kernel-based Virtual Machine) for the
virtual appliance installation.
Before you start the installation, review the Compatibility information and
Resource Requirements shown in the following sections.
| Method | Installation Instructions (for reference) | Installation File | Details |
|---|---|---|---|
| VMware vCenter | 3a. Installing a Virtual Appliance using VMware vCenter (ISO) | ISO | Installing your virtual appliances using VMware vCenter. |
| VMware ESXi Stand-Alone Server | 3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO) | ISO | Installing your virtual appliances on an ESXi stand-alone host server. |
| KVM and Virtual Machine Manager | 3c. Installing a Virtual Appliance on a KVM Host (ISO) | ISO | Installing your virtual appliances using KVM and Virtual Machine Manager. |
Compatibility
Whether you plan to install your virtual appliances in a VMware environment or
KVM (Kernel-based Virtual Machine), make sure you review the following
compatibility information:
General Requirements for All Appliances
| Requirement | Description |
|---|---|
| Dedicated Resources | All appliances require the allocation of dedicated resources and cannot be shared with other appliances or hosts. |
| No Live Migration | Appliances do not support vMotion due to the possibility of corruption. |
| Network Adapter | All appliances require at least 1 network adapter. Flow Sensors can be configured with additional adapters to support additional throughput. Data Nodes require a second network adapter for communication with other Data Nodes as part of the Data Store. |
| Storage Controller | When configuring the ISO in VMware, select the LSI Logic SAS SCSI Controller type. |
| Storage Provisioning | Assign Thick Provisioned Lazy Zeroed storage provisioning when deploying virtual appliances. |
VMware
- Compatibility: VMware 7.0 or 8.0.
- Operating System: Debian 11 64-bit
- Network Adapter: The VMXNET3 Adapter Type is recommended for best performance.
- ISO Deployment: Secure Network Analytics v7.4.2 is compatible with VMware 7.0 and 8.0. We do not support VMware 6.0, 6.5, or 6.7 with Secure Network Analytics v7.4.x. For more information, refer to VMware documentation for vSphere 6.0, 6.5, and 6.7 End of General Support.
- Live migration: We do not support host to host live migration (for example, with vMotion).
- Snapshots: Virtual machine snapshots are not supported.
Do not install VMware Tools on a Secure Network Analytics virtual appliance
because it will override the custom version already installed. Doing so would
render the virtual appliance inoperable and require reinstallation.
KVM
- Compatibility: You can use any compatible Linux distribution.
- KVM Host Versions: There are several methods used to install a virtual machine on a KVM host. We tested KVM and validated performance using the following components:
  - libvirt 2.10 – 7.1.0
  - qemu-KVM 2.6.1 – 5.2.0
  - Open vSwitch 2.6.x – 2.15.x
  - Linux Kernel 4.4.x, and some 5.10.x
- Operating System: Debian 11 64-bit.
- Virtualization Host: For minimum requirements and best performance, review the Resource Requirements section and see the hardware specification sheet for your appliance at Cisco.com.
The system performance is determined by the host environment. Your performance
may vary.
Downloading Software
Use Cisco Software Central to download virtual appliance (VE) installation
files, patches, and software update files. Log in to your Cisco Smart Account
at https://software.cisco.com or contact your administrator. Refer to 2.
Downloading Virtual Edition Installation Files for instructions.
TLS
Secure Network Analytics requires TLS v1.2.
Third Party Applications
Secure Network Analytics does not support installing third party applications
on appliances.
Browsers
- Compatible Browsers: Secure Network Analytics supports the latest version of Chrome, Firefox, and Edge.
- Microsoft Edge: There may be a file size limitation with Microsoft Edge. We do not recommend using Microsoft Edge to install the Virtual Edition ISO files.
Host Name
A unique host name is required for each appliance. We cannot configure an
appliance with the same host name as another appliance. Also, make sure each
appliance host name meets the Internet standard requirements for Internet
hosts.
Domain Name
A fully qualified domain name is required for each appliance. We cannot
install an appliance with an empty domain.
NTP Server
- Configuration: At least 1 NTP server is required for each appliance.
- Problematic NTP: Remove the 130.126.24.53 NTP server if it is in your list of servers. This server is known to be problematic and it is no longer supported in our default list of NTP servers.
Time Zone
All Secure Network Analytics appliances use Coordinated Universal Time (UTC).
- Virtual Host Server: Make sure your virtual host server is set to the correct time.
Make sure the time setting on the virtual host server (where you will be
installing the virtual appliances) is set to the correct time. Otherwise, the
appliances may not be able to boot up.
Standard Appliance Requirements (without Data Store)
If you are installing Secure Network Analytics without a Data Store, install
the following appliances:
| Appliance | Requirement |
|---|---|
| Manager | Minimum of 1 Manager |
| Flow Collector | Minimum of 1 Flow Collector |
| UDP Director | Optional |
| Flow Sensor | Optional |
To review appliance installation requirements for Secure Network Analytics
with a Data Store, refer to Data Store Deployment Requirements.
Manager and Flow Collector Deployment Requirements
For each Manager and Flow Collector that you deploy, assign a routable IP
address to the eth0 management port.
Data Store Deployment Requirements
To deploy Secure Network Analytics with a Data Store, review the following
requirements and recommendations for your deployment.
Appliance Requirements (with Data Store)
The following table provides an overview for the appliances required to deploy
Secure Network Analytics with Data Store.
| Appliance | Requirement |
|---|---|
| Manager | Minimum of 1 Manager |
| Data Store | Minimum of 1 or 3 Data Nodes. Additional sets of 3 Data Nodes to expand the Data Store, maximum of 36 Data Nodes. Deploying only 2 Data Nodes in a cluster is not supported. |
| Flow Collector | Minimum of 1 Flow Collector |
| Flow Sensor | Optional |
Manager and Flow Collector Deployment Requirements
For each Manager and Flow Collector that you deploy, assign a routable IP
address to the eth0 management port.
Data Node Deployment Requirements
Each Data Store is comprised of Data Nodes.
- Virtual Edition: When you download a virtual Data Store, you can deploy 1, 3, or more Data Nodes Virtual Edition (in sets of 3).
- Hardware: You can also install hardware Data Nodes. A DN 6300 Data Store provides a single Data Node hardware chassis.
Make sure your Data Nodes are all hardware or all Virtual Edition. Mixing hardware and virtual Data Nodes is not supported and hardware must be from the same hardware generation (all DS 6200 or all DN 6300).
Multi-Data Node Deployment
A multi-Data Node deployment provides maximum performance results. Note the
following:
- Sets of Three: The Data Nodes can be clustered as part of your Data Store in sets of 3, from a minimum of 3 to a maximum of 36. Deploying only 2 Data Nodes in a cluster is not supported.
- All Hardware or All Virtual: Make sure your Data Nodes are all hardware (of the same generation) or all Virtual Edition. Mixing hardware and virtual Data Nodes or mixing Data Store 6200 and Data Node 6300 Data Nodes is not supported.
- Data Node Profile Size: If you deploy Virtual Edition Data Nodes, make sure they are all the same profile size so they have the same RAM, CPU, and disk space. For details, refer to Data Node Virtual Edition in the Resource Requirements section.
Supported Hardware Metrics (with Analytics enabled)
| Number of Nodes | Flows Per Second | Unique Internal Hosts |
|---|---|---|
| 1 | 600,000 | 1.3 million |
| 3 and above | 600,000 | 1.3 million |
| 3 and above | 850,000 | 700,000 |
These recommendations consider only telemetry. Your performance may vary
depending on additional factors, including host count, Flow Sensor use,
traffic profiles, and other network characteristics. Contact Cisco Support for
assistance with sizing.
Supported Hardware Metrics (without Analytics enabled)
| Number of Nodes | Flows Per Second | Unique Internal Hosts |
|---|---|---|
| 1 | Up to 1 million | Up to 33 million |
| 3 and above | Up to 3 million | Up to 33 million |
These numbers are generated in our test environments using average customer
data with 1.3 million unique hosts. There are several factors that may affect
your specific performance, such as number of hosts, average flow size, and
more. Contact Cisco Support for assistance with sizing.
Single Data Node Deployment
If you choose to deploy a single (1) Data Node:
- Flow Collectors: A maximum of 4 Flow Collectors are supported.
- Adding Data Nodes: If you deploy only one Data Node, you can add Data Nodes to your deployment in the future. Refer to Multi-Data Node Deployment for details.
These recommendations consider only telemetry. Your performance may vary depending on additional factors, including host count, Flow Sensor use, traffic profiles, and other network characteristics. Contact Cisco Support for assistance with sizing.
Currently, the Data Store does not support deploying spare Data Nodes as
automatic replacements if a primary Data Node goes down. Contact Cisco Support
for guidance.
Data Node Configuration Requirements
To deploy a Data Store, assign the following to each Data Node. The
information you prepare will be configured in First Time Setup using the
System Configuration Guide.
- Routable IP Address (eth0): For management, ingest, and query communications with your Secure Network Analytics appliances.
- Inter-Data Node Communications: Configure a non-routable IP address from the 169.254.42.0/24 CIDR block within a private LAN or VLAN to be used for inter-Data Node communication.
  For improved throughput performance, connect the port channel containing eth2 and eth3. Ensure that each Data Node can reach every other Data Node through a virtual switch or isolated network. As part of the Data Store, your Data Nodes communicate between and among each other.
- Network Connections: You need two network connections, one for the management, ingest, and query communications, and one for the inter-Data Node communications.
Networking and Switching Considerations
The following table provides an overview for the networking and switching
considerations for deploying Secure Network Analytics with a Data Store.
| Network Consideration | Description |
|---|---|
| Inter-Data Node Communications | Configure an isolated LAN with a virtual switch so that the Data Nodes can communicate with each other. Establish a recommended round-trip time (RTT) latency of under 200 microseconds between and among Data Nodes. Keep clock skew at 1 second or lower between and among your Data Nodes. Establish a recommended throughput of 6.4 Gbps or greater (10 Gbps full duplex switched connection) between and among your Data Nodes. |
| Data Node Switching | Data Nodes require their own Layer 2 VLAN to allow inter-Data Node communication. Virtual Data Nodes can be connected to an isolated network, depending on how you deploy your Data Nodes VE. |
| Secure Network Analytics Appliance Communications | Manager and Flow Collectors must be able to reach all Data Nodes. Data Nodes must be able to reach Manager, all Flow Collectors, and each Data Node. |
Currently, the Data Store does not support deploying spare Data Nodes as automatic replacements if a primary Data Node goes down. Please contact Cisco Support for guidance.
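A planned Data Store can be checked against the Data Node requirements above before any appliance is installed. The following is an added example, not part of the Cisco guide or product: the `DataNode` record, the finding codes, the host names, the `10.20.0.x` management addresses and the profile labels are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Limits quoted from the guide's Data Store requirements.
INTER_NODE_BLOCK = ipaddress.ip_network("169.254.42.0/24")
MAX_DATA_NODES = 36
MAX_CLOCK_SKEW_S = 1.0   # "clock skew at 1 second or lower"
MAX_RTT_US = 200.0       # recommended RTT is under 200 microseconds


@dataclass
class DataNode:          # hypothetical planning record, not a Cisco data format
    host_name: str
    kind: str            # "virtual" or "hardware"
    profile: str         # VE profile size or hardware generation (constructed labels)
    eth0: str            # management, ingest and query address
    inter_node_ip: str   # address on the isolated inter-Data Node LAN
    clock_offset_s: float = 0.0  # measured offset from a shared time reference


def _parse(value):
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def check_plan(nodes, rtt_us=None):
    """Return (code, detail) findings; an empty list means the plan passes.

    rtt_us maps (host_a, host_b) to a measured round-trip time in microseconds.
    """
    findings = []
    n = len(nodes)
    if n != 1 and (n == 0 or n % 3 != 0 or n > MAX_DATA_NODES):
        findings.append(("NODE_COUNT", f"{n} nodes; use 1, or sets of 3 up to {MAX_DATA_NODES}"))
    if len({d.kind for d in nodes}) > 1:
        findings.append(("MIXED_KIND", "hardware and virtual Data Nodes are mixed"))
    if len({d.profile for d in nodes}) > 1:
        findings.append(("MIXED_PROFILE", "profile size or hardware generation differs"))

    for attr, code in (("host_name", "DUP_HOST_NAME"), ("eth0", "DUP_ETH0"),
                       ("inter_node_ip", "DUP_INTER_NODE_IP")):
        values = [getattr(d, attr) for d in nodes]
        dups = sorted({v for v in values if values.count(v) > 1})
        if dups:
            findings.append((code, ", ".join(dups)))

    reserved = (INTER_NODE_BLOCK.network_address, INTER_NODE_BLOCK.broadcast_address)
    for d in nodes:
        mgmt = _parse(d.eth0)
        # eth0 must be routable: reject link-local, loopback and unspecified addresses.
        if mgmt is None or mgmt.is_link_local or mgmt.is_loopback or mgmt.is_unspecified:
            findings.append(("ETH0_NOT_ROUTABLE", f"{d.host_name}: {d.eth0}"))
        inter = _parse(d.inter_node_ip)
        if inter is None or inter not in INTER_NODE_BLOCK or inter in reserved:
            findings.append(("INTER_NODE_IP_OUTSIDE_BLOCK", f"{d.host_name}: {d.inter_node_ip}"))

    if nodes:
        offsets = [d.clock_offset_s for d in nodes]
        skew = max(offsets) - min(offsets)
        if skew > MAX_CLOCK_SKEW_S:
            findings.append(("CLOCK_SKEW", f"{skew:.3f} s between Data Nodes"))
    for (a, b), rtt in sorted((rtt_us or {}).items()):
        if rtt >= MAX_RTT_US:
            findings.append(("RTT", f"{a}<->{b}: {rtt:.0f} us"))
    return findings


# Constructed sample plans.
GOOD_PLAN = [
    DataNode("dn1", "virtual", "profile-a", "10.20.0.11", "169.254.42.11", 0.0),
    DataNode("dn2", "virtual", "profile-a", "10.20.0.12", "169.254.42.12", 0.2),
    DataNode("dn3", "virtual", "profile-a", "10.20.0.13", "169.254.42.13", -0.3),
]
GOOD_RTT = {("dn1", "dn2"): 120.0, ("dn1", "dn3"): 95.0, ("dn2", "dn3"): 140.0}
BAD_PLAN = [
    DataNode("dn1", "virtual", "profile-a", "10.20.0.11", "169.254.42.11", 0.0),
    DataNode("dn2", "virtual", "profile-b", "169.254.42.12", "10.20.0.12", 2.5),
]

if __name__ == "__main__":
    print("good plan:", check_plan(GOOD_PLAN, GOOD_RTT))
    for code, detail in check_plan(BAD_PLAN, {("dn1", "dn2"): 450.0}):
        print(f"{code}: {detail}")
```

The RTT and clock offset inputs have to come from measurements taken on the isolated inter-Data Node network; the script only compares them with the guide's thresholds.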
Virtual Switch Example
To enable inter-Data Node communications over eth1, configure a virtual switch
with an isolated LAN or VLAN for inter-Data Node communications. Dedicate the
virtual switch to inter-Data Node communications. Also configure a public LAN
or VLAN for Data Nodes eth0 communications with the Manager and Flow
Collectors. See the following diagram for an example:
The Data Store cluster requires a continuous heartbeat between nodes within
the isolated VLAN. Without this heartbeat, Data Nodes may potentially go
offline, which increases the risk of the Data Store going down.
Contact Cisco Professional Services for assistance with planning your
deployment.
Data Store Placement Considerations
Place each Data Node so that it can communicate with all of your Flow
Collectors, your Manager, and every other Data Node. For best performance,
colocate your Data Nodes and Flow Collectors to minimize communication
latency, and colocate Data Nodes and Manager for optimum query performance.
- Firewall: We highly recommend placing the Data Nodes within your firewall, such as within a NOC.
- Physical Host/Hypervisor: For ease of configuration, deploy all of your Data Nodes Virtual Edition to the same physical host/hypervisor, to simplify configuration of inter-Data Node configuration over an isolated LAN.
- Power: If the Data Store goes down due to loss of power or hardware failure, you run an increased risk of data corruption and data loss. Install your Data Nodes with constant uptime in mind.
If a Data Node loses power unexpectedly, and you reboot the appliance, the
database instance on that Data Node may not automatically restart. Refer to
the System Configuration Guide for troubleshooting and manually restarting the
database.
Analytics Deployment Requirements
Secure Network Analytics uses dynamic entity modeling to track the state of
your network. In the context of Secure Network Analytics, an entity is
something that can be tracked over time, such as a host or endpoint on your
network. Dynamic entity modeling gathers information about entities based on
the traffic they transmit and activities they perform on your network. For
more information, refer to the Analytics: Detections, Alerts, and Observations
Guide. In order to enable Analytics, your deployment must be configured:
- on a Virtual or a Hardware Data Store deployment with any number of Flow Collectors.
- with only 1 Secure Network Analytics Data Store domain.
Resource Requirements
This section provides the resource requirements for the virtual appliances.
Use the tables provided in this section to record settings you will need to
install and configure the Secure Network Analytics Virtual Edition appliances.
- Manager Virtual Edition
- Flow Collector Virtual Edition
- Data Node Virtual Edition
- Flow Sensor Virtual Edition
- UDP Director Virtual Edition
- Calculating Flows Per Second (Optional)
Make sure you reserve the required resources for your system. This step is
critical for system performance.
If you choose to deploy Cisco Secure Network Analytics appliances without the
required resources, you assume the responsibility to closely monitor your
appliance resource utilization and increase resources as needed to ensure
proper health and function of the deployment.
The gigabyte or GB references in the following tables are defined as follows: a
unit of information equal to 2 raised to the 30th power, or strictly
1,073,741,824 bytes.
CPU Settings Calculation
For maximum performance when reserving CPUs on EXSi hosts, ensure that in your
CPU Settings, the Reservation setting for CPU frequency uses the following
calculation:
For more information, refer to 3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO).
Manager Virtual Edition
To determine the minimum resource allocations for the Manager Virtual Edition,
determine the number of concurrent users expected to log in to the Manager.
Refer to the following specifications to determine your resource allocations:
Manager

| Concurrent Users* | Required Reserved CPUs | Required Reserved Memory | Required Minimum Storage | Flows per second | Internal Hosts |
|---|---|---|---|---|---|
| up to 9 | 6 | 40 GB | 200 GB | Up to 100,000 | 100,000 |
| over 10 | 12 | 70 GB | 480 GB | Over 100,000 | 250,000 |

*Concurrent users include scheduled reports and people using the Manager client at the same time.
Flow Collector Virtual Edition
To determine your resource requirements for the Flow Collector Virtual
Edition, make sure you calculate the flows per second expected on the network
and the number of exporters and hosts it is expected to monitor. Refer to the
Calculating Flows Per Second section for details.
Also, the minimum storage space may increase based on your FPS calculation and
your retention requirements.
Because the Data Nodes within a Data Store will store flows instead of the
Flow Collectors, make sure you refer to the specifications for your planned
deployment (without Data Store or with Data Store).
Flow Collector without Data Store

| Flows per second | Required Reserved CPUs | Required Reserved Memory | Required Minimum Data Storage for 30 Days | Interfaces | Exporters | Internal Hosts |
|---|---|---|---|---|---|---|
| Up to 10,000 | 2 | 24 GB | 600 GB | Up to 65535 | Up to 1024 | 25,000 |
| Up to 30,000 | 6 | 32 GB | 900 GB | Up to 65535 | Up to 1024 | 100,000 |
| Up to 60,000 | 8 | 64 GB | 1.8 TB | Up to 65535 | Up to 2048 | 250,000 |
| Up to 120,000 | 12 | 128 GB | 3.6 TB | Up to 65535 | Up to 4096 | over 250,000 |

Flow Collector with Data Store

| Flows per second | Required Reserved CPUs | Required Reserved Memory | Required Minimum Storage | Interfaces | Exporters | Internal Hosts |
|---|---|---|---|---|---|---|
| Up to 10,000 | 2 | 24 GB | 200 GB | Up to 65535 | Up to 1024 | 25,000 |
| Up to 30,000 | 6 | 32 GB | 200 GB | Up to 65535 | Up to 1024 | 50,000 |
| Up to 60,000 | 8 | 64 GB | 200 GB | Up to 65535 | Up to 2048 | 100,000 |
| Up to 120,000 | 12 | 128 GB | 200 GB | Up to 65535 | Up to 4096 | 250,000 |

Data Node Virtual Edition
Review the following information to calculate resource requirements for the
Data Node Virtual Edition.
- Calculate Flows Per Second: Determine the flows per second expected on the
  network. Refer to the Calculating Flows Per Second section for details.
- Number of Data Nodes: You can deploy 1 Data Node or 3 or more Data Nodes (in
  sets of 3). For details, refer to Appliance Requirements (with Data Store).
Based on your Flows Per Second calculations, refer to the following
specifications to determine your resource requirements:
Data Store with a Single Virtual Data Node

| Flows per second | Required Reserved CPUs | Required Reserved Memory | Required Minimum Storage for Single Data Node for 30 Days of Retention |
|---|---|---|---|
| Up to 30,000 | 6 | 32 GB | 2.25 TB |
| Up to 60,000 | 6 | 32 GB | 4.5 TB |
| Up to 120,000 | 12 | 32 GB | 9 TB |
| Up to 225,000 | 18 | 64 GB | 18 TB |

Data Store with 3 Virtual Data Nodes

| Flows per second | Required Reserved CPUs | Required Reserved Memory | Required Minimum Storage for each Data Node for 30 Days of Retention | Required Minimum Storage for 3 Data Node Data Store for 30 Days of Retention |
|---|---|---|---|---|
| Up to 30,000 | 6 | 32 GB | 1.5 TB per Data Node | 4.5 TB total for Data Store |
| Up to 60,000 | 6 | 32 GB | 3 TB per Data Node | 9 TB total for Data Store |
| Up to 120,000 | 12 | 32 GB | 6 TB per Data Node | 18 TB total for Data Store |
| Up to 220,000 | 18 | 64 GB | 10 TB per Data Node* | 30 TB total for Data Store* |
| Up to 500,000 | 18 | 64 GB | 15 TB per Data Node* | 45 TB total for Data Store* |

*At scale Data Store optimizations are applied to reduce linear growth of telemetry
Flow Sensor Virtual Edition
This section describes the Flow Sensor Virtual Edition.
- Cache: The Flow Cache Size column indicates the maximum number of active
  flows that the Flow Sensor can process at the same time. The cache adjusts
  with the amount of reserved memory, and flows are flushed every 60 seconds.
  Use the Flow Cache Size to calculate the amount of memory needed for the
  amount of traffic being monitored.
- Requirements: Your environment may require more resources depending on a
  number of variables, such as average packet size, burst rate, and other
  network and host conditions.

| NICs monitoring ports | Required Reserved CPUs | Required Minimum Reserved Memory | Required Minimum Data Storage | Estimated Throughput | Flow Cache Size (maximum number of concurrent flows) |
|---|---|---|---|---|---|
| 1 x 1 Gbps | 2 | 4 GB | 75 GB | 850 Mbps | 32,766 |
| 2 x 1 Gbps | 4 | 8 GB | 75 GB | 1,850 Mbps. Interfaces configured as PCI passthrough (igb/ixgbe compliant or e1000e compliant) | 65,537 |
| 4 x 1 Gbps | 8 | 16 GB | 75 GB | 3,700 Mbps. Interfaces configured as PCI passthrough (igb/ixgbe compliant or e1000e compliant) | 131,073 |
| 1 x 10 Gbps* | 12 | 24 GB | 75 GB | 8 Gbps. Interfaces configured as PCI passthrough (Intel ixgbe/i40e compliant) | ~512,000 |
| 2 x 10 Gbps* | 22 | 40 GB | 75 GB | 16 Gbps. Interfaces configured as PCI passthrough (Intel ixgbe/i40e compliant) | ~1,000,000 |

*For 10 Gbps throughput, configure all CPUs in 1 socket. For each additional 10 Gbps NIC, add 10 vCPUs and 16 GB of RAM.
Optional: One or more 10G NICs may be used on the physical VM host.
Flow Sensor Virtual Edition Network Environments
Before installing the Flow Sensor Virtual Edition, make sure you know the type
of network environment you have. This guide covers all types of network
environments that a Flow Sensor Virtual Edition can monitor.
Compatibility: Secure Network Analytics supports a VDS environment, but it
does not support VMware Distributed Resource Scheduler (VM-DRS).
Virtual Network Environments: The Flow Sensor Virtual Edition monitors the
following types of virtual network environments:
- A network with virtual local area network (VLAN) trunking
- Discrete VLANs where one or more VLANs are prohibited from attaching packet
  monitoring devices (for example, due to local policy)
- Private VLANs
- Hypervisor hosts rather than VLANs
Flow Sensor Virtual Edition Traffic
The Flow Sensor will process traffic with the following Ethertypes:

| Ethertype | Protocol |
|---|---|
| 0x8000 | Normal IPv4 |
| 0x86dd | Normal IPv6 |
| 0x8909 | SXP |
| 0x8100 | VLAN |
| 0x88a8, 0x9100, 0x9200, 0x9300 | VLAN QnQ |
| 0x8847 | MPLS unicast |
| 0x8848 | MPLS multicast |

The Flow Sensor saves the top-level MPLS label or VLAN ID and exports it. It
bypasses the other labels when it is processing packets.
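The behaviour described above, as an added Python sketch (not Cisco code): it walks the VLAN, QnQ and MPLS tags listed in the table, keeps the outermost VLAN ID and MPLS label, and counts the inner ones it bypasses. The frame builders and sample frames are constructed for the example, and recording both a VLAN ID and an MPLS label when a frame carries both is an assumption the guide does not settle.

```python
import struct

# Tag EtherTypes taken from the table above (VLAN, VLAN QnQ, MPLS).
VLAN_TPIDS = {0x8100, 0x88A8, 0x9100, 0x9200, 0x9300}
MPLS_TYPES = {0x8847, 0x8848}


def vlan_tag(tpid, vlan_id, pcp=0):
    """Build one VLAN tag: 2-byte TPID followed by 2-byte PCP/DEI/VID."""
    return struct.pack("!HH", tpid, (pcp << 13) | (vlan_id & 0x0FFF))


def mpls_entry(label, bottom, tc=0, ttl=64):
    """Build one 4-byte MPLS label stack entry (label, TC, S bit, TTL)."""
    return struct.pack("!I", (label << 12) | (tc << 9) | (int(bottom) << 8) | ttl)


def top_level_tags(frame):
    """Return the outermost VLAN ID / MPLS label and how many tags were bypassed."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    out = {"vlan_id": None, "mpls_label": None, "bypassed": 0}
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    offset = 14

    # Stacked VLAN tags: keep the first VID, step over the rest.
    while ethertype in VLAN_TPIDS:
        if len(frame) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack_from("!HH", frame, offset)
        offset += 4
        if out["vlan_id"] is None:
            out["vlan_id"] = tci & 0x0FFF
        else:
            out["bypassed"] += 1

    # MPLS label stack: keep the top label, walk to the bottom-of-stack bit.
    if ethertype in MPLS_TYPES:
        bottom = False
        while not bottom:
            if len(frame) < offset + 4:
                raise ValueError("truncated MPLS label stack")
            (entry,) = struct.unpack_from("!I", frame, offset)
            offset += 4
            bottom = bool(entry & 0x100)
            if out["mpls_label"] is None:
                out["mpls_label"] = entry >> 12
            else:
                out["bypassed"] += 1

    out["ethertype"] = ethertype        # last EtherType seen after the VLAN tags
    out["payload_offset"] = offset      # first byte after all tags and labels
    return out


# Constructed sample frames (locally administered MACs, zero-filled payloads).
MACS = bytes.fromhex("020000000001") + bytes.fromhex("020000000002")
QINQ_FRAME = (MACS + vlan_tag(0x88A8, 100) + vlan_tag(0x8100, 200)
              + struct.pack("!H", 0x86DD) + bytes(40))
MPLS_FRAME = (MACS + struct.pack("!H", 0x8847)
              + mpls_entry(16001, bottom=False) + mpls_entry(30, bottom=True)
              + bytes(40))
TRUNCATED_FRAME = MACS + struct.pack("!H", 0x8100) + b"\x00"

if __name__ == "__main__":
    for name, frame in (("QinQ", QINQ_FRAME), ("MPLS", MPLS_FRAME)):
        print(name, top_level_tags(frame))
```

On the QinQ sample the result carries only the outer VLAN ID, which is the value the guide says the Flow Sensor exports.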
UDP Director Virtual Edition
The UDP Director Virtual Edition requires that the virtual machine meets the
following specifications. Also, the minimum storage space may increase based
on your FPS calculation and your retention requirements.
Required Reserved CPU
Required Reserved Memory
Minimum Data Storage
Maximum FPS Rate
2
4 GB
75 GB
10,000
Calculating Flows Per Second (Optional)
If you want to calculate your resource requirements based on a different
storage amount than we have provided in the previous sections, you can use the
Flows per Second (FPS) calculations shown here.
Calculating Flows Per Second for Flow Collector Storage (Deployments without
Data Store)
If you deploy a Flow Collector (NetFlow) without a Data Store, calculate the
storage allocation as follows:
[(daily average FPS/1,000) x 1.6 x days]
- Determine your daily average FPS
- Divide this number by 1,000 FPS
- Multiply this number by 1.6 GB of storage for one day’s worth of storage
- Multiply this number by the number of days you want to store the flows for
  total storage on the Flow Collector
For example, if your system:
- has 50,000 daily average FPS
- will store flows for 30 days,
calculate per Flow Collector as follows:
[(50,000/1,000) x 1.6 x 30] = 7200 GB (7.2 TB)
- daily average FPS = 50,000
- 50,000 daily average FPS / 1,000 = 50
- 50 x 1.6 GB = 80 GB for one day’s worth of storage
- 80 GB x 30 days per Flow Collector = 7200 GB per Flow Collector
Calculating Flows Per Second for Data Node Storage
If you deploy a Data Store Virtual Edition with 3 Data Nodes Virtual Edition,
we recommend that for each Data Node, calculate the storage allocation as
follows:
[(daily average FPS/1,000) x 1.6 x days] / number of Data Nodes
- Determine your daily average FPS
- Divide this number by 1,000 FPS
- Multiply this number by 1.6 GB of storage for one day’s worth of storage
- Multiply this number by the number of days you want to store the flows for
  total Data Store storage
- Divide this number by the number of Data Nodes in your Data Store for
  storage per Data Node
For example, if your system:
- has 50,000 daily average FPS
- will store flows for 90 days, and
- you have 3 Data Nodes
calculate per Data Node as follows:
[(50,000/1,000) x 1.6 x 90] / 3 = 2400 GB (2.4 TB) per Data Node
- daily average FPS = 50,000
- 50,000 daily average FPS / 1,000 = 50
- 50 x 1.6 GB = 80 GB for one day’s worth of storage
- 80 GB x 90 days per Data Store = 7200 GB per Data Store
- 7200 GB / 3 Data Nodes = 2400 GB (2.4 TB) per Data Node
1. Configuring Your Firewall for Communications
In order for the appliances to communicate properly, you should configure the
network so that firewalls or access control lists do not block the required
connections. Use the information provided in this section to configure your
network so that the appliances can communicate through the network.
Open Ports (All Appliances)
Consult with your network administrator to ensure that the following ports are
open and have unrestricted access on your appliances (Managers, Flow
Collectors, Data Nodes, Flow Sensors, and UDP Directors):
- TCP 22
- TCP 25
- TCP 389
- TCP 443
- TCP 2393
- TCP 8910
- UDP 53
- UDP 123
- UDP 161
- UDP 162
- UDP 389
- UDP 514
- UDP 2055
- UDP 6343
Additional Open Ports for Data Nodes
In addition, if you deploy Data Nodes to your network, ensure that the
following ports are open and have unrestricted access:
- TCP 5433
- TCP 5444
- TCP 9450
Communication Ports and Protocols
The following table shows how the ports are used in Secure Network Analytics:

| From (Client) | To (Server) | Port | Protocol |
|---|---|---|---|
| Admin User PC | All appliances | TCP/443 | HTTPS |
| All appliances | Network time source | UDP/123 | NTP |
| Active Directory | Manager | TCP/389, UDP/389 | LDAP |
| Cisco ISE | Manager | TCP/443 | HTTPS |
| Cisco ISE | Manager | TCP/8910 | XMPP |
| External log sources | Manager | UDP/514 | SYSLOG |
| Flow Collector | Manager | TCP/443 | HTTPS |
| UDP Director | Manager | TCP/443 | HTTPS |
| UDP Director | Flow Collector (sFlow) | UDP/6343 | sFlow |
| UDP Director | Flow Collector (NetFlow) | UDP/2055 | NetFlow |
| UDP Director | 3rd Party event management systems | UDP/514 | SYSLOG |
| Flow Sensor | Manager | TCP/443 | HTTPS |
| Flow Sensor | Flow Collector (NetFlow) | UDP/2055 | NetFlow |
| NetFlow Exporters | Flow Collector (NetFlow) | UDP/2055 | NetFlow |
| sFlow Exporters | Flow Collector (sFlow) | UDP/6343 | sFlow |
| Manager | UDP Director | TCP/443 | HTTPS |
| Manager | Cisco ISE | TCP/443 | HTTPS |
| Manager | Cisco ISE | TCP/8910 | XMPP |
| Manager | DNS | UDP/53 | DNS |
| Manager | Flow Collector | TCP/443 | HTTPS |
| Manager | Flow Sensor | TCP/443 | HTTPS |
| Manager | Flow Exporters | UDP/161 | SNMP |
| Manager | LDAP | TCP/636 | TLS |
| Manager | CRL Distribution Points | TCP/80 | HTTP |
| Manager | OCSP responders | TCP/80 | OCSP |
| User PC | Manager | TCP/443 | HTTPS |

*This is the default port, but any UDP port could be configured on the exporter.
Additional Open Ports for Data Store
The following lists the communication ports to open on your firewall to deploy
the Data Store.

| # | From (Client) | To (Server) | Port | Protocol or Purpose |
|---|---|---|---|---|
| 1 | Manager | Flow Collectors and Data Nodes | 22/TCP | SSH, required to initialize Data Store database |
| 1 | Data Nodes | all other Data Nodes | 22/TCP | SSH, required to initialize Data Store database and for database administration tasks |
| 2 | Manager, Flow Collectors, and Data Nodes | NTP server | 123/UDP | NTP, required for time synchronization |
| 2 | NTP server | Manager, Flow Collectors, and Data Nodes | 123/UDP | NTP, required for time synchronization |
| 3 | Manager | Flow Collectors and Data Nodes | 443/TCP | HTTPS, required for secure communications between appliances |
| 3 | Flow Collectors | Manager | 443/TCP | HTTPS, required for secure communications between appliances |
| 3 | Data Nodes | Manager | 443/TCP | HTTPS, required for secure communications between appliances |
| 4 | NetFlow Exporters | Flow Collectors – NetFlow | 2055/UDP | NetFlow ingestion |
| 5 | Data Nodes | all other Data Nodes | 4803/TCP | inter-Data Node messaging service |
| 6 | Data Node | all other Data Nodes | 4803/UDP | inter-Data Node messaging service |
| 7 | Data Nodes | all other Data Nodes | 4804/UDP | inter-Data Node messaging service |
| 8 | Manager, Flow Collectors, and Data Nodes | Data Nodes | 5433/TCP | Vertica client connections |
| 9 | Data Node | all other Data Nodes | 5433/UDP | Vertica messaging service monitoring |
| 10 | sFlow Exporters | Flow Collector (sFlow) | 6343/UDP | sFlow ingestion |
| 11 | Data Nodes | all other Data Nodes | 6543/UDP | inter-Data Node messaging service |

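An added example (not from the Cisco guide): a Python sketch that expands the Data Store port table above into concrete host-to-host flows for a given inventory and reports which of them a candidate firewall allow-list would block. The role names, addresses and sample rules are constructed, and the rule model is assumed to be a plain allow-list with an implicit deny (no rule ordering or deny entries).

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

M, FC, DN = "manager", "flow_collector", "data_node"
NTP, NF, SF = "ntp_server", "netflow_exporter", "sflow_exporter"

# (source roles, destination roles, protocol, port), transcribed row by row
# from the "Additional Open Ports for Data Store" table.
REQUIRED = [
    ((M,), (FC, DN), "tcp", 22),          # 1: SSH, initialize Data Store database
    ((DN,), (DN,), "tcp", 22),            # 1: SSH between Data Nodes
    ((M, FC, DN), (NTP,), "udp", 123),    # 2: NTP
    ((NTP,), (M, FC, DN), "udp", 123),    # 2: NTP
    ((M,), (FC, DN), "tcp", 443),         # 3: HTTPS
    ((FC, DN), (M,), "tcp", 443),         # 3: HTTPS
    ((NF,), (FC,), "udp", 2055),          # 4: NetFlow ingestion
    ((DN,), (DN,), "tcp", 4803),          # 5: inter-Data Node messaging
    ((DN,), (DN,), "udp", 4803),          # 6: inter-Data Node messaging
    ((DN,), (DN,), "udp", 4804),          # 7: inter-Data Node messaging
    ((M, FC, DN), (DN,), "tcp", 5433),    # 8: Vertica client connections
    ((DN,), (DN,), "udp", 5433),          # 9: Vertica messaging service monitoring
    ((SF,), (FC,), "udp", 6343),          # 10: sFlow ingestion
    ((DN,), (DN,), "udp", 6543),          # 11: inter-Data Node messaging
]

Rule = namedtuple("Rule", "src dst proto port")


def rule(src, dst, proto, port):
    """Build an allow rule from CIDR strings."""
    return Rule(ip_network(src), ip_network(dst), proto, port)


def required_flows(inventory):
    """Expand the role matrix into (src_ip, dst_ip, proto, port) tuples."""
    flows = set()
    for sources, dests, proto, port in REQUIRED:
        for s_role in sources:
            for d_role in dests:
                for s in map(ip_address, inventory.get(s_role, [])):
                    for d in map(ip_address, inventory.get(d_role, [])):
                        if s != d:  # "all other Data Nodes": skip self
                            flows.add((s, d, proto, port))
    return flows


def permitted(flow, rules):
    """True when at least one allow rule covers the flow."""
    src, dst, proto, port = flow
    return any(src in r.src and dst in r.dst and proto == r.proto
               and port == r.port for r in rules)


def missing_flows(inventory, rules):
    """Required flows that the allow-list would drop, in sorted order."""
    return sorted(f for f in required_flows(inventory) if not permitted(f, rules))


# Constructed inventory and candidate allow-list for the demonstration.
SAMPLE_INVENTORY = {
    M: ["10.0.0.10"], FC: ["10.0.0.20"],
    DN: ["10.0.0.31", "10.0.0.32", "10.0.0.33"],
    NTP: ["10.0.0.5"], NF: ["10.1.0.1"], SF: ["10.1.0.2"],
}
SAMPLE_RULES = [
    rule("10.0.0.0/24", "10.0.0.0/24", "tcp", 22),
    rule("10.0.0.0/24", "10.0.0.0/24", "tcp", 443),
    rule("10.0.0.0/24", "10.0.0.0/24", "udp", 123),
    rule("10.0.0.0/24", "10.0.0.0/24", "tcp", 4803),
    rule("10.0.0.0/24", "10.0.0.0/24", "tcp", 5433),
    rule("10.1.0.0/24", "10.0.0.20/32", "udp", 2055),
]

if __name__ == "__main__":
    for src, dst, proto, port in missing_flows(SAMPLE_INVENTORY, SAMPLE_RULES):
        print(f"blocked: {src} -> {dst} {port}/{proto}")
```

With the sample allow-list, every blocked flow is a UDP entry (4803, 4804, 5433, 6343, 6543), the kind of gap that appears when only the TCP half of a port pair such as 4803 or 5433 is opened.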
Optional Communication Ports
The following table is for optional configurations determined by your network
needs:

| From (Client) | To (Server) | Port | Protocol |
|---|---|---|---|
| All appliances | User PC | TCP/22 | SSH |
| Manager | 3rd Party event management systems | UDP/162 | SNMP-trap |
| Manager | 3rd Party event management systems | UDP/514 | SYSLOG |
| Manager | Email gateway | TCP/25 | SMTP |
| Manager | Threat Feed | TCP/443 | SSL |
| User PC | All appliances | TCP/22 | SSH |

Secure Network Analytics Deployment Example
The following diagram shows the various connections used by Secure Network
Analytics. Some of these ports are optional.
Secure Network Analytics Deployment with Data Store Example
As shown in the figure below, you can strategically deploy Secure Network
Analytics appliances to provide optimal coverage of key network segments
throughout the network, whether in the internal network, at the perimeter, or
in the DMZ.
2. Downloading Virtual Edition Installation Files
Use the following instructions to download the ISO files for your virtual
appliance installation.
Installation Files

| Virtual Machine | Appliance Installation File | Details |
|---|---|---|
| 3a. VMware vCenter | ISO | Installing your virtual appliances using VMware vCenter. |
| 3b. VMware ESXi Stand-Alone Server | ISO | Installing your virtual appliances on an ESXi stand-alone host server. |
| 3c. KVM and Virtual Machine Manager | ISO | Installing your virtual appliances using KVM and Virtual Machine Manager. |

1. Log in to Cisco Software Central
1. Log in to Cisco Software Central at https://software.cisco.com.
2. In the Download and manage > Download and Upgrade section, select Access
   downloads.
3. Scroll down until you see the Select a Product field.
4. You can access Secure Network Analytics files in two ways:
   - Search by Name: Type Secure Network Analytics in the Select a Product field.
     Press Enter.
   - Search by Menu: Click Browse All. Select Security > Network Visibility and
     Segmentation > Secure Analytics (Stealthwatch).
2. Download Files
1. Select an appliance type.
   - Secure Network Analytics Virtual Manager
   - Secure Network Analytics Virtual Flow Collector
   - Secure Network Analytics Virtual Flow Sensor
   - Secure Network Analytics Virtual UDP Director
   - Secure Network Analytics Virtual Data Store
2. Select Secure Network Analytics System Software.
3. In the Latest Release column, select 7.4.2 (or the version of 7.4.x that you
   are installing).
4. Download: Locate the ISO installation file. Click the Download icon or Add
   to Cart icon.
5. Repeat these instructions to download the files for each appliance type.
3a. Installing a Virtual Appliance using VMware vCenter (ISO)
Overview
Use the following instructions to install your virtual appliances using VMware
vCenter. To use an alternative method, refer to the following:
- VMware ESXi Stand-Alone Server: Use 3b. Installing a Virtual Appliance on an
  ESXi Stand-Alone Server (ISO).
- KVM: Use 3c. Installing a Virtual Appliance on a KVM Host (ISO).
Secure Network Analytics v7.4.2 is compatible with VMware 7.0 or 8.0. We do
not support VMware 6.0, 6.5, or 6.7 with Secure Network Analytics v7.4.x. For
more information, refer to VMware documentation for vSphere 6.0, 6.5, and 6.7
End of General Support.
Before You Begin
Before you begin the installation, complete the following preparation
procedures:
1. Compatibility: Review the compatibility requirements in Compatibility.
2. Resource Requirements: Review the Resource Requirements section to
   determine the required allocations for the appliance. You can use a resource
   pool or alternative method to allocate resources.
3. Firewall: Configure your firewall for communications. Refer to 1.
   Configuring Your Firewall for Communications.
4. Files: Download the appliance ISO files. Refer to 2. Downloading Virtual
   Edition Installation Files for instructions.
5. Time: Confirm the time set on the hypervisor host in your VMware environment
   (where you will be installing the virtual appliance) shows the correct time.
   Otherwise, the virtual appliances may not be able to boot up.
Do not install an untrusted physical or virtual machine on the same physical
cluster/system as your Secure Network Analytics appliances.
Do not install VMware Tools on a Secure Network Analytics virtual appliance
because it will override the custom version already installed. Doing so would
render the virtual appliance inoperable and require reinstallation.
Installing a Virtual Appliance Using vCenter (ISO)
If you have VMware vCenter (or similar), use the following instructions to
install a virtual appliance using the ISO. If you are deploying Data Nodes or
Flow Sensors, make sure you complete all required procedures.
Data Nodes
Complete the following procedures:
1. Configuring an Isolated LAN for inter-Data Node Communications.
3. Installing the Virtual Appliance. When you install the Data Node virtual
   appliance, you also need to install two network adapters.
Flow Sensors
Complete the following procedures:
2. Configuring the Flow Sensor to Monitor Traffic
3. Installing the Virtual Appliance
4. Defining Additional Monitoring Ports (Flow Sensors only)
All Other Appliances
If the appliance is not a Data Node or Flow Sensor, complete the following
procedure:
3. Installing the Virtual Appliance
Some of the menus and graphics may vary from the information shown here.
Please refer to your VMware guide for details related to the software.
1. Configuring an Isolated LAN for inter-Data Node Communications
If you are deploying Data Nodes Virtual Edition to your network, configure an
isolated LAN with a virtual switch so that the Data Nodes can communicate with
each other over eth1 for inter-Data Node communication. There are two options
for configuring switches:
- Configuring a vSphere Standard Switch
- Configuring a vSphere Distributed Switch
Configuring a vSphere Standard Switch
1. Log into your VMware host environment.
2. Follow the VMware Create a vSphere Standard Switch documentation for
   configuring a vSphere Standard Switch. Note that in step 4, you will want to
   choose the Virtual Machine Port Group for a Standard Switch option.
3. Go to 3. Installing the Virtual Appliance.
Configuring a vSphere Distributed Switch
1. Log into your VMware host environment.
2. Follow the VMware Create a vSphere Distributed Switch documentation for
   configuring a vSphere Distributed Switch. Note that for the number of uplinks
   in step 5a, there is a requirement of at least 1 uplink; however, it is not
   necessary to configure an uplink unless you are distributing the nodes across
   multiple hosts. If you need to distribute nodes across multiple hosts, contact
   Cisco Support for assistance.
3. Go to 3. Installing the Virtual Appliance.
2. Configuring the Flow Sensor to Monitor Traffic
The Flow Sensor Virtual Edition has the ability to provide visibility into
VMware environments, generating flow data for areas that are not flow-enabled.
As a virtual appliance installed inside each hypervisor host, the Flow Sensor
Virtual Edition passively captures Ethernet frames from the host vSwitch, and
it observes and creates flow records containing valuable session statistics
that pertain to conversational pairs, bit rates, and packet rates.
You will need to install a Flow Sensor on each host within the environment you
want to monitor.
Use the following instructions to configure the Flow Sensor Virtual Edition to
monitor traffic on a vSwitch as follows:
- Monitoring a vSwitch with Multiple Hosts
- Monitoring a vSwitch with a Single Host
Monitoring External Traffic with PCI Pass-Through
You can also configure your Flow Sensor Virtual Edition for direct network
monitoring using a compliant PCI pass-through.
- Requirements: igb/ixgbe compliant or e1000e compliant PCI pass-through.
- Resource Information: Refer to Flow Sensor Virtual Edition.
- Integration: Refer to 1. Configuring Your Firewall for Communications.
- Instructions: To add PCI network interfaces to the Flow Sensor Virtual
  Edition, refer to your VMware documentation.
Monitoring a vSwitch with Multiple Hosts
Use the instructions in this section to use the Flow Sensor Virtual Edition to
monitor traffic on a Distributed vSwitch that spans multiple VM hosts or
clusters. This section applies only to VDS networks. If your network is in a
non-VDS environment, go to Monitoring a vSwitch with a Single Host.
Configuration Requirements
You will need to install a Flow Sensor on each host within the environment you
want to monitor. This configuration has the following requirements:
- Distributed Virtual Port (dvPort): Add a dvPort group with the correct VLAN
  settings for each VDS that the Flow Sensor Virtual Edition will monitor. If
  the Flow Sensor Virtual Edition monitors both VLAN and non-VLAN traffic on the
  network, you need to create two dvPort groups, one for each type.
- VLAN Identifier: If your environment uses a VLAN (other than VLAN trunking or
  a private VLAN), you need the VLAN identifier to complete this procedure.
- Promiscuous Mode: Enabled.
- Promiscuous Port: Configured to the vSwitch.
Complete the following steps to configure the network using a VDS:
1. Click the Networking icon.
2. In the Networking tree, right-click the VDS.
3. Select Distributed Port Group > New Distributed Port Group.
4. Use the New Distributed Port Group dialog box to configure the port
   group, including the specifications in the following steps.
5. Select Name and Location: In the Name field, enter a name to identify this
dvPort group.
6. Configure Settings: In the Number of Ports field, enter the number of Flow
Sensor Virtual Editions in your cluster of hosts.
7. Click the VLAN type drop-down list.
   - If your environment doesn’t use a VLAN, select None.
   - If your environment uses a VLAN, select the VLAN type. Configure it as
     follows:

| VLAN Type | Detail |
|---|---|
| VLAN | In the VLAN ID field, enter the number (between 1 and 4094) that matches the identifier. |
| VLAN Trunking | In the VLAN trunk range field, enter 0-4094 to monitor all VLAN traffic. |
| Private VLAN | Select Promiscuous from the dropdown list. |

8. Ready to Complete: Review the configuration settings. Click Finish.
9. In the Networking tree, right-click the new dvPort group. Select Edit Settings.
10. Select Security.
11. Click the Promiscuous Mode drop-down list. Select Accept.
12. Click OK to close the dialog box.
13. Does the Flow Sensor Virtual Edition monitor both VLAN and non-VLAN network
    traffic?
    - If yes, repeat the steps in this section Monitoring a vSwitch with Multiple
      Hosts.
    - If no, continue to the next step.
14. Is there another VDS in the VMware environment that the Flow Sensor
    Virtual Edition will monitor?
    - If yes, repeat the steps in this section Monitoring a vSwitch with Multiple
      Hosts for the next VDS.
15. Go to 3. Installing the Virtual Appliance.
Monitoring a vSwitch with a Single Host
Use the instructions in this section to use the Flow Sensor Virtual Edition to
monitor traffic on a vSwitch with a single host.
This section applies only to non-VDS networks. If your network uses a VDS, go
to Monitoring a vSwitch with Multiple Hosts.
Configuration Requirements
This configuration has the following requirements:
- Promiscuous Port Group: Add a promiscuous port group for each virtual switch
  that the Flow Sensor Virtual Edition will be monitoring.
- Promiscuous Mode: Enabled.
- Promiscuous Port: Configured to the vSwitch.
Configure the Port Group to Promiscuous Mode
Use the following instructions to add a port group, or edit a port group, and
set it to Promiscuous.
1. Log in to your VMware ESXi host environment.
2. Click Networking.
3. Select the Port groups tab.
4. You can create a new port group or edit a port group.
   - Create Port Group: Click Add port group.
   - Edit Port Group: Select the port group. Click Edit Settings.
5. Use the dialog box to configure the port group. Configure the VLAN ID or
   VLAN Trunking:

| VLAN Type | Detail |
|---|---|
| VLAN ID | Use VLAN ID to specify a single VLAN. In the VLAN ID field, enter the number (between 1 and 4094) that matches the identifier. |
| VLAN Trunking | Use VLAN Trunking to monitor all VLAN traffic. The range defaults to 0-4095. |

6. Click the Security arrow.
7. Promiscuous Mode: Choose Accept.
8. Will the Flow Sensor Virtual Edition be monitoring another virtual switch
in this VMware environment?
If yes, go back to 2. Configuring the Flow Sensor to Monitor Traffic, and
repeat all the steps for the next virtual switch.
9. Go to 3. Installing the Virtual Appliance
3. Installing the Virtual Appliance
Use the following instructions to install a virtual appliance on your
hypervisor host and define the virtual appliance management and monitoring
ports.
Some of the menus and graphics may vary from the information shown here.
Please refer to your VMware guide for details related to the software.
1. Log in to your VMware Web Client.
2. Locate the virtual appliance software file (ISO) that you downloaded from
   Cisco Software Central.
3. Make the ISO available in vCenter. You have the following options:
   - Upload the ISO to a vCenter datastore.
   - Add the ISO to a content library.
   - Keep the ISO on your local workstation, and configure the deployment to
     reference that file. See the VMware documentation for more information.
4. From the vCenter UI, select Menu > Hosts and Clusters.
5. In the navigation pane, right click a cluster or host and select New Virtual
   Machine… to access the New Virtual Machine wizard.
6. From the Select a creation type window, select Create a new virtual machine,
   then click Next.
7. From the Select a name and folder window, enter a Virtual machine name,
select a location for the virtual machine, then click Next.
8. From the Select a compute resource window, select a cluster, host,
resource pool, or vApp to which you will deploy the appliance, then click
Next.
9. From the Select storage window, select a VM Storage Policy from the drop-down, then select a storage location, then click Next.
10. From the Select compatibility window, select a virtual machine version from the Compatible with drop-down, based on your current deployed ESXi version. For example, the following screenshot shows ESXi 7.0 and later because ESXi 7.0 is deployed. Click Next.
11. From the Select a guest OS screen, select the Linux Guest OS Family and the Debian GNU/Linux 11 (64-bit) Guest OS Version. Click Next.
12. From the Customize hardware window, configure the virtual hardware. Refer
to Resource Requirements for specific recommendations for your appliance type.
This step is critical for system performance. If you choose to deploy Cisco
Secure Network Analytics appliances without the required resources, you assume
the responsibility to closely monitor your appliance resource utilization and
increase resources as needed to ensure proper health and function of the
deployment.
In addition to the resource requirements, make sure the following settings are
selected:
- Click New Hard disk to expand the configuration options. Select Thick
  Provision Lazy Zeroed from the Disk Provisioning drop-down.
- Click New SCSI controller to expand the configuration options. Select LSI
  Logic SAS from the Change Type drop-down. If you do not select LSI Logic SAS,
  your virtual appliance may fail to properly deploy.
- In the New CD/DVD Drive field, select an ISO location based on where you
  have stored the ISO. Click New CD/DVD Drive to expand the configuration
  options. Check Connect At Power On.
- If the appliance is a Flow Sensor, and you are configuring 10 Gbps
  throughput for the NIC, click CPU to expand the configuration options.
  Configure all Cores per Socket so all CPUs are in one socket.
13. Data Nodes: If you are deploying a Data Node virtual appliance, also add
a second network adaptor.
Click Add New Device, then select Network Adapter and ensure the Adapter Type
is VMXNET3.
- For the first network adaptor, select a switch that will allow the Data Node Virtual Edition to communicate on a public network with other appliances.
- For the second network adaptor, select the switch that you created in 1. Configuring an Isolated LAN for inter-Data Node Communications that will allow the Data Node Virtual Edition to communicate on a private network with other Data Nodes.
Ensure that you properly assign the network adaptors and virtual switches for
every Data Node in your deployment as you deploy each Data Node.
14. From the Ready to complete window, review your settings, then click
Finish.
15. The deployment starts when you click the Power On icon. Monitor the
deployment progress in the Recent Tasks section. Make sure the deployment is
completed and shown in the Inventory tree before you go to the next steps.
16. Next Steps:
- Flow Sensors: If the appliance is a Flow Sensor and will be monitoring more than one virtual switch in the VMware environment, or more than one VDS in a cluster, continue with the next section 4. Defining Additional Monitoring Ports (Flow Sensors only).
- All Other Appliances: Repeat all of the procedures in this section 3. Installing the Virtual Appliance to deploy another virtual appliance.
17. If you have finished installing all virtual appliances in your system, go
to 4. Configuring Your Secure Network Analytics System.
4. Defining Additional Monitoring Ports (Flow Sensors only)
This procedure is required if the Flow Sensor Virtual Edition will be
monitoring more than one virtual switch in a VMware environment or more than
one VDS in a cluster.
If this is not the monitoring configuration for your Flow Sensor, you do not need to complete this procedure.
To add Flow Sensor Virtual Edition monitoring ports, complete the following steps:
1. In the Inventory tree, right-click the Flow Sensor Virtual Edition. Select Edit Settings.
2. Use the Edit Settings dialog box to configure the following specified settings.
3. Click Add New Device. Select Network Adapter.
4. Locate the new network adapter. Click the arrow to expand the menu, and configure the following:
- New Network: Select an unassigned promiscuous port group.
- Adapter Type: Select VMXNET 3.
- Status: Check the Connect at Power On check box.
5. After reviewing the settings, click OK.
6. Repeat this procedure to add another Ethernet adapter as needed.
7. Next Steps:
- Flow Sensors: To configure another Flow Sensor, go to 2. Configuring the Flow Sensor to Monitor Traffic.
- All Other Appliances: Repeat all of the procedures in this section 3. Installing the Virtual Appliance to deploy another virtual appliance.
- If you have completed installing all virtual appliances in your system, go to 4. Configuring Your Secure Network Analytics System.
3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO)
Overview
Use the following instructions to install your virtual appliances using a
VMware environment with an ESXi Stand-alone server.
Secure Network Analytics v7.4.2 is compatible with VMware v7.0 or 8.0. We do
not support VMware v6.0, v6.5, or v6.7 with Secure Network Analytics v7.4.x.
For more information, refer to VMware documentation for vSphere 6.0, 6.5, and
6.7 End of General Support.
To use an alternative method, refer to the following:
- VMware vCenter: Use 3a. Installing a Virtual Appliance using VMware vCenter (ISO).
- KVM: Use 3c. Installing a Virtual Appliance on a KVM Host (ISO).
Before You Begin
Before you begin the installation, complete the following preparation
procedures:
1. Compatibility: Review the compatibility requirements in Compatibility.
2. Resource Requirements: Review the Resource Requirements section to determine the required allocations for the appliance. You can use a resource pool or alternative method to allocate resources.
3. Firewall: Configure your firewall for communications. Refer to 1. Configuring Your Firewall for Communications.
4. Files: Download the appliance ISO files. Refer to 2. Downloading Virtual Edition Installation Files for instructions.
5. Time: Confirm the time set on the hypervisor host in your VMware environment (where you will be installing the virtual appliance) shows the correct time. Otherwise, the virtual appliances may not be able to boot up.
Do not install an untrusted physical or virtual machine on the same physical
cluster/system as your Secure Network Analytics appliances.
Do not install VMware Tools on a Secure Network Analytics virtual appliance
because it will override the custom version already installed. Doing so would
render the virtual appliance inoperable and require reinstallation.
Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO)
Use the following instructions to install your virtual appliances using a
VMware environment with an ESXi Stand-alone server.
Process Overview
Installing a virtual appliance involves completing the following procedures,
which are covered in this chapter:
1. Logging in to the VMware Web Client
2. Booting from the ISO
Data Nodes
If you are deploying Data Nodes, follow the instructions in the previous
section 1. Configuring an Isolated LAN for inter-Data Node Communications
before you complete the procedures in this section.
1. Logging in to the VMware Web Client
Some of the menus and graphics may vary from the information shown here.
Please refer to your VMware guide for details related to the software.
1. Log in to the VMware Web Client.
2. Click Create/Register a Virtual Machine.
3. Use the New Virtual Machine dialog box to configure the appliance as specified in the following steps.
4. Select Creation Type: Select Create a New Virtual Machine.
5. Select a Name and Guest OS: Enter or select the following:
- Name: Enter a name for the appliance so you can identify it easily.
- Compatibility: Select the version you are using (v7.0 or 8.0).
- Guest OS family: Linux.
- Guest OS version: Select Debian GNU/Linux 11 64-bit.
6. Select Storage: Select an accessible datastore. Review Resource
Requirements to confirm you have enough space.
Review Resource Requirements to allocate sufficient resources. This step is
critical for system performance.
If you choose to deploy Cisco Secure Network Analytics appliances without the
required resources, you assume the responsibility to closely monitor your
appliance resource utilization and increase resources as needed to ensure
proper health and function of the deployment.
7. Customize Settings: Enter or select your appliance requirements (refer to
Resource Requirements for details).
Make sure you select the following:
- SCSI Controller: LSI Logic SAS
- Network Adapter: Confirm the management address for the appliance.
- Hard Disk: Thick Provisioning Lazy Zeroed
If the appliance is a Flow Sensor, you can click Add Network Adapter to add another management or sensing interface.
If the appliance is a Flow Sensor, and you are configuring 10 Gbps throughput for the NIC, click CPU to expand the configuration options. Configure all CPUs in one socket.
If the appliance is a Data Node, add another network interface to allow inter-Data Node communications. Click Add Network Adapter.
- For the first network adaptor, select a switch that will allow the Data Node Virtual Edition to communicate on a public network with other appliances.
- For the second network adaptor, select the switch that you created in 1. Configuring an Isolated LAN for inter-Data Node Communications that will allow the Data Node Virtual Edition to communicate on a private network with other Data Nodes.
8. Click the arrow next to Network Adapter.
9. For the Adapter Type, select VMXnet3.
While Cisco supports the use of E1000 (1G dvSwitch), 1G PCI-passthrough, and
VMXNET 3 interfaces, Cisco strongly recommends that you use the VMXNET3
interface as it has been proven to provide the best network performance for
Cisco virtual appliances.
10. Review your configuration settings and confirm they are correct.
11. Click Finish. A virtual machine container is created.
2. Booting from the ISO
1. Open the VMware console.
2. Connect the ISO to the new virtual machine. Refer to the VMware guide for details.
3. Boot the virtual machine from the ISO. It runs the installer and reboots automatically.
4. Once the installation and reboot are completed, you will see the login prompt.
5. Disconnect the ISO from the virtual machine.
6. Repeat all of the procedures in 3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO) for the next virtual appliance.
7. Flow Sensors: If the appliance is a Flow Sensor, finish the setup using the previous sections of this manual:
- 2. Configuring the Flow Sensor to Monitor Traffic (use Monitoring a vSwitch with a Single Host)
- If the Flow Sensor will be monitoring more than one virtual switch in the VMware environment, or more than one VDS in a cluster, go to 4. Defining Additional Monitoring Ports (Flow Sensors only).
8. If you have completed installing all virtual appliances in your system, go to 4. Configuring Your Secure Network Analytics System.
3c. Installing a Virtual Appliance on a KVM Host (ISO)
Overview
Use the following instructions to install your virtual appliances using KVM
and Virtual Machine Manager. To use an alternative method, refer to the
following:
- VMware vCenter: Use 3a. Installing a Virtual Appliance using VMware vCenter (ISO).
- VMware ESXi Stand-Alone Server: Use 3b. Installing a Virtual Appliance on an ESXi Stand-Alone Server (ISO).
Linux KVM has been tested and validated on a number of KVM host versions.
Refer to KVM for a detailed list of the KVM components that we have tested and
validated for Secure Network Analytics versions 7.3.1 and above.
Before You Begin
Before you begin the installation, make sure you’ve completed the following
procedures:
1. Compatibility: Review the compatibility requirements in Compatibility.
2. Resource Requirements: Review the Resource Requirements section to determine the required allocations for the appliance. You can use a resource pool or alternative method to allocate resources.
3. Firewall: Configure your firewall for communications. Refer to 1. Configuring Your Firewall for Communications.
4. Files: Download the appliance ISO files and copy them to a folder on the KVM host. We use the following folder in the example provided in this section: var/lib/libvirt/image. Refer to 2. Downloading Virtual Edition Installation Files for instructions.
5. Time: Confirm the time set on the hypervisor host in your VMware environment (where you will be installing the virtual appliance) shows the correct time. Otherwise, the virtual appliances may not be able to boot up.
Do not install an untrusted physical or virtual machine on the same physical
cluster/system as your Secure Network Analytics appliances.
Installing a Virtual Appliance on a KVM Host (ISO)
If you have a KVM host, use the following instructions to install a virtual
appliance using the ISO.
Process Overview
Installing a virtual appliance involves completing the following procedures,
which are covered in this chapter:
Configuring an Isolated LAN for Data Nodes
1. Installing a Virtual Appliance on a KVM Host
2. Adding NIC (Data Node, Flow Sensor) and Promiscuous Port Monitoring on an
Open vSwitch (Flow Sensors Only)
Configuring an Isolated LAN for Data Nodes
If you are deploying Data Nodes Virtual Edition to your network, configure an
isolated LAN with a virtual switch so that the Data Nodes can communicate with
each other over eth1 for inter-Data Node communication. See your virtual
switch’s documentation for more information on creating an isolated LAN.
1. Installing a Virtual Appliance on a KVM Host
There are several methods to install a virtual machine on a KVM host using an
ISO file. The following steps give one example for installing a virtual
Manager through a GUI tool called Virtual Machine Manager running on an Ubuntu
box. You can use any compatible Linux distribution. For compatibility details,
refer to Compatibility.
Monitoring Traffic
The Flow Sensor Virtual Edition has the ability to provide visibility into KVM
environments, generating flow data for areas that are not flow-enabled. As a
virtual appliance installed inside each KVM host, the Flow Sensor Virtual
Edition passively captures Ethernet frames from traffic it observes and
creates flow records containing valuable session statistics that pertain to
conversational pairs, bit rates, and packet rates.
Configuration Requirements
This configuration has the following requirements:
- Promiscuous Mode: Enabled.
- Promiscuous Port: Configured to an open vSwitch.
We recommend that you use virt-manager 2.2.1 to install a virtual appliance on
a KVM host.
Installing a Virtual Appliance on a KVM Host
To install a virtual appliance, and enable the Flow Sensor Virtual Edition to
monitor traffic, complete the following steps:
1. Use Virtual Machine Manager to connect to the KVM Host and configure the
appliance as specified in the following steps.
2. Click File > New Virtual Machine.
3. Select QEMU/KVM for your connection, and then select Local install media
(ISO image or CDROM). Click Forward.
4. Click Browse to select the appliance image.
5. Select the ISO file. Click Choose Volume. Confirm the ISO file is
accessible by the KVM Host.
6. Deselect the “Automatically detect from the installation media/source”
checkbox. Under Choose an operating system type and version, begin typing
“Debian” and select the Debian 11 (debian 11) option that appears. Click
Forward.
7. Increase the Memory (RAM) and CPUs to the amount shown in the Resource
Requirements section. Review Resource Requirements to allocate sufficient
resources. This step is critical for system performance. If you choose to
deploy Cisco Secure Network Analytics appliances without the required
resources, you assume the responsibility to closely monitor your appliance
resource utilization and increase resources as needed to ensure proper health
and function of the deployment.
8. Select Create a disk image for the virtual machine.
9. Enter the data storage amount shown for the appliance in the Resource Requirements section. Click Forward.
Review Resource Requirements to allocate sufficient resources. This step is
critical for system performance.
If you choose to deploy Cisco Secure Network Analytics appliances without the
required resources, you assume the responsibility to closely monitor your
appliance resource utilization and increase resources as needed to ensure
proper health and function of the deployment.
10. Assign a Name for the virtual machine. This will be the display name, so
use a name that will help you find it later.
11. Check the Customize configuration before install check box.
12. In the Network selection drop-down box, select the applicable network and port group for installation.
Data Nodes: If this is a Data Node, select a network and port group that will
allow the Data Node to communicate on a public network with other appliances.
13. Click Finish. The configuration menu opens.
14. In the navigation pane, select NIC.
15. Under Virtual Network Interface, select e1000 in the Device model drop-down box. Click Apply.
16. Click VirtIO Disk 1.
17. In the Advanced Options drop-down list, select SCSI in the Disk bus drop-down box. Click Apply.
18. Do you need to add additional NICs for monitoring ports on the Flow Sensor Virtual Edition, or to enable inter-Data Node communications on a Data Node VE?
- If yes, go to 2. Adding NIC (Data Node, Flow Sensor) and Promiscuous Port Monitoring on an Open vSwitch (Flow Sensors Only).
- If no, go to the next step.
19. Click Begin Installation.
20. Go to 4. Configuring Your Secure Network Analytics System.
2. Adding NIC (Data Node, Flow Sensor) and Promiscuous Port Monitoring on an
Open vSwitch (Flow Sensors Only)
To add additional NICs for the Flow Sensor Virtual Edition monitoring ports or
Data Node Virtual Edition and to complete the installation, complete the
following steps:
1. In the Configuration Menu, click Add Hardware. The Add New Virtual
Hardware dialog box displays.
2. In the left navigation pane, click Network.
If this is a Data Node, select a network and port group that will allow the
Data Node to communicate on a public network with other appliances.
3. Flow Sensors: If this is a Flow Sensor, click the Portgroup drop-down list to select an unassigned promiscuous port group you want to monitor. Click the Device Model drop-down list to select e1000.
Data Nodes: If this is a Data Node, select a network source that will allow for inter-Data Node communication on an isolated LAN, using the configuration that you created in Configuring an Isolated LAN for Data Nodes.
4. Click Finish.
5. If you need to add another monitoring port, repeat these instructions.
6. After you have added all monitoring ports, click Begin Installation.
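A read-only check of the KVM settings chosen in the two procedures above, added here as an example and not part of Cisco's guide: it parses a libvirt domain definition (the XML that `virsh dumpxml` prints) and reports NICs whose device model is not e1000, hard disks not on the SCSI bus, a Data Node without two NICs on different network sources, and Flow Sensor monitoring NICs with no port group. The sample XML, the domain and network names, and the `check_domain` function are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `virsh dumpxml` output (all names made up).
SAMPLE_DATA_NODE_XML = """
<domain type='kvm'>
  <name>sna-datanode-01</name>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/sna-datanode-01.qcow2'/>
      <target dev='sda' bus='scsi'/>
    </disk>
    <disk type='file' device='cdrom'>
      <target dev='hda' bus='sata'/>
    </disk>
    <interface type='network'>
      <source network='mgmt-net' portgroup='public'/>
      <model type='e1000'/>
    </interface>
    <interface type='network'>
      <source network='datanode-isolated'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
"""


def _nic_source(nic):
    """Identify what a NIC attaches to (network or bridge name plus port group)."""
    src = nic.find("source")
    return tuple(sorted(src.attrib.items())) if src is not None else ()


def check_domain(xml_text, role):
    """Return a list of findings; an empty list means the settings match the guide.

    role is a hypothetical label: "data_node", "flow_sensor", or anything else.
    """
    root = ET.fromstring(xml_text)
    findings = []

    # Step 17: the appliance hard disk uses the SCSI disk bus (CD-ROM is skipped).
    disks = [d for d in root.findall("./devices/disk") if d.get("device") == "disk"]
    if not disks:
        findings.append("no hard disk defined")
    for disk in disks:
        target = disk.find("target")
        bus = target.get("bus") if target is not None else None
        if bus != "scsi":
            findings.append(f"disk bus is {bus!r}, expected 'scsi'")

    # Step 15 and the added-NIC procedure: every NIC uses the e1000 device model.
    nics = root.findall("./devices/interface")
    for index, nic in enumerate(nics):
        model = nic.find("model")
        mtype = model.get("type") if model is not None else None
        if mtype != "e1000":
            findings.append(f"NIC {index} device model is {mtype!r}, expected 'e1000'")

    if role == "data_node":
        # Data Nodes need a public-facing NIC plus one on the isolated LAN.
        if len(nics) < 2:
            findings.append("Data Node needs a second NIC for the isolated LAN")
        elif _nic_source(nics[0]) == _nic_source(nics[1]):
            findings.append("both Data Node NICs attach to the same network source")
    elif role == "flow_sensor":
        # Monitoring NICs (every NIC after the first) must name a port group.
        for index, nic in enumerate(nics[1:], start=1):
            if "portgroup" not in dict(_nic_source(nic)):
                findings.append(f"monitoring NIC {index} has no port group selected")
    return findings


if __name__ == "__main__":
    for finding in check_domain(SAMPLE_DATA_NODE_XML, "data_node"):
        print("FINDING:", finding)
```

The sample deliberately leaves the second NIC on virtio, so the check reports exactly one finding for it.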
4. Configuring Your Secure Network Analytics System
If you’ve finished installing your Virtual Edition appliances and/or hardware
appliances, you are ready to configure Secure Network Analytics into a managed
system.
To configure Secure Network Analytics, follow the instructions in the Secure
Network Analytics System Configuration Guide v7.4.2. This step is critical for
the successful configuration and communication of your system.
Make sure you configure your appliances in the order specified in the System
Configuration Guide.
System Configuration Requirements
Make sure you have access to the appliance console through the hypervisor host
(virtual machine host). Use the following table to prepare the required
information for each appliance.
| Configuration Requirement | Details | Appliance |
| --- | --- | --- |
| IP Address | Assign a routable IP address to the eth0 management port. | |
| Netmask | | |
| Gateway | | |
| Host Name | A unique host name is required for each appliance. We cannot configure an appliance with the same host name as another appliance. Also, make sure each appliance host name meets the Internet standard requirements for Internet hosts. | |
| Domain Name | A fully qualified domain name is required for each appliance. We cannot install an appliance with an empty domain. | |
| DNS Servers | Internal DNS server for name resolution | |
| NTP Servers | Internal Time server for synchronization between servers. At least 1 NTP server is required for each appliance. Remove the 130.126.24.53 NTP server if it is in your list of servers. This server is known to be problematic and it is no longer supported in our default list of NTP servers. | |
| Mail Relay Server | SMTP Mail server to send alerts and notifications | |
| Flow Collector Export Port | Required for Flow Collectors only. NetFlow Default: 2055 | |
| Non-routable IP Address within a private LAN or VLAN (for inter-Data Node communication) | Required for Data Nodes only. Hardware: eth2 or bond of eth2 and eth3. Creating an LACP eth2/eth3 bonded port channel for up to 20G throughput enables faster communication between and among Data Nodes, and quicker Data Node addition or replacement to the Data Store. Note that LACP port bonding is the only bonding option available for hardware Data Nodes. Virtual: eth1. IP Address: You can use the provided IP address or enter a value that meets the following requirements for inter-Data Node communications: non-routable IP address from the 169.254.42.0/24 CIDR block, between 169.254.42.2 and 169.254.42.254; First Three Octets: 169.254.42; Subnet: /24; Sequential: for ease of maintenance, select sequential IP addresses (such as 169.254.42.10, 169.254.42.11, and 169.254.42.12). Netmask: The Netmask is hard coded to 255.255.255.0 and cannot be modified. | |
| eth0 Hardware Connection Port | Required for Secure Network Analytics with Data Store hardware appliances only: Manager, Flow Collector, Data Nodes. eth0 Hardware Connection Port Options: SFP+: | |
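A pre-flight check for the worksheet above, added here as an example and not part of Cisco's guide: it validates a planned set of appliances against the table's stated requirements (unique host names, non-empty domain, at least one NTP server and no 130.126.24.53, Data Node eth1 addresses between 169.254.42.2 and 169.254.42.254). The dictionary field names, the sample values and the reading of "Internet standard requirements" as RFC 952/1123 host labels are assumptions.

```python
import ipaddress
import re

BAD_NTP = "130.126.24.53"  # the server the table says to remove
DN_FIRST = ipaddress.ip_address("169.254.42.2")
DN_LAST = ipaddress.ip_address("169.254.42.254")
# Assumption: host names are checked as RFC 952/1123 labels
# (letters, digits, hyphens; no leading or trailing hyphen; 1 to 63 characters).
LABEL = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Constructed sample plan; the third entry is deliberately wrong in four ways.
SAMPLE_PLAN = [
    {"type": "manager", "host_name": "sna-mgr", "domain_name": "corp.example",
     "eth0_ip": "10.20.0.10", "ntp_servers": ["10.20.0.1"]},
    {"type": "data_node", "host_name": "sna-dn1", "domain_name": "corp.example",
     "eth0_ip": "10.20.0.21", "ntp_servers": ["10.20.0.1"],
     "eth1_ip": "169.254.42.10"},
    {"type": "data_node", "host_name": "sna-dn1", "domain_name": "",
     "eth0_ip": "10.20.0.22", "ntp_servers": ["10.20.0.1", "130.126.24.53"],
     "eth1_ip": "169.254.42.1"},
]


def validate_worksheet(appliances):
    """Return (host_name, problem) tuples for a list of appliance dicts."""
    problems = []
    seen_hosts, seen_eth1 = set(), set()
    for entry in appliances:
        host = entry.get("host_name", "")

        def bad(message, host=host):
            problems.append((host, message))

        # Host Name row: valid label, and unique across the deployment.
        if not LABEL.match(host):
            bad("host name is not a valid Internet host label")
        if host.lower() in seen_hosts:
            bad("host name duplicates another appliance")
        seen_hosts.add(host.lower())

        # Domain Name row: an empty domain is not accepted.
        domain = entry.get("domain_name", "")
        if not domain:
            bad("domain name is empty")
        elif not all(LABEL.match(part) for part in domain.split(".")):
            bad("domain name contains an invalid label")

        # IP Address row: eth0 must at least parse as an address.
        try:
            ipaddress.ip_address(entry.get("eth0_ip", ""))
        except ValueError:
            bad("eth0 IP address is not valid")

        # NTP Servers row: at least one server, and not the unsupported one.
        ntp = entry.get("ntp_servers", [])
        if not ntp:
            bad("at least 1 NTP server is required")
        if BAD_NTP in ntp:
            bad(f"remove NTP server {BAD_NTP}")

        # Inter-Data Node row (virtual Data Nodes use eth1).
        if entry.get("type") == "data_node":
            try:
                eth1 = ipaddress.ip_address(entry.get("eth1_ip", ""))
            except ValueError:
                bad("eth1 IP address is not valid")
                continue
            if eth1.version != 4 or not (DN_FIRST <= eth1 <= DN_LAST):
                bad(f"eth1 {eth1} is outside {DN_FIRST} to {DN_LAST}")
            if eth1 in seen_eth1:
                bad(f"eth1 {eth1} duplicates another Data Node")
            seen_eth1.add(eth1)
    return problems


if __name__ == "__main__":
    for host, problem in validate_worksheet(SAMPLE_PLAN):
        print(f"{host}: {problem}")
```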
SNA Contacting Support
If you need technical support, please do one of the following:
- Contact your local Cisco Partner
- Contact Cisco Support
- To open a case by web: http://www.cisco.com/c/en/us/support/index.html
- To open a case by email: tac@cisco.com
- For phone support: 1-800-553-2447 (U.S.)
- For worldwide support numbers: https://www.cisco.com/c/en/us/support/web/tsd-cisco-worldwide-contacts.html
Copyright Information
Cisco and the Cisco logo are trademarks or registered trademarks of Cisco
and/or its affiliates in the U.S. and other countries. To view a list of Cisco
trademarks, go to this URL: https://www.cisco.com/go/trademarks. Third-party
trademarks mentioned are the property of their respective owners. The use of
the word partner does not imply a partnership relationship between Cisco and
any other company. (1721R)
Change History
| Document Version | Published Date | Description |
| --- | --- | --- |
| 1_0 | February 27, 2023 | Initial version. |
| 1_1 | March 27, 2023 | Updated the Communication Ports and Protocols table. |
| 1_2 | March 27, 2023 | Corrected a typo. |
| 1_3 | April 20, 2023 | Improved descriptions of VMware support. Removed “Supported Hardware Metrics” table as this is a virtual guide. Improved descriptions of KVM host version support. |
| 1_4 | August 15, 2023 | Changed memory resource note from GB to GiB. |
| 1_5 | April 27, 2023 | Added support for VMware 8.0. Revised Deployment recommendations. |