
Cisco dCloud

Cisco SNA 7.4.1 Field Engineer Training Lab v1


Last Updated: 14-November-2022

About This Lab


The goal of this hands-on lab is to provide a Field Engineer the skills and methodology required to successfully install and
configure SNA. By completing the included lab scenarios, you will deploy several SNA appliances in a simulated customer
environment. The scenarios will walk you through the process of initial configuration of the appliances within the solution, as well
as integrating them into the customer environment. This lab will give you the ability to become familiar with the installation of SNA
prior to going onsite at a customer.

These scenarios and associated dCloud lab environment utilize virtual models of the SNA Management Console (SMC), Flow
Collector (FC), Flow Sensor (FS), Data Node (DN), and Cisco Telemetry Broker. At the end of the training lab, your “customer” will
have a fully functional SNA environment. Alarm tuning is not in scope for this training lab, although Response Management and
SNA System Alarms are covered as it is required during a typical initial SNA implementation.

The included series of lab scenarios is designed to be completed over two consecutive days. It is possible to perform all lab
activities in a single day as long as all lab steps are followed as instructed.

Day 1 Lab Scenarios: 1-10

Day 2 Lab Scenarios: 11-20

© 2022 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information. Page 1 of 257
This SNA training includes the following Lab Scenarios:

About This Lab 1


Scenario 1. First Time Setup – Appliance Console 5
Scenario 2. Appliance Setup Tool 25
Scenario 3. Data store config 64
Scenario 4. Appliance Post-Install Configuration & Verification 78
Scenario 5. Additional Manager and Central Management Configuration 102
Scenario 6. Configure Host Groups 118
Scenario 7. Cisco Router NetFlow Configuration and Validation 131
Scenario 8. Cisco Router ETA Configuration and Validation 140
Scenario 9. Custom Security Events 152
Scenario 10. Verify Flow Data and Exporters 159
Scenario 11. Classification of Customer Environment 171
Scenario 12. Classification of Undefined Applications and Services 188
Scenario 13. Cisco ISE Integration (Identity Services Engine) 199
Scenario 14. Configure the AD LDAP Lookup Feature 216
Scenario 15. Creating a Report 221
Scenario 16. Response Management 228
Scenario 17. Configure Appliance SNMP Agent 243
Scenario 18. Determine Estimated Datastore Storage Capacity 247
Scenario 19. Create Configuration Backups 250
Scenario 20. SNA Patching – Central Management 253

Resources
For more information:

• Cisco SNA Tech Talk Sessions: https://communities.cisco.com/docs/DOC-30977

o Prerequisite instructional requirement for this Lab

• Visit the Cisco dCloud help page: https://dcloud-cms.cisco.com/help

• Access all available Cisco dCloud content: https://dcloud.cisco.com

• dCloud Contact Us: https://dcloud-cms.cisco.com/help/contact-us-security

Topology
All lab scenario content utilizes a dedicated SNA Manager (SMC), a Flow Collector (FC), Cisco Telemetry Broker, and a Flow
Sensor (FS) appliance. Various scenarios throughout the course will make use of additional systems as necessary.

Scenario 1. First Time Setup – Appliance Console


You will be connecting to the Virtual Machine console of the SNA appliances to complete the First Time Setup process. This
should be completed prior to running the AST so that all networking configuration can be completed and the appliances will be
available to administer over HTTPS. The dCloud lab environment allows you to connect with the actual VM console of the virtual
machine. This would be similar to having access to VMware vCenter, the KVM administration console, or the KVM (keyboard,
video, mouse).

The steps in this lab will be performed from the dCloud page showing the diagram of the lab.

NOTE: Some of the network configuration of the appliances has already been completed due to the nature of the lab. In a
customer environment all network values would need to be entered manually.

SNA Management Console


1. Locate the SMC object on the lab topology diagram and click the arrow to show the grey balloon window.

2. Click VM Console

3. A new browser window will open on your computer showing the console of the appliance.

NOTE: You may need to use your mouse cursor to click in the console window and press the Enter key to have the login
prompt appear. If there are any boot error messages, please disregard.

4. At the login prompt, enter the following credentials and log in:

a. User: root

b. Password: lan1cope

5. After logging in, type the command SystemConfig and press Enter.

6. Press Enter on the Login Information screen.

7. Press Enter on the First Time Setup screen

8. You will be prompted to enter the network configuration for the appliance. Use the following values, and use the arrow
keys on your keyboard to navigate between the fields.

a. IP Address: 198.19.20.136

b. Netmask: 255.255.255.0

c. Gateway: 198.19.20.1

d. Broadcast: 198.19.20.255

e. Host Name: smc

f. Domain: dcloud.cisco.com

9. Once the values have been entered correctly, use the arrow keys on your keyboard to navigate to the OK button and
press Enter.

10. Verify that the settings are correct and choose YES.

11. The appliance will begin to process the change. This may take a few moments.

12. The First Time Setup completion screen is now displayed. Choose OK and the appliance will restart.

13. You may continue with the next section of the lab.

Datastore Node
14. Locate the Datastore object on the lab topology diagram and click the arrow to show the grey balloon window.

15. Click VM Console

16. A new browser window will open on your computer showing the console of the appliance.

NOTE: You may need to use your mouse cursor to click in the console window and press the Enter key to have the login
prompt appear. If there are any boot error messages, please disregard.

17. At the login prompt, enter the following credentials and log in:

a. User: root

b. Password: lan1cope

18. After logging in, type the command SystemConfig and press Enter.

19. Press Enter on the Login Information screen.

20. Press Enter on the First Time Setup screen

21. You will be prompted to enter the network configuration for the appliance. Use the following values, and use the arrow
keys on your keyboard to navigate between the fields.

a. IP Address: 198.19.20.101

b. Netmask: 255.255.255.0

c. Gateway: 198.19.20.1

d. Broadcast: 198.19.20.255

e. Host Name: datastore

f. Domain: dcloud.cisco.com

22. Once the values have been entered correctly, use the arrow keys on your keyboard to navigate to the OK button and
press Enter.

23. Verify that the settings are correct and choose YES.

NOTE: The datastore appliance has some unique settings in the First Time Setup screen. You have just configured the
management interface but you must also configure a second network interface for the inter-Data Node communication
(communication with other data nodes). This is required even if there is only one datastore appliance.

24. Choose OK when prompted for the inter-Data Node communication IP address.

25. Choose Yes when prompted to verify the settings.

26. The appliance will begin to process the change. This may take a few moments.

27. The First Time Setup completion screen is now displayed. Choose OK and the appliance will restart.

28. You may continue with the next section of the lab.

Flow Collector
29. Locate the FC object on the lab topology diagram and click the arrow to show the grey balloon window.

30. Click VM Console

31. A new browser window will open on your computer showing the console of the appliance.

NOTE: You may need to use your mouse cursor to click in the console window and press the Enter key to have the login
prompt appear. If there are any boot error messages, please disregard.

32. At the login prompt, enter the following credentials and log in:

a. User: root

b. Password: lan1cope

33. After logging in, type the command SystemConfig and press Enter.

34. Press Enter on the Login Information screen.

35. Press Enter on the First Time Setup screen

36. You will now be prompted whether this Flow Collector appliance will participate in an SNA domain with a datastore node
or in a domain without datastores. This does not make the Flow Collector into a datastore; it changes the Flow Collector's
behavior so that it sends its data to the datastore node rather than storing it locally in its own database on disk.

a. Choose Yes and hit Enter

37. Hit Enter to continue

38. Ensure that all telemetry options are selected (they have the asterisk * in the field), choose OK and then hit Enter.

39. Configure the ports for the telemetry types as shown below

a. Netflow: 2055

b. Network Visibility Module: 2030

c. Firewall Logs: 8514

40. Verify your settings are correct, choose Yes, and hit Enter.

41. You will be prompted to enter the network configuration for the appliance. Use the following values, and use the arrow
keys on your keyboard to navigate between the fields.

a. IP Address: 198.19.20.137

b. Netmask: 255.255.255.0

c. Gateway: 198.19.20.1

d. Broadcast: 198.19.20.255

e. Host Name: fcnf

f. Domain: dcloud.cisco.com

42. Once the values have been entered correctly, use the arrow keys on your keyboard to navigate to the OK button and
press Enter.

43. Verify that the settings are correct and choose YES.

44. The appliance will begin to process the change. This may take a few moments.

45. The First Time Setup completion screen is now displayed. Choose OK and the appliance will restart.

46. You may continue with the next section of the lab.

Flow Sensor
47. Locate the FS object on the lab topology diagram and click the arrow to show the grey balloon window.

48. Click VM Console

49. A new browser window will open on your computer showing the console of the appliance.

NOTE: You may need to use your mouse cursor to click in the console window and press the Enter key to have the login
prompt appear. If there are any boot error messages, please disregard.

50. At the login prompt, enter the following credentials and log in:

a. User: root

b. Password: lan1cope

51. After logging in, type the command SystemConfig and press Enter.

52. Press Enter on the Login Information screen.

53. Press Enter on the First Time Setup screen

54. You will be prompted to enter the network configuration for the appliance. Use the following values, and use the arrow
keys on your keyboard to navigate between the fields.

a. IP Address: 198.19.20.138

b. Netmask: 255.255.255.0

c. Gateway: 198.19.20.1

d. Broadcast: 198.19.20.255

e. Host Name: fs

f. Domain: dcloud.cisco.com

55. Once the values have been entered correctly, use the arrow keys on your keyboard to navigate to the OK button and
press Enter.

56. Verify that the settings are correct and choose YES.

57. The appliance will begin to process the change. This may take a few moments.

58. The First Time Setup completion screen is now displayed. Choose OK and the appliance will restart.

59. You may continue with the next section of the lab.

Scenario Summary
You have completed the First Time Setup configuration for the SNA Manager, Datastore Node, Flow Collector, and Flow Sensor
through their VM console/KVM console. This has configured the network settings for the appliances to be able to be administered
over the network. You may now continue the setup of the appliances by accessing them through a web browser and running the
Appliance Setup Tool (AST).
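Before typing network values into SystemConfig on four appliances, it is worth checking that the address plan is internally consistent: every IP must fall inside the subnet its netmask defines, the gateway must be on-link and distinct from the appliance, the broadcast must match the subnet, host names and addresses must be unique, and the Flow Collector telemetry ports must be distinct, valid ports. The following Python script is an added example, not part of the lab guide or the SNA product; the address values are the lab values from this scenario, while the `ApplianceNet` class, `validate_appliance` and `validate_plan` are names chosen for this example.

```python
"""Sanity-check First Time Setup network values before entering them in
SystemConfig. Added example: ApplianceNet, validate_appliance and
validate_plan are not part of the SNA product or the lab guide."""
import ipaddress
import re
from dataclasses import dataclass, field

HOSTNAME_RE = re.compile(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?")


@dataclass
class ApplianceNet:
    host: str
    ip: str
    netmask: str
    gateway: str
    broadcast: str
    domain: str = "dcloud.cisco.com"
    # Flow Collector only: telemetry type -> UDP port entered in First Time Setup
    telemetry_ports: dict = field(default_factory=dict)


# Values from Scenario 1 of the lab guide.
LAB_PLAN = [
    ApplianceNet("smc", "198.19.20.136", "255.255.255.0", "198.19.20.1", "198.19.20.255"),
    ApplianceNet("datastore", "198.19.20.101", "255.255.255.0", "198.19.20.1", "198.19.20.255"),
    ApplianceNet("fcnf", "198.19.20.137", "255.255.255.0", "198.19.20.1", "198.19.20.255",
                 telemetry_ports={"NetFlow": 2055,
                                  "Network Visibility Module": 2030,
                                  "Firewall Logs": 8514}),
    ApplianceNet("fs", "198.19.20.138", "255.255.255.0", "198.19.20.1", "198.19.20.255"),
]


def validate_appliance(a: ApplianceNet) -> list:
    """Return the problems found in one appliance's values (empty list if none)."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{a.ip}/{a.netmask}")
        gateway = ipaddress.IPv4Address(a.gateway)
        broadcast = ipaddress.IPv4Address(a.broadcast)
    except ValueError as exc:
        return [f"{a.host}: unparseable address or mask ({exc})"]

    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{a.host}: {iface.ip} is the network or broadcast address of {net}")
    if gateway not in net:
        problems.append(f"{a.host}: gateway {gateway} is not on-link in {net}")
    elif gateway == iface.ip:
        problems.append(f"{a.host}: gateway equals the appliance address {iface.ip}")
    if broadcast != net.broadcast_address:
        problems.append(f"{a.host}: broadcast {broadcast} should be {net.broadcast_address} for {net}")
    if not HOSTNAME_RE.fullmatch(a.host):
        problems.append(f"{a.host}: host name must be lower-case letters, digits and hyphens")
    # Telemetry ports (Flow Collector): each type needs its own valid port.
    if len(set(a.telemetry_ports.values())) != len(a.telemetry_ports):
        problems.append(f"{a.host}: two telemetry types share a port")
    for name, port in a.telemetry_ports.items():
        if not 1 <= port <= 65535:
            problems.append(f"{a.host}: port {port} for {name} is out of range")
    return problems


def validate_plan(plan) -> list:
    """Per-appliance checks plus cross-appliance uniqueness of IPs and FQDNs."""
    problems = []
    for a in plan:
        problems.extend(validate_appliance(a))
    ips = [a.ip for a in plan]
    for ip in sorted(set(ips)):
        if ips.count(ip) > 1:
            problems.append(f"duplicate management IP {ip}")
    fqdns = [f"{a.host}.{a.domain}" for a in plan]
    for name in sorted(set(fqdns)):
        if fqdns.count(name) > 1:
            problems.append(f"duplicate host name {name}")
    return problems


if __name__ == "__main__":
    issues = validate_plan(LAB_PLAN)
    print("plan OK" if not issues else "\n".join(issues))
```

Run it once with the lab values (it should report `plan OK`) and again after editing `LAB_PLAN` to the customer's addresses; a wrong broadcast or off-link gateway, the two mistakes most often typed into the console screen, is reported before the appliance restarts with it.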

Scenario 2. Appliance Setup Tool


The SNA appliances have already had their management IP addresses assigned and configured by the customer datacenter team
when the Virtual Machines were deployed. You will now access the customer virtual appliances via their individual management IP
addresses from the Workstation 1 (WKST1) located within your dCloud session. You will connect to WKST1 via a dCloud remote
desktop session (web browser or VPN) to complete the Appliance Setup Tool (AST) on each SNA Virtual appliance, as well as to
complete all remaining labs throughout the course.

NOTE: Even though the AST process is very similar for each of the appliances, you must complete all steps on each appliance for
them to work correctly prior to moving forward with the remaining configuration steps and labs.

Most customers will have their internal staff be responsible for the physical installation of appliances or the provisioning of virtual
appliances. You will likely need to be involved in assisting those efforts of your customer by providing product documentation and
guidance related to SNA physical and virtual appliance installation processes. You may also be called on to assist with the initial IP
configuration process. If necessary, refer to the SNA Documentation and Fire Jumper Tech Talks Sessions identified in the
Resources section of this document for more detailed information on the System Configuration Utility and configuring IP
addresses on each of the appliances.

Completion of the Appliance Setup Tool (AST) will configure the appliances to be able to communicate with the rest of the SNA
deployment within the customer environment. You will complete the AST on the appliances in the following order:

1. SNA Management Console (SMC)

2. Datastore Node (DS)

3. Flow Collector (FC)

4. Flow Sensor (FS)

NOTE: This is the install order as of v7.4.1. Ensure that the Manager is configured and accessible prior to moving forward as this
appliance will host Central Management for the appliances.

SNA Management Console


1. Ensure you are using a dCloud remote desktop session of the WKST1 system within your dCloud session. Click on
WKST1, and then click Remote Desktop. A remote desktop session should open within your current web browser.

a. NOTE: As an alternative to Web-based remote desktop, you can also use a native RDP client via a VPN tunnel
using Cisco AnyConnect. While more complicated to set up initially, it can provide you better control over screen
resolution and screen size of the remote system.

2. Open the Chrome web browser using the shortcut located on the desktop of WKST1.

3. Access the SMC web interface by selecting the Appliances bookmark folder in Chrome and then selecting the SMC
(Web UI) bookmark.

a. By default, SNA appliances use a self-signed certificate that is not trusted and will generate browser security
warnings. If presented with a browser security warning in Chrome, click the Advanced button, and then select
the Proceed link to open the login page.

4. Log in to the appliance using the SNA default user name of admin, and the default password of lan411cope. Click Sign
In to proceed.

a. User Name: admin

b. Password: lan411cope

5. A Welcome admin page should appear, click OK.

6. The AST Welcome Page displays. Click Continue to proceed.

7. The Change Default Password screen is now displayed. You are now prompted to change the Default Passwords for
admin, root, and sysadmin. Pay close attention to the current passwords for each account as you complete the
following steps. It may take a few seconds to load completely.

a. ADMIN is already selected. Enter the following information then click Next:

i. Current Password: lan411cope

ii. New Password: C1sco12345

iii. Confirm New Password: C1sco12345

b. ROOT is now selected. Enter the following information then click Next:

i. Current Password: lan1cope

ii. New Password: C1sco12345

iii. Confirm New Password: C1sco12345

c. SYSADMIN is now selected. Enter the following information then click Next:

i. Current Password: lan1cope

ii. New Password: C1sco12345

iii. Confirm New Password: C1sco12345

8. The Management Network Interface screen will now display. No changes are needed as you have verified that all the
settings are correct. Click Next to proceed.

9. The Host Name and Domains screen will now display. Enter the following values and then click Next.

a. Host Name: smc

b. Network Domain: dcloud.cisco.com

c. Manager Domain: FETRAINING

d. Manager Domain Type: Data Store

e. IP Address Ranges: leave as default at this time

10. The DNS Settings screen is displayed. We will now add the necessary DNS servers to our environment.

NOTE: Pay very close attention to the IP Addressing scheme used in dCloud. It is 198.x not 192.x.

a. To add the first DNS Server, click the + icon

i. Enter 198.19.20.10

b. To add the second DNS Server, click the + icon

i. Enter 198.19.20.134

c. Once both DNS entries are listed, click Next to continue

11. The NTP Settings screen displays. We will now enter correct NTP settings for our environment.

a. Check the Delete checkboxes in front of all 3 default NTP entries and then click the – button

i. All entries should have been removed

b. Click the + button

i. Enter 198.18.128.1 in the new NTP entry field

ii. You should now only have a single entry for 198.18.128.1

c. Once only the single NTP entry remains, click Next.

12. The Review Your Settings screen is now displayed. If any values need to be edited before applying the configuration to
the appliance, you have the opportunity to do so now by clicking Cancel and making the needed changes. No changes
are required in our case. Click Restart and Proceed.

13. When prompted for the appliance restart, press OK in order to confirm the restart.

14. Allow the SMC to complete the reboot and startup sequence. It may take several minutes for the appliance web
interface to come online; try refreshing the SMC page after approximately 3 minutes.

15. When the login screen for the SMC appears, authenticate using admin \ C1sco12345

16. The SMC AST page appears. Click Continue.

17. You will now register the SMC appliance with the Central Management component running on the SMC. Confirm that the
IP address is 198.19.20.136 and click Save.

18. You have finished the AST for the SMC. Click Go to Dashboard.

19. You will now see the Security Insight Dashboard.

20. Click the Gear icon in the top right of the screen and select Central Management.

21. Central Management shows that the SMC appliance has successfully registered and has a status of Up. You may now
proceed with completing the AST on the other appliances.

Datastore Node
1. Open another Chrome web browser, or an additional tab within Chrome.

2. In the address bar, type https://198.19.20.101 and press Enter.

3. By default, SNA appliances use a self-signed certificate that is not trusted and will generate browser security warnings. If
presented with a browser security warning in Chrome, click the Advanced button, and then select the Proceed …
(unsafe) link to proceed to the appliance administration page.

4. Log in to the appliance using the default SNA username of admin, and the default password of lan411cope.

a. Username: admin

b. Password: lan411cope

5. Click Ok on the Welcome popup that appears.

6. The AST Welcome Page will now display. Click Continue.

7. The Change Default Passwords screen will now display. As of version 7.x, you need to set the passwords for admin,
root, and sysadmin prior to proceeding. Pay attention to the default passwords in the following configuration steps as they
vary.

a. ADMIN is already selected. Enter the following information and then click Next:

i. Current Password: lan411cope

ii. New Password: C1sco12345

iii. Confirm New Password: C1sco12345

b. ROOT is now selected. Enter the following information and then click Next:

i. Current Password: lan1cope

ii. New Password: C1sco12345

iii. Confirm New Password: C1sco12345

c. SYSADMIN is now selected. Enter the following information and then click Next:

i. Current Password: lan1cope

ii. New Password: C1sco12345

iii. Confirm New Password: C1sco12345

8. The Management Network Interface screen will now display. No changes are needed as you have verified that all the
settings are correct. Click Next to proceed.

9. The Host Name and Domains screen is displayed. Enter the following information and then click Next to proceed.

a. Host Name: datastore

b. Network Domain: dcloud.cisco.com

10. The DNS Settings screen is displayed. We will now add the necessary DNS servers to our environment.

NOTE: Pay very close attention to the IP Addressing scheme used in dCloud. It is 198.x not 192.x.

a. To add the first DNS Server, Click the + icon

i. Enter 198.19.20.10

b. To Add the second DNS Server, Click the + icon

i. Enter 198.19.20.134

c. Once both DNS entries are listed, click Next to continue

11. The NTP Settings screen displays. We will now enter correct NTP settings for our environment.

a. Check the Delete checkboxes in front of all 3 default NTP entries and then click the – button

i. All entries should have been removed

b. Click the + button

i. Enter 198.18.128.1 in the new NTP entry field

ii. You should now only have a single entry for 198.18.128.1

c. Once only the single NTP entry remains, click Next.

12. The Review and Restart page is displayed. Click Restart and Proceed.

13. Click OK to confirm the restart of the Datastore appliance.

14. Please be patient while the appliance restarts. Wait a minute or two, then attempt to reload the web page.

a. Continue to reload the page until you are presented with the Certificate Warning page. Click the Advanced
button, then the Proceed link.

b. Login to the appliance as admin \ C1sco12345. Then click Ok on the Welcome page.

15. Click Continue on the AST page that appears.

16. The Central Management Settings page displays. Enter 198.19.20.136 in the IP Address Field and then click Save.

17. An Add Trust Certificate page will display. Click Yes to trust the SMC Certificate. (Your screen may show a different
Fingerprint value. This is OK, please proceed.)

18. You are now prompted to enter your Manager (SMC) Administration credentials. Click Next when done.

a. User ID: admin

b. Password: C1sco12345

19. The Appliance Setup Complete screen will eventually display. Click Go to Central Management.

20. You are directed to the SNA Central Management page on the SMC. You should see both currently configured SNA
appliances. Notice the Appliance Status for each appliance.

21. You may proceed with the next step in the lab.

Flow Collector
22. Open another Chrome web browser, or an additional tab within Chrome.

23. Access the Flow Collector web interface by selecting the Appliances bookmark folder in Chrome and then selecting the
FCNF bookmark.

24. By default, SNA appliances use a self-signed certificate that is not trusted and will generate browser security warnings. If
presented with a browser security warning in Chrome, click the Advanced button, and then select the Proceed …
(unsafe) link to proceed to the appliance administration page.

25. Log in to the appliance using the default SNA username of admin, and the default password of lan411cope.

a. Username: admin

b. Password: lan411cope

26. Click Ok on the Welcome popup that appears.

27. The AST Welcome Page will now display. Click Continue.

28. The Change Default Passwords screen will now display. As of version 7.x, you need to set the passwords for admin,
root, and sysadmin prior to proceeding. Pay attention to the default passwords in the following configuration steps as they
vary.

a. ADMIN is already selected. Enter the following information and then click Next:

i. Current Password: lan411cope

ii. New Password: C1sco12345

iii. Confirm New Password: C1sco12345

b. ROOT is now selected. Enter the following information and then click Next:

i. Current Password: lan1cope

ii. New Password: C1sco12345

iii. Confirm New Password: C1sco12345

c. SYSADMIN is now selected. Enter the following information and then click Next:

i. Current Password: lan1cope

ii. New Password: C1sco12345

iii. Confirm New Password: C1sco12345

29. The Management Network Interface screen will now display. No changes are needed as you have verified that all the
settings are correct. Click Next to proceed.

30. The Host Name and Domains screen is displayed. Enter the following information and then click Next to proceed.

a. Host Name: fcnf

b. Network Domain: dcloud.cisco.com

31. The DNS Settings screen is displayed. We will now add the necessary DNS servers to our environment.

NOTE: Pay very close attention to the IP Addressing scheme used in dCloud. It is 198.x not 192.x.

a. To add the first DNS Server, Click the + icon

i. Enter 198.19.20.10

b. To Add the second DNS Server, Click the + icon

i. Enter 198.19.20.134

c. Once both DNS entries are listed, click Next to continue

32. The NTP Settings screen displays. We will now enter correct NTP settings for our environment.

a. Check the Delete checkboxes in front of all 3 default NTP entries and then click the – button

i. All entries should have been removed

b. Click the + button

i. Enter 198.18.128.1 in the new NTP entry field

ii. You should now only have a single entry for 198.18.128.1

c. Once only the single NTP entry remains, click Next.

33. The Review and Restart page is displayed. Click Restart and Proceed.

34. Click OK to confirm the restart of the Flow Collector.

35. Please be patient while the Flow Collector restarts. You will see a Processing notification followed by “This site can’t be
reached”. Wait a minute or 2, then attempt to reload the webpage.

a. Continue to reload the page until you are presented with the Flow Collector Certificate Warning page. Click the
Advanced button, then the Proceed link.

b. Log in to the Flow Collector as admin \ C1sco12345. Then click Ok on the Welcome page.

36. Click Continue on the AST page that appears.

37. The Central Management Settings page displays. Enter 198.19.20.136 in the IP Address Field and then click Save.

38. An Add Trust Certificate page will display. Click Yes to trust the SMC Certificate. (Your screen may show a different
Fingerprint value. This is OK, please proceed.)

39. You are now prompted to enter your Manager (SMC) Administration credentials. Click Next when done.

a. User ID: admin

b. Password: C1sco12345

40. The Central Management Settings page will display. Configure the following settings and press Next.

a. Select FETRAINING from the SNA Domain drop-down.

b. Enter 2055 as the Flow Collection Port.

41. The Appliance Setup Complete screen will eventually display. Click Go to Central Management.

42. You are directed to the SNA Central Management page on the SMC. You should see the currently configured SNA
appliances. Notice the Appliance Status for each appliance.

43. The FCNF appliance's status will eventually transition to "Up". Wait until it does and then proceed.

Flow Sensor
1. Open another Chrome web browser, or an additional tab within Chrome.

2. Access the Flow Sensor web interface by selecting the Appliances bookmark folder in Chrome and then selecting the FS
bookmark.

3. By default, SNA appliances use a self-signed certificate that is not trusted and will generate browser security warnings. If
presented with a browser security warning in Chrome, click the Advanced button, and then select the Proceed …
(unsafe) link to proceed to the appliance administration page.

4. Log in to the appliance using the default SNA username of admin, and the default password of lan411cope.

a. Username: admin

b. Password: lan411cope

5. Click Ok on the Welcome popup that appears.

6. The AST Welcome Page will now display. Click Continue to proceed.

7. The Change Default Passwords screen will now display. You need to set the passwords for admin, root, and sysadmin
prior to proceeding. Pay attention to the default passwords in the following configuration steps as they vary.

a. ADMIN is already selected. Enter the following information and then click Next:

i. Current Password: lan411cope

ii. New Password: C1sco12345

iii. Confirm New Password: C1sco12345

b. ROOT is now selected. Enter the following information and then click Next:

i. Current Password: lan1cope

ii. New Password: C1sco12345

iii. Confirm New Password: C1sco12345

c. SYSADMIN is now selected. Enter the following information and then click Next:

i. Current Password: lan1cope

ii. New Password: C1sco12345

iii. Confirm New Password: C1sco12345

8. The Management Network Interface screen displays. No changes are needed as you have verified that all the settings
are correct. Click Next to proceed.

9. The Host Name and Domains screen is displayed. Set the following parameters, and then click Next to proceed.

a. Host Name: fs

b. Network Domain: dcloud.cisco.com

10. The DNS Settings screen is displayed. We will now add the necessary DNS servers to our environment.

a. To add the first DNS Server, Click the + icon

i. Enter 198.19.20.10

b. To Add the second DNS Server, Click the + icon

i. Enter 198.19.20.134

c. Once both DNS entries are listed, click Next to continue

11. The NTP Settings screen displays. We will now enter correct NTP settings for our environment.

a. Check the Delete checkboxes in front of all 3 default NTP entries and then click the – button

i. All entries should have been removed

b. Click the + button

i. Enter 198.18.128.1 in the new NTP entry field

ii. You should now only have a single entry for 198.18.128.1

c. Once only the single NTP entry remains, click Next.

12. The Review and Restart page is displayed. Click Restart and Proceed.

13. Click OK to confirm the restart of the Flow Sensor.

14. Please be patient while the Flow Sensor restarts. You will see a ‘Processing…’ notification followed by “This site can’t be
reached”. Wait a minute or 2, then attempt to reload the webpage.

a. Continue to reload the page until you are presented with the Flow Sensor Certificate Warning page. Click the
Advanced button, then the Proceed link.

b. Log in to the Flow Sensor as admin \ C1sco12345. Then click Ok on the Welcome page.

15. Click Continue on the AST page that appears.

16. The Central Management Settings page displays. Enter 198.19.20.136 in the IP Address Field and then click Save.

17. The Add Trust Certificate page appears. Click Yes.

18. You now need to enter your Manager administration credentials. Enter admin \ C1sco12345 then click Next.

19. The Central Management Settings page appears. Select FETRAINING from the SNA Domain dropdown.

20. Then, after the Select a Flow Collector dropdown appears, click fcnf from the list.

21. Click Next.

22. Be patient while waiting for the setup to complete. Click Go to Central Management when the button appears.

23. You should see all 4 appliances in the Central Management list.

24. The FS appliance's status will eventually transition to "Up". Wait until it does and then proceed.

25. Close the FS Administration tab leaving the Central Management tab open.

Scenario Summary
You have successfully completed the steps necessary to allow the Manager appliance to manage all SNA appliances within the
customer deployment. You are now ready to complete remaining additional appliance configuration tasks.

Scenario 3. Data Store Configuration


Now that all the customer appliances have gone through the AST and been added to the Manager, it is time for you to initialize the
data store. You will be performing this process on the Manager over SSH. You will first enable SSH in the Manager configuration so
that you can connect over SSH and run the SystemConfig utility.

Enable SSH on Manager


1. Find, or open, a Chrome connection to the SNA Central Management page on the SMC (https://198.19.20.136/central-mgmt/).

2. Locate the entry for the SMC in the inventory and then click the circle icon to the right in the SMC's Actions column.

3. Select Edit Appliance Configuration from the pop-up menu. You can access many common configuration options from
this location. If “Edit Appliance Configuration” is not yet available, you will need to wait until the SMC Application Status
displays Up.

4. Scroll down and locate the SSH section and then check both the Enable SSH and Enable Root SSH Access options.

5. Click Apply Settings.

6. When asked to confirm the changes, select Apply Changes.

7. Return to the Central Management page.

8. The SMC appliance is receiving the configuration changes you made to enable SSH. Wait until the Appliance Status field
value changes to Connected before proceeding.

9. The SMC appliance is now connected and has SSH enabled.

Initialize Datastore
10. Open the PuTTY shortcut on the desktop of WKST1.

11. In the Saved Sessions section of the PuTTY screen, select the SMC entry and then click Open.

12. If a warning appears, click Yes. (This warning simply states that the SSH host key is different from the one the program remembers. In
this environment it is because the appliances are rebuilt and upgraded quite often and new SSH keys are generated.)

13. The saved session prompts you to login.

14. Log in as root with a password of C1sco12345 and then press Enter.

15. You should now be logged into the SMC console via SSH.

16. Type the command SystemConfig and press Enter

17. At the Login information screen press Enter.

18. Choose the Data Store menu and press Enter.

19. Choose the SSH menu option and press Enter.

NOTE: If you do not have the required appliances, you will receive an error screen as shown below.

20. The SSH key generation process may take approximately 1-2 minutes. Please wait until the process finishes.

21. When the success window appears, choose OK.

22. At the Data Store menu, choose Initialization and press Enter.

23. Press Enter to begin the initialization process and set passwords for FC to Datastore communication.

24. The Password Policy screen is displayed. Review the requirements and then choose OK.

25. When prompted to set the dbadmin password enter C1sco12345!

26. Confirm the dbadmin password by entering C1sco12345!

27. When prompted to set the readonlyuser password enter C1sco12345!

28. Confirm the readonlyuser password by entering C1sco12345!

29. The data store initialization should take less than 5 minutes in the lab environment. Please wait until the process has
completed before moving forward with the lab

30. Once the data store initialization has completed Select OK.

31. Select OK on the notice about the previous SSH configuration.

32. Exit the System Configuration Utility.

33. Return to the Central Management web user interface in the Chrome Browser window. Ensure that you are in Central
Management and on the Appliance Manager window.

34. Notice that the status of the Data Store appliance has changed and no longer shows “Data Store not Initialized.”

35. Select Data Store at the top of the screen. Review the Data Store page that displays. Notice the database and data store
status information is displayed along with the management IP and Private LAN IP of the data store node.

Scenario Summary
You have successfully completed the configuration of the data store node and the Flow Collector appliance so that the data store
is initialized and the Flow Collector is configured to store flow data in the data store node instead of its own local database. Now
that there is a location for data to be stored in the customer environment, you will proceed with additional appliance configuration
to prepare for taking in NetFlow data.

Scenario 4. Appliance Post-Install Configuration & Verification


There are some additional settings that should be configured that are not available through the Appliance Setup tool (AST). As part
of the customer deployment, you will now complete required additional configuration and testing steps on the appliances.
Additional configuration includes settings that allow NetFlow to be processed by a Flow Sensor, NetFlow forwarding by a Cisco
Telemetry Broker appliance, enabling SSH access to all SNA appliances, and enabling the Cognitive integration where required.
We will also perform some proactive DNS and NTP testing to ensure a smooth deployment.

SSH console access is often used for several troubleshooting and verification steps throughout an implementation. You will
therefore enable the SSH service on each appliance. Cisco SNA has the ability to share information with the Cisco Cognitive
Analytics solution in order to provide additional detection and reporting capabilities regarding telemetry data found within SNA. In
order to complete this integration, we need to enable the capability on the SMC and Flow Collectors.

Additionally, you will verify that the values given to you by the customer for DNS and NTP are correct, and that those services are
functioning properly on the appliances. Completion of these steps is required in order for the SNA solution to become fully
functional and usable by the customer.

Enable SSH and Global Threat Alerts on Appliances


1. Find, or open, a Chrome connection to the SNA Central Management page on the SMC (https://198.19.20.136/central-mgmt/).

2. Locate the entry for the SMC in the inventory and then click the circle icon to the right in the SMC's Actions column.

3. Select Edit Appliance Configuration from the pop-up menu. You can access many common configuration options from
this location. If “Edit Appliance Configuration” is not yet available, you will need to wait until the SMC Application Status
displays Up.

4. You have already enabled SSH for the Manager appliance. You will now enable Global Threat Alerts.

5. Click the General tab, scroll down until you see the External Services section, then place a checkmark in the following
boxes:

a. Enable Global Threat Alerts.

b. Enable Threat Feed

6. Click Apply Settings.

7. When asked to confirm the changes, select Apply Changes.

8. Return to the SNA Central Management page on the SMC (https://198.19.20.136/central-mgmt/).

9. You will now enable SSH on the Flow Sensor (FS).

10. Locate the entry for the FS and then click the Action button (three dots icon) to the right in the FS’s Actions column.

11. Select Edit Appliance Configuration from the pop-up menu. We can access many common configuration options from
this location.

12. Scroll down and locate the SSH section and check both the Enable SSH and Enable Root SSH Access options.

13. Click Apply Settings.

14. When asked to confirm the changes, select Apply Changes.

15. Return to the SNA Central Management page on the SMC (https://198.19.20.136/central-mgmt/).

16. You will now enable SSH on the Data Node (DN).

17. Locate the entry for the datastore appliance and then click the Action button (three dots icon) to the right in the DN
Actions column.

18. Select Edit Appliance Configuration from the pop-up menu.

19. Scroll down and locate the SSH section and verify that both the Enable SSH and Enable Root SSH Access options are
enabled. If not, place a check mark and then Apply Settings to save the change.

20. Click Apply Settings.

21. Return to the Central Management page on the Manager (https://198.19.20.136/central-mgmt/).

22. You will now enable SSH on the Flow Collector (FCNF). Locate the entry for the FCNF and then click the circle icon to
the right in the FCNF's Actions column.

23. Select Edit Appliance Configuration from the pop-up menu.

24. Locate the SSH section and ensure both the Enable SSH and Enable Root SSH Access options are selected.

25. Click the General tab, scroll down until you see the External Services section, then click Enable Global Threat Alerts.

26. Click Apply Settings, then Apply Changes.

NOTE: By default, SSH and Root SSH are disabled on new appliances and must be enabled in order to use that access method.
As this access method is crucial for following the labs within this document, you should verify that it is enabled on each of the
appliances.

27. You should once again be returned to the Central Management page. Wait until both the Manager and FCNF appliances
are Up.

28. You can now verify that Global Threat Alerts (formerly Cognitive) is enabled. Use an existing browser window or open a
new browser window to the SMC appliance.

29. Ensure you are on the Security Insight Dashboard. (Dashboards > Network Security)

30. Scroll down until you see the new widget named Global Threat Alerts. If you do not see it, close your Chrome window,
re-open Chrome and reconnect/authenticate to the SMC appliance as admin/C1sco12345.

31. The GTA widget is shown on the dashboard and will show any alerts associated with the flow data in the environment.

32. The Global Threat Alerts widget may be completely blank at this point. That is normal. If it appears at all then you may
move on with the lab.

DNS Verification
You will now verify that the SMC appliance can successfully communicate with its configured DNS servers. While all appliances
should be able to successfully utilize DNS, it is vital for the SMC appliance as it must perform name resolution for various
documents in the product as well as utilize DNS resolution for licensing and threat feed access. In a customer environment, this
verification should be performed on all appliances.

1. Find, or open, a Chrome connection to the SNA Central Management page on the SMC (https://198.19.20.136/central-mgmt/).

2. Locate the SMC entry and after clicking the associated Action icon, select View Appliance Statistics.

3. You should now see the SMC Appliance Administration Home page.

4. Click the Configuration menu and then select the Naming and DNS menu item.

5. Locate the Network Host and IP Lookup section.

a. Enter the IP address 198.19.20.10 in the Host name or IP Address field and then click Resolve

b. A new Chrome tab opens, showing the status of the DNS request. The request should be successful, and the
name associated with the PTR record of the IP address is displayed as ad1.dcloud.local.

c. You have verified that the appliance was able to successfully communicate with a valid DNS server. An
unsuccessful request would not have shown the PTR record for ad1.dcloud.local.

6. Close this Chrome tab and also close the previous Chrome tab until you return to the Central Management page on the
SMC.

NTP Verification
You will now verify that the SMC appliance can successfully communicate with its configured NTP server. NTP is a critical service
for all SNA appliances. Alarms will be raised in the product if time mismatches are discovered. In a customer environment, this
verification should be performed on all appliances. Just because your customer has given you the IP address of an NTP server
does not mean that it is a valid NTP server or that the appliances can communicate with it. You will now use the SSH console to verify
NTP functionality.

1. For more advanced NTP troubleshooting and verification, the appliance console can be accessed. You will now connect
to the SMC via SSH to perform additional NTP troubleshooting.

2. Open the PuTTY shortcut on the desktop of WKST1.

3. In the Saved Sessions section of the PuTTY screen, select the SMC entry and then click Open.

4. If a warning appears, click Yes. (This warning simply states that the SSH host key is different from the one the program remembers. In
this environment it is because the appliances are rebuilt and upgraded quite often and new SSH keys are generated.)

5. The saved session prompts you to login.

6. Log in as root with a password of C1sco12345 and then press Enter.

7. You should now be logged into the SMC console via SSH.

8. Run the following command to show the current time on the appliance:

hwclock --show

9. Verify that the result is a valid date and timestamp considering the time zone of the appliance (UTC).

10. Run the following command to display data about the status of the time source of the appliance:

chronyc ntpdata

11. The response shows the time server and all data associated with it.

12. Run the following command to display data about the status of the time synchronization on the appliance:

chronyc tracking

13. The System Time field shows the difference between the time source and the system time.

NOTE: If you are unable to successfully communicate with the NTP server address provided to you in the customer environment,
there may be an ACL or firewall rule in the customer network blocking the traffic, or an incompatible NTP server.

14. You have successfully tested the appliance’s ability to communicate with the customer’s NTP server. You may close the
PuTTY SSH session.

15. You may also close all open Chrome tabs and/or windows leaving open only a single Central Management page on
WKST1.

NOTE: In a customer environment, it is important to verify all appliances can successfully communicate with their assigned NTP
servers.
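The System Time check above is done by eye on a single appliance. The following added Python example (not part of the lab, and not chrony's code) parses the same `chronyc tracking` output so the check can be repeated mechanically against output collected from every appliance. The two sample outputs are constructed to mimic chrony's format: one synchronised to the lab NTP server 198.18.128.1, and one for the unreachable-server case the NOTE describes.

```python
"""Evaluate `chronyc tracking` output for the NTP health check performed in the lab.

Constructed example (not from the lab or from chrony). The sample outputs below
are made up; only the NTP server address 198.18.128.1 comes from the lab.
"""
import re
from typing import Dict, Optional

# Constructed sample: a healthy appliance synchronised to the lab NTP server.
HEALTHY = """\
Reference ID    : C6128001 (198.18.128.1)
Stratum         : 3
Ref time (UTC)  : Mon Nov 14 15:02:11 2022
System time     : 0.000123456 seconds fast of NTP time
Last offset     : +0.000098765 seconds
RMS offset      : 0.000234567 seconds
Frequency       : 12.345 ppm slow
Residual freq   : +0.001 ppm
Skew            : 0.123 ppm
Root delay      : 0.012345678 seconds
Root dispersion : 0.001234567 seconds
Update interval : 64.2 seconds
Leap status     : Normal
"""

# Constructed sample: chronyd is running but has never reached a server, which is
# what an ACL/firewall block or a non-NTP address from the customer looks like.
UNSYNCED = """\
Reference ID    : 00000000 ()
Stratum         : 0
Ref time (UTC)  : Thu Jan 01 00:00:00 1970
System time     : 0.000000000 seconds fast of NTP time
Last offset     : +0.000000000 seconds
RMS offset      : 0.000000000 seconds
Frequency       : 0.000 ppm slow
Residual freq   : +0.000 ppm
Skew            : 0.000 ppm
Root delay      : 1.000000000 seconds
Root dispersion : 1.000000000 seconds
Update interval : 0.0 seconds
Leap status     : Not synchronised
"""


def parse_tracking(output: str) -> Dict[str, str]:
    """Turn the 'Field : value' lines of `chronyc tracking` into a dict."""
    fields: Dict[str, str] = {}
    for line in output.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")   # split on the first colon only
            fields[key.strip()] = value.strip()
    return fields


def system_offset_seconds(fields: Dict[str, str]) -> Optional[float]:
    """Signed offset of the system clock from NTP time (positive = clock is fast)."""
    m = re.match(r"([\d.]+) seconds (fast|slow) of NTP time", fields.get("System time", ""))
    if not m:
        return None
    magnitude = float(m.group(1))
    return magnitude if m.group(2) == "fast" else -magnitude


def ntp_source(fields: Dict[str, str]) -> Optional[str]:
    """IP address of the selected time source, or None when no source is selected."""
    m = re.search(r"\(([^)]+)\)", fields.get("Reference ID", ""))
    return m.group(1) if m else None


def ntp_healthy(output: str, expected_server: str, max_offset: float = 0.5) -> bool:
    """True when the appliance is synchronised to expected_server within max_offset seconds.

    An unsynchronised chronyd reports a zero offset, so the offset alone is not
    enough: leap status, stratum and the selected source are checked as well.
    """
    f = parse_tracking(output)
    offset = system_offset_seconds(f)
    return (
        f.get("Leap status") == "Normal"
        and f.get("Stratum", "0") != "0"
        and ntp_source(f) == expected_server
        and offset is not None
        and abs(offset) <= max_offset
    )


if __name__ == "__main__":
    for name, sample in (("healthy", HEALTHY), ("unsynced", UNSYNCED)):
        print(name, "OK" if ntp_healthy(sample, "198.18.128.1") else "FAIL")
```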

Flow Sensor Configuration


1. Find, or open, a Chrome connection to the SNA Central Management page on the SMC (https://198.19.20.136/central-mgmt/).
You can click the SNA logo at the top left of the Central Management window to return to the Inventory page at any time.

2. Locate the FS entry and after clicking the associated Action icon, select View Appliance Statistics.

a. If prompted to authenticate, use:

i. Username: admin

ii. Password: C1sco12345

b. Click Ok at the Welcome popup.

3. You should now see the FlowSensor Web Administration page.

4. Click the Configuration menu and then select the NetFlow Collectors menu item.

5. Verify the entry for your Flow Collector running on 198.19.20.137 with port 2055 exists in the NetFlow Collectors page.

6. Click the Configuration menu and then select the Advanced Settings menu item.

7. Configure the following settings, and then click Apply once completed:

a. Export Packet Payload: Checked

b. Export Application Identification: Checked

i. Include IPv6: Checked

ii. Include HTTPS header Data: Checked

iii. Include HTTP Header Data: Checked

1. Export 256 bytes of the HTTP Request Path

c. Enable VXLAN Decapsulation: Unchecked

d. Enable GENEVE Decapsulation: Unchecked

e. Enable ERSPAN Decapsulation: Unchecked

f. Enable X-Forwarded-For Processing: Unchecked

g. Enable ETA Processing: Checked

h. IPFIX: Selected

i. Cache Mode: Use single…

8. Click Apply to save your changes.

9. You have successfully completed the required additional Flow Sensor configuration. Close the FS Web Administration
page and return to Central Management. Proceed to the next step of the lab.

NOTE: The Advanced Settings options are very beneficial if enabled and configured correctly. The additional information they
provide in a customer environment is valuable.

Export Packet Payload: Enables the FS to export part of the packet payload to populate additional data in the SMC.

Export Application Identification: The FS can perform Deep Packet Inspection (DPI) since it is seeing actual raw network traffic
and not just the metadata provided by NetFlow records. It can use this ability to automatically classify certain types of network
traffic based on the contents of the packet and not just the port and protocol it is being transmitted over. For example, packets may
be sent over TCP port 80 but in fact they are instant message chat traffic and not simply web browsing.

Include IPv6: If the customer has IPv6 in their network, and you wish to have the FS generate NetFlow records for the IPv6 traffic,
then this should be enabled. Even if the customer states they do not have IPv6 it may be worthwhile to enable the option for
reporting purposes as in many cases IPv6 is actually in use without customer knowledge.

Include HTTPS Header Data: Include details such as the certificate used to sign/encrypt HTTPS traffic.

Include HTTP Header Data: Include details such as the URL of HTTP requests or other clear text data such as FTP, telnet, or
SMTP commands.

Export x bytes of the HTTP Request Path: The amount of data from the HTTP Request Path to include with the flow record. By
default, this is set to 32 bytes. Increasing the size can result in more URL data being available in SNA but may generate additional
load on the FS appliance. The FS performance should be monitored when increasing the size of the Export.

Enable ETA Processing: Generate Encrypted Traffic Analytics flow data to be sent to the Cisco cloud for malware detection in
encrypted traffic without decryption.

Cisco Telemetry Broker Configuration


Your customer is using the Cisco Telemetry Broker to simplify configuration and forwarding of UDP management traffic. The Cisco
Telemetry Broker IP address is the single target of the customer’s NetFlow and Syslog traffic. You are responsible for configuring
the Cisco Telemetry Broker to forward this data to all systems needing to consume the UDP traffic. The Cisco Telemetry Broker is
crucial in this customer environment as all flow data passes through the appliance. If it is misconfigured, SNA will not have data to
properly function.

NOTE: The Cisco Telemetry Broker is an optional appliance responsible for being a single destination for NetFlow and other UDP
management traffic in a customer environment to reduce configuration complexity and increase flexibility with processing data such
as NetFlow, SNMP traps, and Syslog by multiple solutions, including SNA.

The IP address of the Cisco Telemetry Broker is the destination that the NetFlow exporters in the customer environment will send
their NetFlow records to. Without configuring the Cisco Telemetry Broker to forward that flow data on to the Flow Collector
appliance, there will never be any flow data to process within SNA.

1. Open the Chrome web browser using the shortcut located on the desktop of WKST1.

2. Access the Cisco Telemetry Broker Manager interface by selecting the Appliances bookmark folder in Chrome and then
selecting the Cisco Telemetry Broker Mgr bookmark.

3. Continue past any browser security messages

4. Log in using the following username and password. This is a different password than others used in the lab.

a. Username: admin

b. Password: dCloud123!

5. Once successfully logged in, click on the Destinations menu at the top of the screen.

6. Click Add Destination and select UDP Destination.

NOTE: SCA Destination is for Secure Cloud Analytics (formerly Stealthwatch Cloud). For Secure Network Analytics (Stealthwatch
Enterprise) choose UDP Destination. Only 1 SCA destination is supported.

7. Use the following values to configure the destination

a. Destination Name: SNA FC

b. Destination IP Address: 198.19.20.137

c. Destination UDP Port: 2055

8. Click Save.

9. Click Add Rule.

10. On the Add Rule window, enter 2055 as the Receiving UDP Port value and click Save.

11. Click Add Destination.

12. Use the following values to configure the destination

a. Destination Name: Manager

b. Destination IP Address: 198.19.20.136

c. Destination UDP Port: 514

13. Click Add Rule.

14. On the Add Rule window, enter 514 as the Receiving UDP Port value and click Save.

15. On the Destinations screen you should see some amount of traffic being processed and the number of sources being
populated. (It may take a few minutes for the data to populate)

NOTE: In this environment, and in most environments that have a single Flow Collector, it is desirable to have all NetFlow traffic
sent to the FC IP address via one rule. It is also possible to enter a specific IP address or CIDR range so that only traffic from
certain sources is forwarded to a specific destination.

This is more applicable in environments with large amounts of flow data that have multiple FC appliances in order to handle the
load. A very simple example of this is if there were a total of 100,000 flows per second (FPS) and it is desired to split the load
between two FCs. In that scenario, the forwarding rule for NetFlow should not utilize the “ALL” value in the Source IP Address field,
but rather specify the single IP address or CIDR range that should have its traffic sent to the appropriate FC. It may take multiple
entries to ensure that all source devices/networks are specified and forwarding data to the appropriate FC.

In some customer environments, NetFlow will not be configured to use the standard UDP port of 2055. An individual FC can only
accept flow traffic on a single port (however, that port can be configured to be any port number). In an environment that has a Cisco
Telemetry Broker and utilizes non-standard NetFlow ports, it is possible to write the forwarding rule to accept traffic on UDP 9055
and forward it to the FC on 2055 without having to change the default port number on the FC. If there are other solutions within
the customer environment that also need to ingest NetFlow, another forwarding rule can be set to forward flow with the original
port number, or a different value based on the preferences of that solution's administrator.

NOTE: In an environment without a Cisco Telemetry Broker (or UDPD), or an environment with only a single SMC, Syslog can be
configured to send directly to the IP address of the SMC appliance itself. If the customer environment has both primary and
secondary SMC appliances, both of those appliances will need the syslog data, and utilizing the Cisco Telemetry Broker, if
available, to forward data to both SMC’s would be beneficial.

16. You should now see 2 destinations in your destinations list. Validate these 2 entries! Labs will not work as expected if
you have any misconfigurations on this page.

a. NOTE: A common misconfiguration performed by students is to enter the IP addresses here as 192.x instead of
198.x
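The rule behaviour described in the notes above (an ALL rule for a single FC, per-source rules when splitting exporters across two FCs, and accepting a non-standard port and rewriting it to 2055) can be reasoned about before touching the appliance. The following is an added model written for this lab write-up; it is not Cisco Telemetry Broker code and it assumes that a datagram is delivered to every destination that has at least one matching rule. The 198.19.20.137 and 198.19.20.136 destinations are the ones configured above; the FC-2 (198.19.20.150) and "Other NetFlow tool" (198.19.20.160) addresses are constructed for the illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    """One forwarding rule attached to a destination (the Add Rule form)."""
    receiving_port: int      # Receiving UDP Port the broker listens on
    source: str = "ALL"      # Source IP Address: ALL, one address, or a CIDR range

    def matches(self, src_ip, dst_port):
        if dst_port != self.receiving_port:
            return False
        return self.source == "ALL" or ip_address(src_ip) in ip_network(self.source, strict=False)


@dataclass
class Destination:
    """A UDP Destination (the Add Destination form) together with its rules."""
    name: str
    ip: str
    port: int                # Destination UDP Port; need not equal the receiving port
    rules: list = field(default_factory=list)


def forward(destinations, src_ip, dst_port):
    """(name, ip, port) of every destination a datagram from src_ip on dst_port is copied to.
    Model assumption: a datagram is delivered to each destination that has a matching rule."""
    return [(d.name, d.ip, d.port) for d in destinations
            if any(r.matches(src_ip, dst_port) for r in d.rules)]


def unforwarded(destinations, exporters, dst_port):
    """Exporters whose telemetry on dst_port matches no rule at all: that flow is silently dropped."""
    return [e for e in exporters if not forward(destinations, e, dst_port)]


def lab_config():
    """The two destinations built in the steps above, each with a single ALL rule."""
    return [
        Destination("SNA FC", "198.19.20.137", 2055, [Rule(2055)]),
        Destination("Manager", "198.19.20.136", 514, [Rule(514)]),
    ]


def split_config():
    """Constructed two-collector layout from the NOTE: exporters split by source range, the
    non-standard port 9055 accepted and rewritten to 2055 towards the FCs, and a second tool
    (constructed address 198.19.20.160) fed on the original port. FC-2's address is constructed."""
    return [
        Destination("FC-1", "198.19.20.137", 2055,
                    [Rule(2055, "10.201.0.0/16"), Rule(9055, "10.201.0.0/16")]),
        Destination("FC-2", "198.19.20.150", 2055,
                    [Rule(2055, "198.19.0.0/16"), Rule(9055, "198.19.0.0/16")]),
        Destination("Other NetFlow tool", "198.19.20.160", 9055, [Rule(9055)]),
    ]


if __name__ == "__main__":
    cfg = split_config()
    print(forward(cfg, "198.19.20.1", 9055))
    # An exporter outside both source ranges reaches no FC: the gap the NOTE warns about
    print(unforwarded(cfg, ["10.201.3.9", "198.19.20.1", "10.203.0.207"], 2055))
```

The `unforwarded` check is the one worth running against the real exporter list whenever rules use specific sources rather than ALL: every exporter that falls outside all configured ranges produces no flow on any FC, and nothing in the Destinations screen will tell you which one it was.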

Scenario Summary
You have successfully completed the remaining configuration items for the Cisco Secure Network Analytics appliances in your
deployment. SSH has been enabled/verified to ensure that advanced troubleshooting tasks can be accomplished. The ability of the
appliances to reach their configured DNS servers has been verified. The ability of the appliances to reach their NTP servers has
also been verified. Advanced settings on the Flow Sensor appliance have been configured. The Cisco Telemetry Broker and its
rules have been configured so that flow data and syslog data can be processed by Cisco Secure Network Analytics.

Scenario 5. Additional Manager and Central Management Configuration


The Flow Sensor, Telemetry Broker, Data Node, and Flow Collector appliances have been fully configured at this point, but there is
still additional configuration to be performed in the Manager for the solution to properly function for the customer. You will now
utilize the Manager web UI to perform additional configuration of SNA for your customer.

1. Open another Chrome web browser, or an additional tab within Chrome.

a. If not already connected to the SMC Web UI, access the SMC web interface by selecting the Appliances
bookmark folder in Chrome and then selecting the SMC (Web UI) bookmark

b. If prompted for authentication, use:

i. Username: admin

ii. Password: C1sco12345

2. Once logged into the SMC (Manager), navigate to Dashboards > Network Security.

3. Scroll down on this dashboard until you see the Flow Collection Trend section. You should start seeing flow data
represented in this widget. Hover your mouse over the data on the right side of the trend graph to see information about
the inbound flows. It may take a minute or two for the flow count to grow as flow has only just started coming into SNA
once the Telemetry Broker configuration was completed and synchronized. Feel free to wait and refresh the page until
you see at least a few hundred Flows Per Second in the Trend Graphic.

4. Select Monitor > Interfaces from the menu at the top of the page.

5. You should see many interfaces in the list. These interfaces are reporting NetFlow from your customer network.

6. Hover your mouse over one of the Current Utilization bar/percentage locations and you will receive some details.

7. Now that we have validated that we are seeing at least a portion of the expected data, we can continue with our remaining
Manager configuration tasks.

Account Creation
We have been using the default admin account for all activities up to this point. We will first add an email address to this account,
then we will create a generic SOC (Security Operations Center) account which will be seen again in a later scenario.

1. Return to the Manager Web Interface in Chrome (using the SMC WebUI bookmark if needed). Login using admin \
C1sco12345 if needed.

2. Click the gear icon, then click User Management

3. You will now add an email address for the admin account. Click the Actions Icon for the admin user account, then click
Edit.

4. Enter [email protected] as the email address field, then click Save.

5. You will now make a generic account for the customer’s Security Operations Center possibly to use later in order to run
dashboards on large screens in the SOC.

6. Click Create then click User

7. First, Configure the following parameters:

a. User Name: SOC

b. Email: [email protected]

c. Authentication Service: local

d. Password: C1sco12345

e. Confirm Password: C1sco12345

8. Next, scroll down to Role settings and set:

a. Web > Web Roles: Power Analyst

b. Desktop > Desktop Client Roles: Security Analyst

9. Click Save

10. You should now see both users as expected and may continue with the next part of the lab scenario.

SNA App Installation


You have the ability to add SNA Apps to your customer’s deployment. Apps will provide us different ways to use the data received
by SNA and can be added to the deployment as needed without the need for a full version upgrade. In this portion of the lab
scenario, we will install 2 SNA Apps to be used later.

1. Return to the SMC Central Management Inventory page, then click App Manager.

2. You will see that there are not currently any Apps installed. Click Browse.

3. Navigate to WKST1 > Documents > Apps

4. Select app-smc-sw-diagrams-2.1.1-v2.swu then click Open

5. You will see an Upload progression bar followed by the Installation Status notification.

6. Once the App is installed, it will show up in the Apps list at the bottom of this page.

7. You will now install the second App

a. Click Browse

b. Click app-smc-sw-eta-report-3.2.1-v2.swu

c. Click Open

d. Wait for the installation to complete and the App to display in the list

8. Return to the Manager Web Interface by clicking the SMC (WebUI) bookmark in Chrome on the Appliances bookmark
folder

9. Hover your mouse pointer over the Dashboards menu and notice the 3 new Apps/Dashboards that are available.

10. There is no need to look at these dashboards yet. You will do this later after more NetFlow has been received from the
customer network.

SMTP
In order for SNA to be able to send alarms and scheduled reports via email, an SMTP relay server must be defined. Your customer
has provided you with the following SMTP server relay address and an email address the SMC can use to send messages.

From Email Address: [email protected]

SMTP Relay Address: 198.19.20.134

1. Access Central Management from the Manager web interface by clicking the Global Settings button (gear icon) and
selecting Central Management.

2. Click the Action button (three dots) for the SMC appliance and select Edit Appliance Configuration.

3. Click the Configuration Menu and select SMTP Configuration.

4. In the SMTP Configuration section enter the following values

a. SMTP Server: 198.19.20.134

b. From Email Address: [email protected]

c. Encryption Type: Unencrypted

5. Click Apply Settings.

6. Confirm that you do want to apply the settings by clicking Apply Changes again.

NOTE: The SMTP Relay Address value can be either an IP address or DNS name of a valid SMTP server. The server specified
must allow the SMC IP address to relay mail through the server. This often requires a configuration change in the customer
environment on the SMTP server. The From Email Address value does not have to be a valid mailbox in the customer environment
although it is recommended to have the domain name match the customer DNS domain name for their email addresses. When the
SMC sends emails, the value you enter in the From Email Address field will be the sender of the scheduled reports and alarms
sent by the SMC.

Archive Hour
The Archive Hour value defines when a new day of data collection starts within an SNA domain; index counts such as
the High Concern Index or High Target Index are reset at that time. In a customer environment, the archive hour should be set to midnight in
the time zone where the primary users/administrators of SNA are located.

1. Return to the main manager web UI homepage with the Security Insight Dashboard, click the Configure menu, and
choose Domain Properties.

2. Click Edit

3. Our customer happens to be in Atlanta, GA USA which is located in the EDT/EST time zone. In order for the Archive Hour
to be midnight in that time zone, you need to change it to 0 EST/EDT.

NOTE: The Time Zone displayed in the manager web interface is that of the computer you are accessing the interface
from. If you need to change the archive hour to be midnight in US Eastern time and your administrative workstation is on
UTC+0 time zone then you will need to adjust the archive hour value accordingly.

4. Click Save

Exporter SNMP Configuration


SNA uses SNMP to obtain interface name, type, description, and speed of the exporter interfaces sending NetFlow to the Flow
Collectors. Multiple SNMP community strings may be used by SNA with different settings. You will now configure an SNMP
community string on the Manager that it will use to poll your customer’s exporter devices.

1. Return to the Manager Web Interface in Chrome (using the SMC WebUI bookmark if needed). Login using admin \
C1sco12345 if needed.

2. Click the Configure menu and select Exporters.

3. Click Exporter SNMP Profiles.

4. Click Add New

5. Use the following values to configure the SNMP community string

a. Name: Standard v2 String

b. Version: 2c

c. Port: 161

d. Polling: every 60 minutes

e. Community: SupaSecretV2

6. Click Save

7. Change the default SNMP community string configuration used by the Manager by clicking the drop down menu under
Default Config and choosing Standard v2 String.

8. Click Save.

9. You have successfully created the SNMP community string as provided to you by your customer. Proceed to the next
step in the lab

NOTE: It is recommended that the polling interval be set to 720 minutes (12 hours) or higher in production to reduce SNMP traffic
and load on the SMC as well as exporters. In the lab environment for dCloud it is set to a lower value for lab purposes.

NOTE: You may create multiple SNMP configurations in SNA. Very rarely will a customer have only one single SNMP community
string in use for all of their network devices. Some devices may use SNMP v2 while others have SNMP v3. Some devices may
need settings for 10gbps interfaces and some may be from a different vendor that requires different settings. All of these
configurations are supported. Whichever community string is the most prevalent should be selected as the “default” community
string. The SMC will attempt to communicate with all devices on the Default community string. Any devices that require a different
community string to be used can have their individual SNMP setting manually configured per device in the SMC.

Scenario Summary
In this scenario, you verified that at least some portion of inbound NetFlow was being processed. You will look at this more soon in
order to identify specific exporter issues, if any exist. You also performed some additional customization of SNA for your customer,
such as, creating user accounts, adding 3 SNA Apps to the customer deployment, setting the archive hour, configuring SMTP and
SNMP polling.

Scenario 6. Configure Host Groups


The customer has provided you with a list of IP addresses and ranges in response to your request for IP data containing locations,
server types, applications, public IP space, authorized network scanners, etc. at the beginning of the project. You will now input
this IP data into the Manager and configure the appropriate host groups. Use the table below throughout the lab as needed.
Proceed with the instructions in the lab. It is important to remember that any information provided by the customer may not be
completely accurate.

Description                IP Address
DNS Server                 10.10.30.15
                           10.10.30.16
Vulnerability Scanner      10.203.0.207
Mail Server                10.10.30.23
Time Server                10.10.30.10
Public IP Address Space    209.182.184.0/24
Atlanta                    10.201.0.0/16
IT                         198.19.30.0/24
IT Servers                 198.19.20.0/24
Employee VPN               198.19.10.100-103
                           198.19.10.200-203
PCI Devices                10.201.3.0/24

Configure Public IP Space

NOTE: Host groups can only contain IP address data (MAC addresses or DNS names are not permitted). IP addresses can be
entered in several different formats. Single IP addresses can be entered such as 10.1.2.3. Hyphenated ranges can be specified
within an octet such as 192.168.1.1-57, 10.1-167.1.1, 172.22.0-255.0-255. Do not specify a range in the format of full IP address –
full IP address (192.168.1.1-192.168.1.254). The range must be within an octet (192.168.1.1-254). CIDR notation may also be
used such as 10.245.0.0/16 and can be combined with ranges such as 10.100-201.6.0/24 or 172.22-23.0.0/16.
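Customer-supplied IP lists frequently arrive in formats the Host Group editor does not accept (full-address-to-full-address ranges, hostnames, MAC addresses), and a typo such as an octet above 255 is easy to miss in a long list. The following added example, written for this lab write-up rather than taken from SNA, is a pre-flight validator for the IPv4 entry formats listed in the note above: it expands per-octet ranges and CIDR/range combinations, rejects everything else with a per-line reason, and collapses the result into the minimal set of networks so you can see how much address space a group really covers. The sample entries are constructed; IPv6 entries are out of scope for this checker.

```python
import re
from itertools import product
from ipaddress import IPv4Network, collapse_addresses

# One octet: "n" or "lo-hi". A dotted address after the hyphen, a hostname or a MAC fails here.
_OCTET = re.compile(r"^(\d{1,3})(?:-(\d{1,3}))?$")


def _octet_values(part):
    m = _OCTET.match(part)
    if not m:
        raise ValueError(f"octet {part!r} is not a number or a number-number range")
    lo = int(m.group(1))
    hi = int(m.group(2)) if m.group(2) else lo
    if not 0 <= lo <= hi <= 255:
        raise ValueError(f"octet range {part!r} is out of order or outside 0-255")
    return range(lo, hi + 1)


def expand_entry(entry):
    """Expand one host-group line into a minimal list of IPv4Network objects.
    Accepts 10.1.2.3, 192.168.1.1-57, 10.1-167.1.1, 10.245.0.0/16 and 10.100-201.6.0/24."""
    body, _, prefix = entry.strip().partition("/")
    plen = int(prefix) if prefix else 32
    if not 0 <= plen <= 32:
        raise ValueError(f"prefix length /{prefix} is invalid")
    parts = body.split(".")
    if len(parts) != 4:
        # 192.168.1.1-192.168.1.254 splits into seven parts: the unsupported full-address range form
        raise ValueError(f"{entry!r}: need exactly four octets; a range must sit inside one octet")
    nets = (IPv4Network(f"{'.'.join(map(str, o))}/{plen}", strict=False)
            for o in product(*(_octet_values(p) for p in parts)))
    return list(collapse_addresses(nets))


def check_host_group(lines):
    """Validate a whole IP Addresses and Ranges list; returns collapsed networks and per-line errors."""
    networks, errors = [], {}
    for line in lines:
        if not line.strip():
            continue
        try:
            networks.extend(expand_entry(line))
        except ValueError as exc:
            errors[line] = str(exc)
    return {"networks": list(collapse_addresses(networks)), "errors": errors}


def address_count(networks):
    """Total number of addresses covered by a list of networks."""
    return sum(n.num_addresses for n in networks)


if __name__ == "__main__":
    # Constructed sample list mixing valid entries with the formats the editor rejects
    sample = ["10.1.2.3", "192.168.1.1-57", "10.245.0.0/16", "172.22-23.0.0/16",
              "192.168.1.1-192.168.1.254", "10.1.2.300", "host.example.com", "00:11:22:33:44:55"]
    result = check_host_group(sample)
    for line, why in result["errors"].items():
        print(f"REJECT {line}: {why}")
    print(f"{address_count(result['networks'])} addresses in {len(result['networks'])} networks")
```

Running the check on the customer's list before pasting it into the Catch All group also surfaces a second class of problem the editor will not flag: an entry that is syntactically fine but far larger than intended (a /8 typed for a /24 shows up immediately in the address count).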

NOTE: The Catch All group in SNA performs a special function within the product. The contents of the Catch All group establish
what IP addresses a company utilizes, owns, or otherwise controls. By default, this includes all private IPv4 and IPv6 address
space. Just because a customer does not currently use a specific private address range that does not mean it should be taken out
of Catch All. Only remove a specific range if it is known that range is being used by an external entity and is not considered part of
the customer network. What should be added to the Catch All group is all the customer’s public IP address space. There are
several alarms in the product that deal with data leaving Inside Hosts (customer network) and being sent to Outside Hosts
(everything besides the customer network). If the customer’s public IP space is not correctly classified, there may be an increase in
alarms due to normal network traffic communicating with their public IP space. Additionally, it should be classified correctly to
assist with future investigations and reporting purposes.

1. Return to the Security Insight Dashboard web page in the Manager web interface on WKST1 or open the web interface
by clicking the SMC bookmark bar entry in the Chrome web browser.

2. Click the Configure menu and select Host Group Management.

3. Expand the Inside Hosts object and select the Catch All host group

4. With the Catch All group selected, click the Edit button.

5. The customer has stated that their public and internal IP address space, in addition to the traditional RFC 1918 IP space, can be
summarized as 209.182.184.0/24, 198.19.10.0/24, 198.19.20.0/24, and 198.19.30.0/24. You will now input this additional
IP range information into the Catch All group.

6. In the IP Addresses and Ranges section of the Host Group Management window, use the Enter key to create a new
blank line at the end of the current list.

a. Add the following 4 IP Ranges to the Catch All Host Group:

209.182.184.0/24

198.19.10.0/24

198.19.20.0/24

198.19.30.0/24

7. Click Save

8. You have now classified the customer’s internal and public address space within SNA as part of their Inside Hosts.
Proceed with the next step in the lab and leave the current window open.

Configure Additional Host Groups


Your customer has provided additional IP data for host classification. You will now configure additional host groups on the
Manager.

1. In the Host Group Management screen, click in the Filter by Host Group Name space, type DNS, and hit the Enter key
to filter the results.

2. Select the DNS Servers host group and click the Edit button.

3. In the IP Addresses and Ranges section of the Host Group Management window, add the following IP addresses to
the host group and click Save.

10.10.30.15

10.10.30.16

4. Navigate the host group tree to find the Network Scanners host group.

5. Select the Network Scanners host group and click the Edit button.

6. In the IP Addresses and Ranges section of the Host Group Management window, add the IP address 10.203.0.207 to
the host group and click Save.

NOTE: The Network Scanners host group is referenced by policies to automatically silence several types of alarms that
would normally be triggered by hosts performing network scanning activities. By placing the customer’s authorized
vulnerability scanner IP address in the Network Scanners host group, you are silencing several alarms for valid behavior
that would otherwise have gone active. This also helps classify the hosts on the customer network, as more of their IP space is
assigned to applicable host groups.

7. Again, using the Filter by Host Group Name field, locate the NTP Servers Host Group. Then click the NTP Servers object
to see that it is not yet configured with any IP addresses.

8. Click the Edit button in the upper right-hand corner to activate the form. In the IP Addresses and Ranges text box, enter
10.10.30.10. Click Save when done.

9. Locate the Mail Servers host group, click Edit, and add the IP address 10.10.30.23. Click Save when completed.

10. You will now add in a location based host group which should be nested under the By Location host group in the Inside
Hosts section of the enterprise tree.

11. Locate the By Location host group in the tree (use Search if desired).

12. Select the By Location object, then click the Action icon to the right (three dots). Select Add Host Group from the
menu that appears.

13. In the New Host Group form that appears in the right-hand pane, enter Atlanta as the name of the new host group and
enter 10.201.0.0/16 in the IP Addresses and Ranges field. Click Save when done.

14. You will notice the new Host Group appears in your tree nested beneath By Location.

15. You will now classify the IP range of the customer IT Department

16. Click the Action Icon to the right of By Function, then click Add Host Group

17. Set the Host Group Name to IT, and the IP Addresses and Ranges to 198.19.30.0/24, then click Save

18. You will now classify the IP range of your customer’s IT Servers. Click the Action Icon to the right of Servers nested
below By Function, then click Add Host Group.

19. Set the Host Group Name to IT Servers, and the IP Addresses and Ranges to 198.19.20.0/24, then click Save

20. You will now classify the IP range of the Employee VPN Pools. Type VPN and press Enter in the search field.

21. Click the Employee VPN object then click the Edit button and enter the following IP Ranges:

198.19.10.100-103

198.19.10.200-203

22. Click Save

23. On your own, utilize the previous steps to create another host group named PCI Devices which should be nested under
the By Function host group. Input the IP range specified by the customer from the previous table (10.201.3.0/24). Click
Save when the configuration is completed.

24. You have successfully configured the host groups as specified by your customer. You may close all Chrome windows on
the WKST1 system.

Scenario Summary
In this scenario, you have created host groups based on the IP address data the customer has provided to you. You have utilized
Host Group Management in the web client interface to add in the customer’s public IP space to the Catch All group to mark it as
being inside the customer’s control and you have created additional appropriate host groups.

Scenario 7. Cisco Router NetFlow Configuration and Validation


Your customer would like you to configure NetFlow on an internal router. They have asked you to deploy the configuration
according to best practices.

Router NetFlow Configuration


You will now configure a Cisco router to work with our SNA Solution. You will be configuring a Cisco Cloud Services Router
running IOS-XE 16.6.4 code (CSR in your dCloud topology). Throughout the lab we will configure NetFlow and SNMP.

1. Return to the desktop of your WKST1 system and click the PuTTY link.

2. Click the saved session named CSR and then click Open.

3. For the login as: prompt, enter admin and press enter

4. For the Password: prompt, enter C1sco12345 and press enter

5. You should see a CSR# prompt if successfully authenticated via SSH.

6. We will first configure the Flow Record by typing the following commands one by one and pressing enter at the end of
each line:

configure terminal
flow record FLOW_RECORD
 description NetFlow record for SNA
 match ipv4 tos
 match ipv4 source address
 match ipv4 destination address
 match transport destination-port
 match transport source-port
 match interface input
 match ipv4 protocol
 collect interface output
 collect transport tcp flags
 collect ipv4 ttl minimum
 collect ipv4 ttl maximum
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect ipv4 dscp
exit

7. You will now configure the Flow Exporter by typing the following commands one by one and pressing enter at the end of
each line:

flow exporter FLOW_EXPORTER
 description Export NetFlow to SNA
 destination 198.19.20.139
 transport udp 2055
 template data timeout 30
 option interface-table
exit

8. We will now configure the Flow Monitor by typing the following commands one by one and pressing enter at the end of
each line:

flow monitor FLOW_MONITOR
 record FLOW_RECORD
 exporter FLOW_EXPORTER
 cache timeout active 60
 cache timeout inactive 15
exit

9. Let’s now look at our interfaces on the CSR routing platform by typing the following command (if your prompt does not
show “CSR(config)” then type “config t” to be able to type configuration commands):

do show ip interface brief

a. Notice that the GigabitEthernet2 interface is in the same IP space as our appliances, the GigabitEthernet1
interface is in the same IP space as our ASAv and is in the direction of the Internet, while the GigabitEthernet3
interface is in the same IP space as WKST1.

10. Let’s now assign our Flow Monitor to all interfaces by typing the following commands one by one and pressing enter at
the end of each line:

interface range gig1-3
 ip flow monitor FLOW_MONITOR input
end
write memory

11. You should now be back at the CSR# prompt.

12. NetFlow is now enabled on this device and should be sending information to the Cisco Telemetry Broker as expected.

13. Type show flow exporter and press enter. You should see the following information displayed. Make note of the
Source IP address as this is how the exporter will identify itself within SNA. Note: your source ports may be different than
that shown in this example due to OSI layer 4 characteristics.

14. You can also check to see if there is already flow in the local CSR cache.

a. Type show flow monitor FLOW_MONITOR cache format table and press Enter (You may choose to make
your PuTTY window larger and re-enter this command due to the column wrap that occurs.)

b. If you are not at a CSR# prompt and instead see --More--, just press Q to return to the prompt.

c. You should see a CSR# prompt at this time

15. Finally, let’s enable SNMP Read-only access by typing the following commands one by one and pressing enter at the end
of each line:

configure terminal
snmp-server community SupaSecretV2 RO
end
write memory

16. Close the Putty window.

17. You can now continue with the next portion of the lab where we will validate the NetFlow records are being received.

Router NetFlow Validation


Now that NetFlow is configured on the CSR router in the customer environment, we can validate its functionality.

1. We will first generate some connections from WKST1 which is located on the other side of the CSR from our remaining
lab systems. These connections should cause the CSR to create associated NetFlow Records and forward them to the
UDP Director, which will in turn forward them to the Flow Collector.

2. Open the Chrome web browser using the shortcut located on the desktop of WKST1.

3. Access the Manager web interface by selecting the SMC (WebUI) bookmark in Chrome.

4. Log in to the appliance using credentials below.

a. User Name: admin

b. Password: C1sco12345

5. Click the Analyze menu and select Flow Search.

6. Click on Advanced Connection Options to expand it.

7. Scroll down until the section Exporters & Interfaces is shown and click the Select button.

8. Expand the fcnf object, select the 198.19.20.1 exporter, and click Apply.

9. You have configured the Flow Search to only show flows that come from the CSR device. Scroll up to the top of the
window and verify your filter appears as below and proceed.

10. Click the Search button in the top right corner of the page.

11. Verify that flow records are being returned in the search results. Seeing flow records as shown below means that the
exporter is sending valid flow data to the Flow Collector and the Flow Collector is able to process the data. If no results
were shown then additional troubleshooting to determine the root cause would be required. If you see flow records
returned in your search, continue with the rest of the lab. If you do not see flow records returned, verify your search filter is
correct, wait another 1-2 minutes and try again, verify your Telemetry Broker rules are correct, and finally verify the
configuration of the CSR exporter before proceeding.

Scenario Summary
In this scenario, you configured and validated NetFlow on a Cisco IOS router. You may proceed with the next lab.

Scenario 8. Cisco Router ETA Configuration and Validation


Your customer has heard about the capability to include ETA flow fields within reported data for cryptographic compliance as well
as detecting malicious encrypted flows in the network. They have asked you to both configure ETA on a network device as well as
configure any reporting mechanisms that are available.

ETA Router Configuration


We will now configure Encrypted Traffic Analytics (ETA) on our router in the lab. You will be configuring a Cisco Cloud Services
Router running IOS-XE 16.6.4 code (CSR in your dCloud topology).

1. Return to the desktop of your WKST1 system via the remote control session and click the Putty link.

2. Click on the saved session named CSR, then click Open.

a. For the login as: prompt, enter admin and press enter.

b. For the Password: prompt, enter C1sco12345 and press enter.

3. You should see a CSR# prompt if successfully authenticated via SSH.

4. You will first configure the Flow Record by typing the following commands one by one and pressing enter at the end of
each line:

configure terminal

et-analytics

ip flow-export destination 198.19.20.139 2055

inactive-timeout 15

interface range gig1-3

et-analytics enable

end

write memory

1. Open a new tab in Chrome and navigate to https://www.cisco.com. Let this page load then proceed.

2. Open a new tab on the Chrome browser and perform the following actions to generate flow data. After accessing the page
for each item below, continue.

a. Search for “What is my ip”

b. Search YouTube for “fireplace video” and then play the video for approximately 2 minutes

3. Close all open Chrome browsers to stop all the HTTPS sessions.

4. Open a Chrome browser on WKST1, navigate to the Manager system via the SMC (WebUI) bookmark.

5. Open another Chrome web browser, or an additional tab within Chrome.

a. If not already connected to the SMC Web UI, access the SMC web interface by selecting the Appliances
bookmark folder in Chrome and then selecting the SMC (Web UI) bookmark.

b. If prompted for authentication, use:

i. Username: admin

ii. Password: C1sco12345

6. Select Analyze > Flow Search.

7. Set the following Flow Search Parameters:

a. Time Range = Last Half Hour

b. Subject Host IP Address = 198.19.30.36 (press enter after typing in this field)

c. Connection Applications (press the Select button) = HTTPS and HTTPS(unclassified)

d. Click Search

8. In order to better see our results, we will modify the columns that are displayed in the report. Click Manage Columns.

9. Modify the following selections from the Flow Table Columns filter:

a. Connection Tab:

i. Uncheck Duration

ii. Check all 5 entries that start with Encryption

iii. Uncheck Total Bytes

b. Subject Tab:

i. Uncheck Subject Bytes

ii. Uncheck Subject Host Groups

iii. Uncheck Subject Port/Protocol

c. Peer Tab:

i. Uncheck Peer Bytes

ii. Uncheck Peer Host Groups

iii. Uncheck Peer Port/Protocol

d. Click Set.

10. Scroll through the results. Notice we have Flow Records complete with Encryption Field data where available.

11. In order for us to reset the filter for future lab activities, click Manage Columns.

a. Click Restore Defaults, and then click Set.

12. You have now completed configuration and validation of NetFlow and ETA on a Cisco IOS-XE Router. Close all open
windows and applications on WKST1.

a. It should be noted that the SNA FlowSensor appliance also supports ETA export as well. We configured this
capability in an earlier lab scenario when we finalized the FlowSensor configuration.

Viewing and Filtering ETA in SNA


Our customer has asked us to help get them started with some customization surrounding reporting around their PCI requirements.
They have a few specific needs that will require SNA to constantly look at incoming flow data for matching conditions, as well as
some custom reporting needs. Let’s get started so our customer can begin to benefit from the solution right away. Your customer
has requested you build a report that will allow them to ensure they are compliant with recent changes to PCI/DSS standards. In
this case, they need to be certain they are not using SSL TLS 1.0 within their environment on any PCI Devices since this is a new
requirement.

1. Ensure you are logged into the SMC via Chrome; log in as admin \ C1sco12345 if necessary.

2. The first item our audit team would like us to investigate is readiness for the new PCI/DSS requirement regarding
SSL/TLS version. We are required to run TLS 1.1 or higher (with TLS 1.2 recommended). Let's ensure our PCI
systems are not running TLS 1.0.

3. From within the Web Interface, Select Analyze, then Flow Search.

4. Set the Search Type to Flow.

5. Set the Time Range to Last 8 Hours.

6. Set the Search Name to PCI TLS 1.0 Investigation.

7. Set the Max Records Returned to 10,000.

8. Click the Subject Host Groups Select button. Set the Subject Host Group to Inside Hosts and then click Apply.

9. Click the Connection Applications Select button. Select both HTTPS and HTTPS(unclassified), and then click Apply.

10. Click Search in the top-right corner of the Flow Search form. It will take a few minutes to run the report and provide data.
Wait until the report is 100% complete. (It will present partial data findings prior to being at 100%)

11. Click Manage Columns. It may take a few seconds for the pop-up to display.

12. Click Deselect all at the bottom of the pop-up window. This will remove all fields from all tabs.

13. Select ONLY the following columns:

a. Connection Tab: Select Start, Duration, Application, and All 5 of the Encryption … options

b. Subject Tab: Select Subject Host Groups, Subject IP Address, and Subject Orientation.

c. Peer Tab: Select Peer Host Groups, Peer IP Address, and Peer Port/Protocol

14. Click Set when only the above columns are selected

15. You now have the required columns displayed and can proceed by filtering the results.

16. Locate the Encryption TLS/SSL Version field.

a. NOTE 1: Depending on your display size, the fields may run off the page to the right. You may need to scroll to
the bottom of the window, locate the left-right slider bar, scroll to the right of the page, and then scroll back up
to the top of the page to locate the filter fields.

b. NOTE 2: Depending on your display size, this field name may be truncated. Look for Encryption… with a filter
below it that says Ex. 1.0.

17. Type 1.0 in this filter field.

a. If any flows are using TLS 1.0 they will be presented here.

b. There may not be any old ciphers in use so there may not be any results currently.

18. Change the Encryption TLS/SSL Version field value to 1.2

19. You should now see several flows using TLS version 1.2

20. If you wanted to review this information later, you could Export the current table to a CSV file, Save the
search, or even Save the Results. Do not perform any of these tasks at this time.

Using the SNA ETA Cryptographic Audit App


In an earlier scenario, we installed a SNA App that specifically deals with ETA-based cryptographic data. We will look at the
information provided via this App at this time.

1. Click Dashboards, then select ETA Cryptographic Audit from the menu.

2. Set the following fields:

a. Start Date Time: Set this to the day prior to your lab start-up

b. End Date Time: Set this to tomorrow’s date

3. Under Subject Host Groups click Select, select both Inside Hosts and Outside Hosts, and then click Apply.

4. Change the Orientation to Client.

5. Under Peer Host Groups, click Select

6. Choose both Inside Hosts and Outside Hosts. Click Apply.

7. Click Search

8. Look at the Results once presented.

a. From here we can View Flows associated with each entry, download data as a CSV file, and even generate a
report. Do not take any of these actions at this time.

Scenario Summary
In this scenario, you enabled ETA flow on a CSR network device and created a web-based search that can help the customer
ensure compliance with PCI standards by using Cisco’s ETA data embedded in flows from supported network devices. You also
viewed ETA data in the SNA App dedicated to this purpose.

Scenario 9. Custom Security Events


Once flow data is being properly classified within the customer environment, you can begin further customization and reporting.
There are many built-in documents/reports within the product, and in most cases, you can use those to accomplish your
customer’s goals. Occasionally however, you will need to customize the solution.

Your customer has asked you to help get them started with some customization surrounding their PCI environment and general
internet usage. They have a few specific needs that will require SNA to constantly look at incoming flow data for matching
conditions, as well as some custom reporting needs. Let’s get started so our customer can begin to benefit from the solution right
away.

Create Custom Security Events


Your customer is subject to certain PCI regulations regarding devices that process financial transactions. The customer wants to
ensure that these devices are not communicating with unauthorized hosts on the Internet and if unauthorized traffic does occur
then they wish to be notified. You will now create a host group to contain authorized external IP addresses and then create a
Custom Security Event to trigger on unauthorized network traffic while exempting traffic from the authorized host group.

1. Access the Manager by selecting the SMC (Web UI) bookmark in Chrome on WKST1.

2. Once in the SMC Web Interface, click Configure > Host Group Management.

3. Type Trusted in the Filter by Host Group Name field, and then press Enter.

4. Select the Action icon associated with Trusted Internet Hosts, and then select Add Host Group from the menu.

5. Configure the host group using the following values:

a. Name: Authorized Outside PCI Hosts

b. Ranges: 206.128.157.0/24

6. Click Save

7. Click the Configure menu, and then select the Policy Management menu item.

8. The Custom Events tab is already active by default. Click Create New Policy > Custom Security Event.

9. You will now configure the Custom Security Event based on the following values:

a. Name: Unauthorized PCI Traffic

b. Description: Alerts on network traffic between PCI hosts and Outside hosts not in the Authorized PCI
group

10. In the Find pane of the window, click the + button to add a new rule to this Custom Security Event.

11. Select Subject Host Groups from the list.

12. Type PCI in the Search field and then press Enter.

13. Click the circle icon in front of the PCI Devices host group. You should see a checkmark appear.

14. Click Apply.

15. You should now see the following configuration. Press the + button again to continue configuring rule parameters.

16. Select Peer Host Groups from the list.

17. Click the circle icon in front of the Outside Hosts host group. You should see a checkmark appear. DO NOT CLICK
APPLY YET.

18. Type Authorized in the Search field and then press Enter.

19. Click the circle in front of Authorized Outside PCI Hosts 2 times until you see an X icon appear. You are now set to
Include Outside Hosts but Exclude Authorized Outside PCI Hosts for Peer matching.

20. Click Apply.

21. You should now see the following configuration.

22. Click Save.

23. You should see the new rule in the list.

24. Enable this rule. After reviewing the rule, click the toggle button in the Status column to switch from Off to On.

25. Use the previous steps and methodology to create an additional Custom Security Event to trigger:

a. If an Outside Host (with the exception of Trusted Internet Hosts) acts as a client, and communicates with an
Inside Host over Remote Desktop, SSH, or Telnet.

b. HINT: Take advantage of the Subject and Peer Host Groups, Peer Application, and Subject Orientation fields in
the rule to accomplish the desired result.

26. You have now successfully completed the creation of your customer's Custom Security Events. They will now be notified
about these specific behaviors in the network that violate their written IT security policy. Proceed to the next lab step.
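The matching logic behind the two Custom Security Events built above, as an added example that is not part of the lab or the SNA product: host group membership with include/exclude semantics (the checkmark and X icons), subject orientation, and peer application. The 206.128.157.0/24 range is the lab's Authorized Outside PCI Hosts group; the PCI Devices, Inside Hosts and Trusted Internet Hosts ranges, the port-to-application mapping, and the sample flows are constructed for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Host group definitions. Only the Authorized Outside PCI Hosts range comes from
# the lab; the other ranges are constructed for this example.
HOST_GROUPS = {
    "Inside Hosts": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "198.18.0.0/15"],
    "PCI Devices": ["10.201.3.0/24"],
    "Authorized Outside PCI Hosts": ["206.128.157.0/24"],
    "Trusted Internet Hosts": ["203.0.113.0/24"],
}

# Simplification: the Peer Application is derived here from the peer port.
PORT_APPLICATIONS = {3389: "Remote Desktop", 22: "SSH", 23: "Telnet"}


def in_host_group(ip: str, group: str) -> bool:
    """Outside Hosts is everything that is not an Inside Host."""
    if group == "Outside Hosts":
        return not in_host_group(ip, "Inside Hosts")
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(net) for net in HOST_GROUPS[group])


@dataclass
class Flow:
    subject_ip: str
    peer_ip: str
    peer_port: int
    subject_orientation: str  # "client" or "server"

    @property
    def peer_application(self) -> str:
        return PORT_APPLICATIONS.get(self.peer_port, "Other")


@dataclass
class CustomSecurityEvent:
    name: str
    subject_include: Tuple[str, ...] = ()
    subject_exclude: Tuple[str, ...] = ()
    peer_include: Tuple[str, ...] = ()
    peer_exclude: Tuple[str, ...] = ()
    subject_orientation: Optional[str] = None
    peer_applications: Tuple[str, ...] = ()

    @staticmethod
    def _group_match(ip: str, include: Tuple[str, ...], exclude: Tuple[str, ...]) -> bool:
        # An included group must contain the IP; an excluded group (the X icon in
        # the lab UI) vetoes the match even when an included group also contains it.
        if include and not any(in_host_group(ip, g) for g in include):
            return False
        return not any(in_host_group(ip, g) for g in exclude)

    def matches(self, flow: Flow) -> bool:
        if not self._group_match(flow.subject_ip, self.subject_include, self.subject_exclude):
            return False
        if not self._group_match(flow.peer_ip, self.peer_include, self.peer_exclude):
            return False
        if self.subject_orientation and flow.subject_orientation != self.subject_orientation:
            return False
        if self.peer_applications and flow.peer_application not in self.peer_applications:
            return False
        return True


# The two Custom Security Events created in this scenario.
EVENTS = [
    CustomSecurityEvent(
        name="Unauthorized PCI Traffic",
        subject_include=("PCI Devices",),
        peer_include=("Outside Hosts",),
        peer_exclude=("Authorized Outside PCI Hosts",),
    ),
    CustomSecurityEvent(
        name="Outside Remote Access to Inside Host",
        subject_include=("Outside Hosts",),
        subject_exclude=("Trusted Internet Hosts",),
        subject_orientation="client",
        peer_include=("Inside Hosts",),
        peer_applications=("Remote Desktop", "SSH", "Telnet"),
    ),
]


def evaluate(flows: List[Flow], events=EVENTS) -> List[Tuple[str, Flow]]:
    """Return (event name, flow) for every flow that triggers an event."""
    return [(ev.name, f) for f in flows for ev in events if ev.matches(f)]


# Constructed sample flows.
SAMPLE_FLOWS = [
    Flow("10.201.3.10", "198.51.100.20", 443, "client"),  # PCI host to unauthorized outside host
    Flow("10.201.3.10", "206.128.157.5", 443, "client"),  # PCI host to authorized outside host
    Flow("198.51.100.7", "10.201.3.10", 3389, "client"),  # outside client RDP to inside host
    Flow("203.0.113.9", "10.1.1.1", 22, "client"),        # trusted internet host SSH: exempt
    Flow("198.51.100.7", "10.1.1.1", 443, "client"),      # outside client HTTPS: no rule
]

if __name__ == "__main__":
    for name, f in evaluate(SAMPLE_FLOWS):
        print(f"{name}: {f.subject_ip} -> {f.peer_ip}:{f.peer_port}")
```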

Scenario Summary
In this scenario, you created custom security events to highlight network traffic that violates the customer's IT Security policy
regarding PCI transactions. These CSEs will now generate alarms if triggered, and the customer can be notified through Response
Management emails or syslog.

Scenario 10. Verify Flow Data and Exporters


Now that you have successfully configured all SNA appliances, it is time to verify that SNA is properly processing flow data from
the pre-existing customer networking environment. You will utilize reports in the Manager web interface to verify the FC is seeing
NetFlow data from the customer exporter devices. You will also look at the data from specific exporters to determine if it is
formatted optimally for SNA.

Exporter Health
It is important to verify that all in-scope network devices that should be sending flow data to SNA show up as an Exporter in the
SMC interface. If a network device that is on the customer inventory does not appear in SNA, you may not have visibility into that
aspect of the customer network. This could be due to the device not being configured to send NetFlow data or something blocking
the NetFlow traffic to SNA.

Additionally, for devices that do show up in the Manager, it is important to verify that the flow data being sent appears optimized for
SNA. You will verify that the exporters (routers, switches, firewalls, etc.) sending NetFlow data to the Flow Collector (by way of the
Cisco Telemetry Broker in this instance) appear to have an optimal NetFlow configuration.

The customer has provided you with a list of network devices that are in-scope for the SNA project that should be sending flow
data.

• 172.16.16.1

• 172.16.16.2

• 172.16.16.3

• 172.16.16.4

• 172.16.16.50

• 172.16.16.100

• 172.16.16.200

• 198.18.128.138 and 198.19.20.138 (FlowSensors)

1. Access the Manager by selecting the SMC (Web UI) bookmark in Chrome on WKST1.

2. Once in the SMC Web Interface, click Dashboards > Report Builder.

3. Click Create New Report.

4. Scroll down and select Flow Collection Trend by Flow Collector.

5. Click Run

6. The Flow Collection Trend by Flow Collector report appears.

NOTE: The Flow Collection Trend report shows how many Flows Per Second (FPS) over time are being processed by this FC. If the
environment should be receiving thousands of flows per second but only ~500 or so are being processed, that could indicate a
large configuration issue on the customer exporters, UDPD, or Telemetry Broker. If more flows are being processed than the
appliance is rated to process, that could indicate a performance issue. Monitoring the Flow Collection Trend can be important for
many reasons. Each Flow Collector model is rated to handle a certain amount of FPS before performance degrades. You should
verify, especially during the initial installation, that each FC is not overloaded.

7. Save the report by clicking the Save button in the top right of the page.

8. Enter the following values in the Save Report window and click Save.

a. Report Name: Flow Collection Trend

b. Description: Trend of NetFlow processed by Flow Collector

10. Click Create New Report.

11. Scroll down and select Flow Collection Status.

12. Click Run

13. The Flow Collection Status report appears.

NOTE: The Flow Collection Status report provides data about the Exporters and the NetFlow data being processed from each
exporter sending to this FC.

14. Save the report by clicking the Save button in the top right of the page.

15. Enter the following values in the Save Report window and click Save.

a. Report Name: Flow Collection Status

b. Description: Status of NetFlow Exporters

16. You will now review a few columns within this report:

a. The Exporter column displays the IP address of the devices the FC is receiving NetFlow data from. If the
Manager is able to locate a reverse lookup (PTR) record in DNS, a DNS name may be shown there as well. You
should verify that all in-scope network devices appear in this list. Devices that are in-scope but do not appear
here are not having their NetFlow data processed and should be investigated as to why they do not appear.

b. The Current Flow Rate column shows the current amount of FPS (Flows Per Second) the exporter is sending to
the FC as of the last time the document was refreshed (by default every 5 minutes). If this value is blank, or a
very low number, the device may not be configured to export data from all in-scope interfaces on the device.

c. The Last Export column shows the last time and date that a flow record was received from the exporter. In most
environments this should be up to the current minute, as the device should be configured to send flow data every
minute as long as there are active flows being processed. Some devices may be installed in a part of the
network that has very low traffic levels or a redundant network link that only activates during certain time frames.
However, normally if the timestamp on this field is not current then there could be an issue with receiving data
from the exporter.

d. The Exporter Type column details how the FC recognizes the device sending the flow data. Most routers and
switches are shown as Exporter while certain devices will be recognized specifically, such as Cisco ASA and
the Flow Sensor appliance. If the field is blank or shows Unknown Exporter, the FC may not be able to properly
understand the flow records being exported from the device.

e. The Flow Type column details the version of NetFlow being generated by the exporter.

f. The Longest Duration Export column displays the total length of time, in seconds, that the flow with the longest
duration was active (from the first packet to the last packet). In practice, this field can indicate whether an
exporter has its "Active Timeout" value set correctly in its NetFlow export configuration. The Active Timeout value
should be set to 60 seconds for all exporters, and the value shown in the Longest Duration Export column should
be approximately 60 seconds. Values of hundreds or thousands of seconds should be investigated to
verify that the device's Active Timeout value is set correctly.

g. The SNMP Status column displays whether the Manager can successfully poll the exporter via SNMP to gather
additional interface data. If the Manager is unable to communicate with the exporter, an error will be shown.
These errors should be investigated in the customer environment to determine whether the wrong
SNMP community string is being used for the exporter or a firewall rule or ACL is preventing the network traffic
from the Manager to the exporter device.

17. Based on the data available, it is time to assess the status of the exporters in the customer environment. Determine the
answers to the following questions:

a. Do any exporters show up as an unknown exporter?

i. Likely bad NetFlow template configuration on the exporter

b. Do any exporters have an unknown or blank Flow Type field?

i. Likely bad NetFlow template configuration on the exporter

c. Do any exporters have a value for Last Export that is not a current timestamp?

i. Possibly a previously valid exporter that is now blocked by the network or offline. Additionally, this could
relate to incorrectly configured export timers on the device.

d. Do any exporters (besides Flow Sensors) have a value for Longest Duration Flow significantly over 60 seconds?

i. This is very likely an incorrectly configured Active Timer on the exporter. This should be set to 1 minute
(60 seconds).

e. Do any exporters show an error in the SNMP Status field? (FS will show NA as it is not queried by the SMC via
SNMP)

i. Either the SMC cannot reach the exporter (FW, ACL, etc), or the SNMP configuration for this device is
incorrect on the SMC. No resulting action is required in this lab.

18. Are there any exporters on the in-scope exporter list for the project that do not appear in the exporter list on the FC?

NOTE: The Flow Sensor appliance will appear as an exporter in the Flow Collection Status section, but one does not have to apply
the same criteria as to whether it is properly working as other exporters. Specifically, the Longest Duration Flow and SNMP Status
can be disregarded.

It is important to identify potential issues with exporters early in a deployment as it may take an extended period of time for the
customer to make changes to the configuration of the network devices in order to correct the issue.

In this simulated environment, there are no action items for the FE to correct on the exporters. If this were a customer environment
the FE should export the list of exporters to a CSV file and make a list for the customer of the devices that should be investigated
and for which reason.

19. There is a missing exporter! Exporter 172.16.16.4 is not appearing in the FC. You will now troubleshoot the potential
issues with this exporter device.
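The exporter assessment from steps 16 to 19, as an added example that is not part of the lab or the SNA product: it applies the Flow Collection Status checks (unknown exporter type, blank flow type, stale Last Export, Longest Duration far above the 60 second Active Timeout, SNMP errors, and in-scope devices missing from the report) to report rows. The in-scope list is the customer inventory from this scenario; the report rows, the 5 minute staleness bound and the "significantly over" threshold of twice the Active Timeout are constructed assumptions.

```python
from datetime import datetime, timedelta
from typing import Dict, List

# In-scope exporters from the customer inventory in this scenario.
IN_SCOPE = ["172.16.16.1", "172.16.16.2", "172.16.16.3", "172.16.16.4",
            "172.16.16.50", "172.16.16.100", "172.16.16.200",
            "198.18.128.138", "198.19.20.138"]

STALE_AFTER = timedelta(minutes=5)  # assumption: report refresh interval as staleness bound
ACTIVE_TIMEOUT_SECONDS = 60         # expected Active Timeout on every exporter
DURATION_TOLERANCE = 2              # assumption: "significantly over" means more than 2x


def assess_exporters(rows: List[Dict], in_scope: List[str], now: datetime) -> Dict[str, List[str]]:
    """Apply the Flow Collection Status checks to each exporter row.

    Returns exporter IP -> findings; in-scope exporters absent from the report
    are listed under the key "missing".
    """
    findings: Dict[str, List[str]] = {}
    seen = set()
    for row in rows:
        ip = row["Exporter"]
        seen.add(ip)
        issues = []
        # Flow Sensors are exempt from the duration and SNMP checks (see the NOTE above).
        is_flow_sensor = row["Exporter Type"] == "Flow Sensor"
        if row["Exporter Type"] in ("", "Unknown Exporter"):
            issues.append("unknown exporter type: likely bad NetFlow template on the exporter")
        if row["Flow Type"] in ("", "Unknown"):
            issues.append("unknown flow type: likely bad NetFlow template on the exporter")
        if now - row["Last Export"] > STALE_AFTER:
            issues.append("last export not current: exporter blocked, offline, or export timers misconfigured")
        if not is_flow_sensor and row["Longest Duration Export"] > ACTIVE_TIMEOUT_SECONDS * DURATION_TOLERANCE:
            issues.append("longest duration well over %ds: check the exporter's Active Timeout" % ACTIVE_TIMEOUT_SECONDS)
        if not is_flow_sensor and row["SNMP Status"] not in ("OK", "NA"):
            issues.append("SNMP error: SMC cannot reach the exporter or its SNMP configuration is wrong")
        if issues:
            findings[ip] = issues
    missing = [ip for ip in in_scope if ip not in seen]
    if missing:
        findings["missing"] = missing
    return findings


# Constructed sample of Flow Collection Status rows at a fixed "now".
NOW = datetime(2022, 11, 14, 10, 0, 0)


def _row(ip, etype, ftype, age_minutes, longest, snmp):
    return {"Exporter": ip, "Exporter Type": etype, "Flow Type": ftype,
            "Last Export": NOW - timedelta(minutes=age_minutes),
            "Longest Duration Export": longest, "SNMP Status": snmp}


SAMPLE_ROWS = [
    _row("172.16.16.1", "Exporter", "NetFlow v9", 1, 62, "OK"),           # healthy
    _row("172.16.16.2", "Exporter", "NetFlow v9", 1, 1800, "OK"),         # Active Timeout too long
    _row("172.16.16.3", "Exporter", "NetFlow v9", 0, 60, "Timeout"),      # SNMP unreachable
    _row("172.16.16.50", "Unknown Exporter", "", 0, 0, "OK"),             # bad template
    _row("172.16.16.100", "Exporter", "NetFlow v9", 180, 58, "OK"),       # stopped exporting
    _row("172.16.16.200", "Cisco ASA", "NetFlow v9", 1, 61, "OK"),        # healthy
    _row("198.18.128.138", "Flow Sensor", "IPFIX", 0, 3600, "NA"),        # FS: exempt checks
    _row("198.19.20.138", "Flow Sensor", "IPFIX", 0, 3600, "NA"),         # FS: exempt checks
]

if __name__ == "__main__":
    for exporter, issues in assess_exporters(SAMPLE_ROWS, IN_SCOPE, NOW).items():
        print(exporter, issues)
```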

Verify NetFlow Traffic to the Flow Collector


Exporter 172.16.16.4 is not appearing in the Flow Collector Dashboard document as a source of flow data. You must troubleshoot
the root cause of this issue. You will run a packet capture on the FC appliance to determine whether the NetFlow traffic from the
exporter is reaching the FC and not being processed correctly, or whether the traffic is not arriving at all. Remember, in our environment, the
flow records are created by the Exporter and then sent to the UDP Director, which in turn forwards them based on rules to our FC.
We will begin our troubleshooting process by working backwards from the FC towards the exporter.

1. Open Chrome and log in to the FC administrative interface by selecting the FCNF bookmark from the Appliances
bookmark folder in Chrome.

a. Use the username of admin and the password of C1sco12345 when prompted for authentication.

2. Click the Support menu and select the Packet Capture menu option.

3. You will now perform a packet capture for 5 minutes for the IP address of the first exporter that is not appearing in the FC.
Use the following values to configure the packet capture settings (continues on next page):

a. Name: Exporter1

b. Interface: eth0

c. Host IP Address: 172.16.16.4

d. Port: Any

e. Duration: 300

f. Packets: 5000

4. Click the Start button on the packet capture page to begin the packet capture.

5. Your packet capture is now displayed in the Captures section of the page.

6. Watch the Size(bytes) column. It seems to be remaining at 0 bytes, meaning the capture is not collecting data based on
our current filter. After 60 seconds (Duration column), you decide it has been long enough and can click the Stop
Capture button.

a. NOTE: We recommend in production that you capture for more time as it is possible that a misconfigured
exporter can take longer to transmit traffic.

7. Notice after stopping the capture, the size changes to 24 bytes. This is the base formatting of the pcap file, but just to
verify, you will open it.

8. The capture Name field will become a link that allows you to download the capture file to review in a packet analyzer.
Click the Exporter1 link, then click Save

9. The Chrome browser will download the file and show the download link in the lower left corner of the browser window.
Click the Exporter1.pcap file to open it in the locally installed Wireshark application.

10. Wireshark opens and displays a blank screen. It appears that there were no packets captured based on the capture
settings you specified. The FC has not received any data at all from the 172.16.16.4 exporter. Close Wireshark.

NOTE: Do not upgrade Wireshark if prompted, it is not necessary for the labs.

NOTE: If the size of the packet capture listed in the Captures section is 24 bytes then it is safe to assume there has been no data
captured.

11. Just to be safe, let’s verify that you are able to successfully capture any NetFlow traffic via packet capture by performing a
packet capture on the FC using the following settings:

a. Name: AllNetFlow

b. Interface: eth0

c. Host IP Address: (leave this field blank)

d. Port: netflow (2055)

e. Duration (seconds): 300

f. Packets: 5000

NOTE: When dealing with NetFlow packet captures, it is sometimes necessary to have the packet capture duration be over a long
period of time in order to capture the Flow Template packet for flexible NetFlow v9/IPFIX. With NetFlow v9 or IPFIX, the fields
within the NetFlow record can be customized. In order for a solution like SNA to be able to understand what the different fields
inside the flow record are, a Flow Template that maps the fields must be sent along every X packets. Depending on the
configuration of the exporter, it may take quite a while to receive the template packet (over 30 minutes). If you are capturing NetFlow
records and are not able to drill down into the flow records themselves, you most likely have not run the capture long enough. You
may have to use the command line tcpdump if you need to capture more than 100,000 packets. Be cautious about the hard disk
space used by packet captures when using the console commands. Always remove the packet capture file once it has been
transferred off the appliance for review if using command line tcpdump. The packet captures performed in the web administration
interface are less likely to become too large due to the packet limitations imposed.

12. This capture will likely end prior to 300 seconds due to the alternative packet maximum (5,000) that was also set on the
capture configuration.

13. Once the capture ends and the link becomes available, click on AllNetFlow and then Save the file.

14. Click on the AllNetFlow.pcap file link in Chrome to open it in Wireshark.

15. Notice that the packet analyzer is able to understand the NetFlow packets and allows you to drill down into the flow
records themselves.

16. Maximize the Wireshark application.

17. Select a packet at the top of the Wireshark page that is listed as CFLOW in the Protocol column.

18. In the middle pane, Expand Cisco NetFlow/IPFIX by clicking the associated >, then Expand FlowSet 1, then expand
each flow (Flow #) you care to investigate.

a. Notice that you can leverage this capture to see if all necessary fields are being sent along to the SNA system or
if the exporter configuration needs to be corrected.

b. This is a great way to identify exporter configuration template issues without having to get access to the router or
other device console.

NOTE: This can be very useful for troubleshooting NetFlow. Notice that one NetFlow packet can contain many individual flow
records. You are also able to see the specific fields being sent via the exporter and the version of NetFlow. If there is ever a
question about the FC processing flow data correctly, you may be required to perform a packet capture to verify the source flow
data is formatted correctly.

19. We have now validated that this FC is seeing Flow data, but after continuing to investigate the capture file (feel free to
click on the Source column in Wireshark to sort the exporters by IP address), you notice that we DO NOT see any
UDP/2055 traffic from 172.16.16.4. This should be noted and brought to your customer's attention: an in-scope
exporter is not sending any data.
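The template dependency described in the two NOTEs above, as an added example that is not part of the lab or of Wireshark: a minimal NetFlow v9 decoder that, like a collector, can only decode a data FlowSet once it has seen the matching template from the same source ID. The packets are constructed in the block (one template, ID 256, with the field types from RFC 3954); the sample addresses and counters are made up for the example.

```python
import struct
from typing import Dict, List, Tuple

# NetFlow v9 field type numbers (RFC 3954) used by the constructed template.
FIELD_NAMES = {1: "IN_BYTES", 2: "IN_PKTS", 4: "PROTOCOL", 7: "L4_SRC_PORT",
               8: "IPV4_SRC_ADDR", 11: "L4_DST_PORT", 12: "IPV4_DST_ADDR"}


def _format_value(field_type: int, raw: bytes):
    if field_type in (8, 12):                      # IPv4 address fields
        return ".".join(str(b) for b in raw)
    return int.from_bytes(raw, "big")


class NetFlowV9Decoder:
    """Decodes v9 packets, remembering templates per (source_id, template_id)."""

    def __init__(self):
        self.templates: Dict[Tuple[int, int], List[Tuple[int, int]]] = {}

    def decode(self, packet: bytes) -> Tuple[List[dict], List[int]]:
        """Return (decoded records, data FlowSet IDs with no known template)."""
        version, _count, _uptime, _secs, _seq, source_id = struct.unpack("!HHIIII", packet[:20])
        if version != 9:
            raise ValueError(f"not a NetFlow v9 packet (version {version})")
        records, pending = [], []
        off = 20
        while off + 4 <= len(packet):
            fs_id, fs_len = struct.unpack("!HH", packet[off:off + 4])
            if fs_len < 4:
                raise ValueError("malformed FlowSet length")
            body = packet[off + 4:off + fs_len]
            if fs_id == 0:                          # template FlowSet
                self._learn_templates(source_id, body)
            elif fs_id >= 256:                      # data FlowSet
                template = self.templates.get((source_id, fs_id))
                if template is None:
                    pending.append(fs_id)           # cannot decode until template arrives
                else:
                    records.extend(self._decode_data(template, body))
            off += fs_len
        return records, pending

    def _learn_templates(self, source_id: int, body: bytes) -> None:
        off = 0
        while off + 4 <= len(body):
            template_id, field_count = struct.unpack("!HH", body[off:off + 4])
            off += 4
            fields = []
            for _ in range(field_count):
                fields.append(struct.unpack("!HH", body[off:off + 4]))  # (type, length)
                off += 4
            self.templates[(source_id, template_id)] = fields

    @staticmethod
    def _decode_data(fields: List[Tuple[int, int]], body: bytes) -> List[dict]:
        record_len = sum(length for _, length in fields)
        out, off = [], 0
        while off + record_len <= len(body):       # leftover bytes are padding
            record = {}
            for field_type, length in fields:
                name = FIELD_NAMES.get(field_type, f"field_{field_type}")
                record[name] = _format_value(field_type, body[off:off + length])
                off += length
            out.append(record)
        return out


# Constructed packets: header (version 9) plus one FlowSet each.
TEMPLATE_FIELDS = [(8, 4), (12, 4), (7, 2), (11, 2), (4, 1), (1, 4), (2, 4)]
SAMPLE_FLOWS = [("10.201.3.10", "198.51.100.20", 51234, 443, 6, 8800, 12),
                ("10.1.1.1", "10.1.1.53", 40000, 53, 17, 512, 4)]


def _header(count: int, seq: int, source_id: int = 1) -> bytes:
    return struct.pack("!HHIIII", 9, count, 1000, 1700000000, seq, source_id)


def build_template_packet() -> bytes:
    body = struct.pack("!HH", 256, len(TEMPLATE_FIELDS))
    for field_type, length in TEMPLATE_FIELDS:
        body += struct.pack("!HH", field_type, length)
    return _header(1, 1) + struct.pack("!HH", 0, 4 + len(body)) + body


def build_data_packet(flows=SAMPLE_FLOWS) -> bytes:
    body = b""
    for src, dst, sport, dport, proto, nbytes, npkts in flows:
        body += bytes(map(int, src.split("."))) + bytes(map(int, dst.split(".")))
        body += struct.pack("!HHBII", sport, dport, proto, nbytes, npkts)
    while (4 + len(body)) % 4:                     # FlowSets are padded to 4 bytes
        body += b"\x00"
    return _header(len(flows), 2) + struct.pack("!HH", 256, 4 + len(body)) + body


if __name__ == "__main__":
    decoder = NetFlowV9Decoder()
    print(decoder.decode(build_data_packet()))     # data before template: nothing decodable
    decoder.decode(build_template_packet())
    print(decoder.decode(build_data_packet()))     # now both records decode
```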

Next Steps in the Customer Environment


You have verified that the 172.16.16.4 exporter’s NetFlow traffic is not reaching the FC appliance. There could be several potential
issues, including:

• Issue: NetFlow traffic is not reaching the Cisco Telemetry Broker at all

o Possible Cause: Exporter improperly configured

 Resolution: Check whether a Flow Sensor in the customer environment sees the inbound NetFlow traffic to the
Telemetry Broker, to determine whether the exporter is sending any data at all.

o Possible Cause: An ACL or firewall rule is blocking the NetFlow traffic.

 Resolution: Produce a packet capture showing no NetFlow traffic from the exporter in question and ask the
customer's network engineering staff to trace the network path and determine where the traffic is being blocked.

• Issue: NetFlow traffic is reaching the Telemetry Broker but is not reaching the FC

o Possible Cause: The exporter is improperly configured, or is sending NetFlow to a port that does not match any rule in
the Telemetry Broker configuration, so the Telemetry Broker is not forwarding the traffic to the FC.

 Resolution: Perform a packet capture for all traffic from the exporter in question. Determine whether NetFlow is
being sent on an alternative port that does not match the rules defined (the default NetFlow port is 2055). If so,
either create an additional rule in the Telemetry Broker configuration to forward traffic from that port to 2055
on the FC, or have the customer network team correct the configuration of the exporter.

• Issue: NetFlow is reaching the FC but is not appearing in the product for reporting purposes

o Possible Cause: The NetFlow configuration on the exporter is broken to the point that the FC cannot parse the
NetFlow records even though the packets are reaching the FC. Most often this is a NetFlow v9 or IPFIX exporter
with an incorrect template (for example, required fields missing from the template).

 Resolution: Work with the customer to review the NetFlow configuration on the exporter device.
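Step 19 and the first two issues above reduce to one question: which in-scope exporters are actually delivering UDP packets to the collector, and on which port? The following Python script, added here and not part of the lab guide, answers that from the text output of `tcpdump -nn -r capture.pcap udp` run against a capture taken on the FC. The capture lines and the in-scope exporter list are constructed for the example: 172.16.16.4 is deliberately absent and 172.16.16.3 is sending to a non-default port, so both failure cases from the list above are exercised.

```python
import re
from collections import Counter, defaultdict

# Matches the UDP summary lines printed by `tcpdump -nn`, e.g.
# "10:15:01.000101 IP 172.16.16.1.51245 > 10.201.0.21.2055: UDP, length 1392"
UDP_LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): UDP"
)


def exporter_report(lines, in_scope, collector_port=2055):
    """Summarise which in-scope exporters are (and are not) delivering NetFlow.

    Returns a dict with:
      packets     - {exporter: UDP packet count seen on collector_port}
      other_ports - {exporter: [ports]} for in-scope exporters that send UDP
                    only to some other port (the "port does not match a rule" case)
      missing     - sorted in-scope exporters with no UDP traffic in the capture
    """
    per_port = defaultdict(Counter)  # src -> Counter(dport -> packets)
    for line in lines:
        m = UDP_LINE.search(line)
        if m:
            per_port[m["src"]][int(m["dport"])] += 1
    packets = {src: c[collector_port] for src, c in per_port.items() if c[collector_port]}
    other_ports = {src: sorted(p for p in c if p != collector_port)
                   for src, c in per_port.items()
                   if src in in_scope and not c[collector_port]}
    missing = sorted(ip for ip in in_scope if ip not in per_port)
    return {"packets": packets, "other_ports": other_ports, "missing": missing}


# Constructed capture excerpt (not lab output): three exporters are talking,
# one of them on the wrong port, and 172.16.16.4 is silent. The TCP line is
# ignored by the regex, as it would be in a real capture.
SAMPLE_CAPTURE = """\
10:15:01.000101 IP 172.16.16.1.51245 > 10.201.0.21.2055: UDP, length 1392
10:15:01.000220 IP 172.16.16.2.51411 > 10.201.0.21.2055: UDP, length 1380
10:15:01.000350 IP 172.16.16.1.51245 > 10.201.0.21.2055: UDP, length 1392
10:15:01.000470 IP 172.16.16.3.49152 > 10.201.0.21.9996: UDP, length 1372
10:15:01.000600 IP 10.201.3.20.52010 > 10.201.1.51.22609: Flags [P.], seq 1:201, ack 1, win 512, length 200
""".splitlines()

# Constructed in-scope list; in a deployment this comes from the customer.
IN_SCOPE_EXPORTERS = {"172.16.16.1", "172.16.16.2", "172.16.16.3", "172.16.16.4"}

if __name__ == "__main__":
    report = exporter_report(SAMPLE_CAPTURE, IN_SCOPE_EXPORTERS)
    for ip, n in sorted(report["packets"].items()):
        print(f"{ip}: {n} packets on 2055")
    for ip, ports in report["other_ports"].items():
        print(f"{ip}: sending UDP only to {ports}, not 2055 - check exporter / broker rule")
    for ip in report["missing"]:
        print(f"{ip}: no NetFlow seen - raise with the customer")
```

Pipe the real `tcpdump` output in (one line per packet) instead of `SAMPLE_CAPTURE`; the `-nn` flag matters, because without it port numbers may be printed as service names and the pattern will not match.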

Scenario Summary
In this scenario, you have verified that the flow data coming into SNA is valid, identified potential issues with the NetFlow
records, verified which in-scope exporters are sending flow data, and reported to the customer any devices that are not.

NOTE: It is important to verify flow data as soon as possible in a deployment. NetFlow exporter issues are not commonly resolved
quickly by the customer, so identifying any problems early is important.

End of Day 1 Content


This concludes the Day 1 lab scenario content. If you are continuing into the Day 2 content during the same session, you may
close all open windows and proceed.


Scenario 11. Classification of Customer Environment


Customers do not always have completely accurate data available about the hosts and IP addresses on their network. You will find
that in some cases, the customer has no data available to them, or the data they provide you is not complete, or even inaccurate.
This can complicate your task of classifying the customer network into Host Groups.

You can use SNA to assist with host classification by searching for hosts generating certain types of network activity, verifying with
the customer the hosts are authorized for that activity, and then classifying them within SNA by editing existing host groups or
creating new host groups with the appropriate IP addresses or ranges.

Your customer previously provided you a small amount of IP classification data to input into SNA. You will now look for additional
server types and behavior to identify IP addresses that can be classified after customer verification.

Classify Public IP Space


Customers rarely have a complete list of all the public IP space they own, manage, or use. It is important that this space be
classified correctly so that customer-owned public addresses are treated as Inside Hosts rather than Outside Hosts. Your customer
has already given you the public IP range in use for their environment. You will now use SNA to verify that there are no additional
public IPs or networks that need to be added to the Catch All Host Group.

One way to identify customer owned public IP space is to look for flows where both the source and destination is an Outside Host.
If both hosts were truly outside the customer network, then SNA should not have a record of the flow data containing the network
transaction. Therefore, at least one IP address in the flow is likely to be managed by the customer. Running a Top Conversations
document filtered on ‘Outside Hosts to Outside Hosts’ traffic will help highlight potential IP addresses that can be classified as
customer owned.
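The heuristic in the paragraph above can be expressed in code. The following Python script is an added example, not part of the lab guide: given (Subject, Peer) pairs from a Top Conversations result and the current Inside Hosts definition, it keeps only Outside-to-Outside conversations, aggregates the endpoints into /24 blocks, and ranks the blocks by how often, and with how many distinct hosts, they appear. The Inside Hosts definition (RFC 1918 space only) and the flow list are constructed for the example.

```python
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed stand-in for the Inside Hosts definition before any public space
# has been classified: RFC 1918 only.
INSIDE_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The same definition after the customer confirms the block found below and it
# has been added to the Catch All host group.
CONFIRMED_NETS = INSIDE_NETS + [ip_network("209.182.185.0/24")]


def is_inside(ip, inside_nets=INSIDE_NETS):
    addr = ip_address(ip)
    return any(addr in net for net in inside_nets)


def candidate_public_ranges(flows, inside_nets=INSIDE_NETS, prefix=24):
    """Rank /prefix blocks that appear in Outside-to-Outside conversations.

    flows: iterable of (subject_ip, peer_ip) pairs from a Top Conversations
    result. A block that shows up repeatedly, with several distinct hosts, is a
    candidate for customer-owned public space; it must be confirmed with the
    customer before it goes into the Catch All host group.
    Returns a list of (network, conversations, distinct_hosts), best first.
    """
    convs, hosts = Counter(), defaultdict(set)
    for subj, peer in flows:
        if is_inside(subj, inside_nets) or is_inside(peer, inside_nets):
            continue  # ordinary Inside<->Outside or Inside<->Inside traffic
        for ip in (subj, peer):
            block = ip_network(f"{ip}/{prefix}", strict=False)
            convs[block] += 1
            hosts[block].add(ip)
    ranked = sorted(convs, key=lambda b: (-convs[b], -len(hosts[b]), str(b)))
    return [(str(b), convs[b], len(hosts[b])) for b in ranked]


# Constructed Top Conversations excerpt (not lab output).
SAMPLE_FLOWS = [
    ("209.182.185.10", "8.8.8.8"),
    ("209.182.185.22", "1.1.1.1"),
    ("13.107.4.50", "209.182.185.10"),
    ("198.51.100.7", "8.8.4.4"),
    ("10.201.3.20", "8.8.8.8"),      # Inside -> Outside, ignored
]

if __name__ == "__main__":
    print("before classification:")
    for net, n, h in candidate_public_ranges(SAMPLE_FLOWS):
        print(f"  {net}: {n} conversations, {h} distinct hosts")
    print("after adding 209.182.185.0/24 to Inside Hosts:")
    for net, n, h in candidate_public_ranges(SAMPLE_FLOWS, CONFIRMED_NETS):
        print(f"  {net}: {n} conversations, {h} distinct hosts")
```

The ranked output is a list of candidates to confirm with the customer, not a classification: a public service that many customer hosts talk to will score just as high on conversation count as the customer's own block, which is why the distinct-host count and an External Lookup (WHOIS) are needed before anything is added to Catch All.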

1. If not already connected to the Manager Web UI, access the Manager web interface by selecting the Appliances
bookmark folder in Chrome and then selecting the SMC (Web UI) bookmark

a. If prompted for authentication, use:

i. Username: admin

ii. Password: C1sco12345


2. Click the Analyze menu and select Flow Search.

3. In the Search Type field, click Top Conversations

4. For both Subject and Peer, set the Host Groups to Outside Hosts. You will need to click Select and then locate
Outside Hosts in each case.

5. For the Time Range, select Last Hour

6. Click Search

7. In the example results below, IP addresses in the 209.182.185.0/24 range show up several times in the list (in
either the Host or Peer column). This is a good indicator that addresses in the 209.182.185.0/24 network may be
part of the customer-owned network.

NOTE: It may be necessary to use tools outside of SNA to gather additional information about the public IP addresses you are
researching. This could include sites that provide WHOIS, DNS, or IANA registration data. SNA does have some of these tools
available as an External Lookup feature when right-clicking on a Public IP address and going to the External Lookup menu.


8. You have submitted your findings to your customer, and they have confirmed that they do in fact own the
209.182.185.0/24 range and that it should be classified as Inside Hosts because it is “inside their control.” You will now
edit the Catch All host group to add the range.

9. Navigate to Configure > Host Group Management

10. Locate and click on the Catch All host group nested beneath Inside Hosts. Once selected, click Edit.

11. Add in the new 209.182.185.0/24 network


12. Click Save

13. You have successfully discovered public address space in use by the customer and correctly classified it. Proceed to the
next step in the lab.

NOTE: Host Group membership changes only affect new flows processed by the FC after the host group membership is edited. In
this case this means that IP addresses in the 209.182.185.0/24 range will only show as a member of Inside Hosts from this point
forward. If documents are run for time periods in the past before the host group edit was made, the IP addresses that were added
will still show as a member of Outside Hosts as that was for a time period before the change was made.

Correctly classifying the customer’s public IP space will help reduce alarms such as Suspect Data Loss, Suspect Long Flow, and
Beaconing Host that all deal with an Inside Host communicating with an Outside Host.


Classify Public IP Space – Alternate Search Method


While the previous query to locate potential external IP ranges owned by the customer was built by placing Outside
Hosts on both sides of the connection (Subject and Peer), it can also be performed in the Web Client using the Connection
Direction option.

1. Select Analyze, and then Flow Search.

2. In the Search Type drop-down, select Top Conversations.

3. Select Last Hour for the Time Range.

4. Under Subject, click Select.

5. In the Host Group Selector click Outside Hosts, and then click Apply.


6. Click Connection > Direction, and select Within.

7. Do NOT set any Peer information for this search.

8. In the upper-right corner of the form, click Search.

9. It may take some time to run the query. You can watch the completion percentage as it updates. Please be patient, it may
stay at 0% for a bit in our lab environment.


a. When the results return, you will still see 209.182.185.0/24 addresses since these flows were from prior to our
Catch All Host Group modification. Remember, only new flows after changes are made are classified. Previous
flows are never reclassified.

10. Click Jobs > Job Management.

a. Here you can see the jobs that you currently have running. You can Delete jobs, as well as view the job results
when completed by clicking on the Job Name.

b. Some notes about jobs in the Web UI:

i. You can cancel jobs that are in progress or pending but you cannot restart a cancelled job.

ii. Completed and Canceled jobs only stay in this table for a limited amount of time. Flow Search results
with 10,000 or fewer records will be available for 24 hours. Flow Search results with 20,000 or more
results (can only be viewed via CSV download), are available for 7 days.

iii. Jobs in the Web UI use approximately 10,000 flow records per Flow Collector as the default even if
more are available in the period of time you specified in the filter. The maximum flows you can request
is 400,000.

iv. Flow searches with 10,000 records or less, as well as all top reports, run in a different queue than Flow
Searches with 20,000 or more records.

v. You can run a maximum of 4 jobs at the same time with 10,000 records or less each. You can only run
a single report with 20,000 or more records at a time.

11. Once the job completes, it will be listed in the Finished Jobs section of the page, click on its name to go back and view
the Top Conversations document.


12. When the results appear, you will see similar conversations to what we saw in our report previously (Different timeframe).
You would once again need to get confirmation from the customer of the likely owned IP addresses, then after
confirmation, place the correct IP addresses in the Catch All host group. Since we have already completed this task, there
is nothing additional to classify at this time.


Classify Network Scanners


Hosts on the network that perform port scanning can generate large amounts of alarms in SNA. There are often many hosts that
are benign and are performing normal activities based on their function as a vulnerability scanner, network inventory/management
system, or maybe even a poorly developed custom application. It is important to classify known allowed network scanners so that
the hosts that do show up as unknown network scanners generate actionable alarms.

Your customer has provided you with IP data for known network scanners in their network and you have made changes to the
Network Scanners host group to add that data to SNA. You will now check for hosts performing scanning activity to identify them
and then work with the customer to determine if any are authorized network scanners that should also be classified.

To accomplish this task, we will use the Visibility Assessment Dashboard in the Manager Web UI.

NOTE: Beginning with v7.1.x, the Visibility Assessment Dashboard is the recommended Web UI interface to use when attempting
to view Network Scanners in a customer environment.

1. Ensure you are logged in to the SMC via Chrome as the admin user with the password of C1sco12345.

2. Click Dashboards, then Visibility Assessment.

3. You should see a summary line across the top of the Dashboard. Click the # Internal Network Scanners. (Our image
below shows 26)

4. We are presented with a multi-page report of systems performing scanning activity within the network.


5. Select an IP from the document and click the associated View button off to the right.

6. You are shown a popup report related to the scanning activity performed by this host.

7. Review the data then close the Details page by clicking the X in the upper right corner.

8. We have decided to classify this host as a Network Scanner. Click on the IP Address of the Host you are reviewing.

9. You are now on the Host Report page for this IP Address. If desired, review the information here, then click Classify in
the Host Summary section.


10. When the Host Group Selector opens, type network scanner in the search field then press enter.

11. Click on the Network Scanners Host Group, then Click Apply at the bottom.


12. You should see a success message.

13. You could now return to Dashboards > Visibility Assessment if needed and repeat the process as necessary. Do NOT
perform any additional Network Scanner classification at this time.

NOTE: In this lab we randomly picked an IP address to classify as a network scanner. In a customer environment, you
would want to look at the list of hosts that are being identified as network scanners and then verify with your customer
which IP addresses were authorized hosts and then only classify those as network scanners. Do not simply classify every
host identified as a network scanner by adding it to the network scanners host group.


Identify Additional Server Types – Web Servers


You can also identify systems that seem to be acting as various servers on the network from within the web interface. Let’s run
through a simple search procedure to illustrate this process for another service type: Web Services (HTTP).

1. Ensure you are logged in to the Manager Web Client via Chrome as the admin user with the password of C1sco12345.

2. From the Web Interface, select Analyze, then Flow Search.

3. Set Search Type to Top Hosts.

4. Set Time Range to Last 8 Hours.

5. Click the Subject Hosts Groups Select button.


6. Include: Select Inside Hosts

7. Exclude: Select Web Servers

a. Hint: Click Exclude at the top of the tree, then click your selection.


b. Click Apply

8. Your Subject section should look as follows:

9. Select Connection > Direction Inbound

10. Click the Connection > Applications Select button

11. Select HTTP and HTTP (unclassified)

12. Click Apply

13. Click the Peer Host Groups Select button

a. Include: Inside Hosts


b. Exclude: Nothing Selected for exclusion

14. Click Apply

15. Final Filter should look like this. Click Search in the upper-right corner.

16. After processing (it can take a few seconds for results to display) the report should appear similar to the following (It could
vary based on the time of day).


17. To provide the customer the list of matching webservers, you can choose to Export the data by clicking Export, then
selecting Visible Columns in the top-right of the table.

18. The resulting CSV file is downloaded and available in the bottom left corner of the browser window (or your downloads
folder).

19. You have now identified systems servicing HTTP connections within the customer network. You will not classify these
hosts at this time. Remember, if you would like to classify the hosts here in the web interface, you would go to Configure >
Host Group Management. You can continue to move forward with the next exercise.

NOTE: Due to built-in role policies in the product, IP addresses that are a member of the Network Scanners group will not
have Concern Index Points attributed to them for scanning behavior.

NOTE: Classifying certain types of hosts (Network Scanners, Mail Servers, File Servers, Backup Servers, etc.) using the
default host groups in SNA will help reduce alarms. A further benefit of classifying functional server roles is that you or
the customer will be able to identify unauthorized activity on the customer network and report on the traffic generated by
those hosts.

For example; if all authorized NTP servers are defined in the NTP servers host group then one can run a document in SNA
looking for NTP traffic not utilizing the NTP Servers host group. This can identify both hosts that shouldn’t be running that type
of service as a server as well as misconfigured clients that should be utilizing a different NTP server. This can help
standardize configuration, potentially reduce WAN bandwidth, and identify hosts that may have incorrect time clocks due to
pointing at the wrong time source. NTP is only an example. This same methodology could be used for any service or
application where the customer decides to implement a standard configuration and deviation from that configuration is
considered non-optimal.

Scenario Summary
In this scenario, you have used SNA to identify gaps in the customer IP dataset previously provided. Different types of functional
hosts were identified based on the network traffic they were generating and/or terminating. Classifying the customer environment
into Host Groups will be a critically important process you must complete during every SNA deployment.


Scenario 12. Classification of Undefined Applications and Services


SNA uses Services (layer 4) and Applications (layer 7) to classify different types of network traffic. Many default Services and
Applications ship with the product, but SNA will not have a Service/Application defined for all network traffic on the customer
network. SNA is still able to process and report on that traffic, but it will be much more meaningful and helpful to the customer
to have as little Undefined traffic as possible. You will now review the amount of Undefined traffic in the customer
environment and create any applicable Services and Applications, covering how to classify both applications and
services.

Classify Undefined Application


1. Ensure you are logged into the Manager web interface.

2. From within the Manager Web Interface, select Analyze, then Flow Search from the navigation bar.

3. Enter the following Search Criteria:

a. Search Type: Top Ports

b. Search Name: Last 24hr Undefined TCP and UDP Ports

c. Time Range: Last 24 Hours

d. Subject Host Group: Select Include Inside Hosts

e. Peer Host Groups: Select Include Inside Hosts

f. Connection Applications: Select both Undefined TCP and Undefined UDP

g. Connection Direction: Total

h. Advanced Options: Order By = Bytes

4. Click Search.


5. With 24 hours of lab data to process, this can take several minutes to complete. Please be patient. The system is
building a report of all undefined TCP and UDP ports in the last 24 hours, then sorting the document from the port
with the most bytes down to the least.

a. You can monitor the report's progress from this page or via Job Management.

6. When the document returns, you will see in the results that TCP port 22609 appears to be a large percentage of the
unclassified traffic. You will now attempt to gather additional context to help identify the network traffic so it can be
properly classified.

7. Click on the number of Flows associated with this first entry (the number in the Flows column is a link).


8. You will now add a column to this display so we can see the orientation of the connection (Client/Server). Click Manage
Columns.

9. Select Subject from the top menu of the pop-up window, then select the Subject Orientation column.

10. Also add the column for Peer > Peer Orientation.


11. Click Set.

12. The document applies the change, and you will notice host 10.201.1.51 is acting as a server for 22609/TCP with a
client/peer of 10.201.3.20 (you may need to scroll right to see some columns).

a. After providing your customer with the information regarding the hosts involved in the network traffic they were
able to determine that this is from their IP video surveillance system. You will now appropriately classify both the
server and the network traffic.

NOTE: In a customer environment, you would normally focus on classifying the ports that generate the most traffic or generate
the most flows. If there are types of traffic that are immediately recognizable due to your specific knowledge of the customer
environment or industry knowledge, then you may be able to go ahead and create the service or application definition for the
traffic with little to no verification. Otherwise it will require institutional knowledge from the customer to assist with determining
what specific undefined network traffic is.

You can assist the customer with providing additional documents such as Top Hosts or Top Conversations to show the
machines that are generating the type of traffic in question. This additional context can be very beneficial to the customer to
make a determination of what the traffic is. For example, they may have no idea what a specific port number is but upon
seeing that all the hosts involved in the network traffic are backup servers then they will be able to determine the traffic is
generated by the enterprise backup application and then you can classify it accordingly.

13. Click on the 10.201.1.51 IP Address in the document. This takes you to the Host Report for this IP Address. (Your results
may differ from what is represented below)


a. Scroll up and down this screen to notice the wealth of data provided about the host in question.

14. Click Classify.

15. The Host Group Selector opens. You will see that the host is already classified as a system in Atlanta. We need to create
a new Host Group for Camera Servers, but we cannot do that from here. Click Cancel in the Classify Hosts editor.

16. To create a new Host Group, we need to select Configure > Host Group Management.

17. Using the Filter by Host Group Name field, enter servers, and then press Enter.

18. Once the list is filtered, click the Action icon associated with Servers, and then click Add Host Group.


19. In the New Host Group window that appears, enter the following values to configure the new host group for Camera
Servers, and then click Save to proceed:

a. Host Group Name: Camera Servers

b. IP Address and Ranges: 10.201.1.51

c. Click Save

NOTE: Now that the camera server is classified in a host group you will be able to restrict the Application classification just to traffic
targeted at that host group. As an added benefit, when this host appears in SNA documents its host group membership will display
that it is a camera server to give additional context to the customer as well as allowing them to run reports against the host group.
You will now create the Application for the security camera traffic.

20. Click the Configure > Applications menu item.


21. Click Add Custom Application.

22. Use the following values to configure the Security Camera Video application:

a. Name: Security Camera Video

b. Description: Streaming security camera video feeds

c. Port/Protocol: 22609/TCP

d. Change the Server field to Host Group and click the Select button. The Host Group Selector window now
appears. Navigate the Enterprise Tree to find the Camera Servers host group you recently created (Inside Hosts
>By Function > Servers > Camera Servers) and select the Camera Servers host group. Click the Apply button
once the selection has been made.


23. Click Add to Rules.

24. Your application rule entry is added to the App Rules list. Click Save.

25. Click Apply to apply your changes.

26. You have successfully identified unknown traffic by port, created definitions for previously unclassified network traffic,
created a Host Group, and assigned a known host to this group by IP Address. Proceed to the next step in the lab.

NOTE: Only new flows targeted at the Camera Servers host group using TCP/22609 will be classified as the Security Camera
Video application. Previous flow records will not be recategorized with the new application definition – only flows from this point
onward.

Classify Undefined Service


Services are an OSI layer 4 method of classifying network traffic in SNA. It is a best practice to classify services as well as
applications. You will now go through the service classification process for the network traffic you identified in the previous step.

1. Ensure you are logged into the Manager web UI as the admin user.

2. Click the Configure menu and select Services.

3. Click Add New.

4. Use the following values to configure the Security Camera Video service:

a. Name: Security Camera Video

b. Port/Protocol: 22609/TCP


5. Click Save.


OPTIONAL - Classify Additional Server Types


This section is optional. If you want more practice (possibly later today or tomorrow), use the steps defined earlier to
identify hosts acting as a server for a particular type of network traffic, then add the appropriate hosts to an existing Host
Group or, if necessary, create a new Host Group. Assume that the top 2-3 hosts acting as a server in each resulting report are
legitimate for the customer environment and should be classified. Once you have classified the server types below you may
proceed to the next step in the lab. You do not have to complete all 5 Host Group assignments listed here, but attempt as
many as you need to become familiar with the process.

Using the previous methodologies, identify hosts acting as a server for the following server types, and create/define any necessary
Host Groups:

• MS SQL Server (TCP port 1433, UDP port 1434)

• Oracle SQL Server (TCP port 1521)

• FTP (TCP port 21)

• Remote Desktop (TCP port 3389)

• DHCP (UDP port 67)

OPTIONAL - Classify Additional Services & Applications


This section is optional. If you want more practice (possibly later today or tomorrow), use the steps defined earlier for
creating Application definitions to create entries in the Manager for the following types of common network traffic, which may
not already have an entry (or may not have all of their ports defined) on your Manager. Create both a Service definition and an
Application definition for each entry. Once you have created the service and application for the network ports below you may
proceed to the next section of the lab. You do not have to complete all 3 Application/Service assignments listed here, but
attempt as many as you need to become familiar with the process.

Using the previous methodologies, identify Network traffic that should be defined as both a new Service and Application, and
complete the necessary configuration:

• SIP (UDP ports 5060-5061)

• Symantec Endpoint Protection (TCP port 8014)

• Commvault (TCP ports 8400-8402)

Scenario Summary
In this scenario, you have used SNA to identify gaps in the customer Application and Services dataset. Network traffic that didn’t
have a service or application definition was classified/created as necessary. Classifying the customer environment is a critically
important process you must complete during every deployment.


Scenario 13. Cisco ISE Integration (Identity Services Engine)


Cisco ISE can be integrated with SNA to take in user identity data and even to leverage pxGrid in order to quarantine users.
Identity data is used to correlate network traffic with user identity as well as show detailed endpoint device data. The integration
process involves the following aspects:

• Ensuring the SMC trusts the root CA that signs certificates in use by the ISE nodes (and the nodes themselves)

• Configure ISE to communicate with the SMC via pxGrid

• Authenticate from the SMC to ISE with a trusted certificate issued by the ISE CA

• Add entries for all ISE Management and Policy nodes in the SMC console

The ISE administrator has already configured the ISE appliance as required for pxGrid operation, but we need to ensure the ISE
appliance and the SMC trust each other and verify that user identity data is being processed correctly.

1. Open a new tab in Chrome and click the shortcut for ISE.

2. Click the Advanced button and then the Proceed link when presented with the certificate warning. (Clicking through a
certificate warning is acceptable only in this isolated lab, where the workstation does not trust the ISE admin certificate;
in a customer environment, install a certificate the workstation trusts instead of bypassing the warning.)

3. Login to the Identity Services Engine (ISE) using:

a. Username: admin

b. Password: Cisco12345

c. Click Login

4. Click Accept and close to dismiss the lab License Warning.


5. Click Administration then click pxGrid Services from the pop-up menu.

6. Click the Certificates menu option which will present the Generate pxGrid Certificates page.

7. Complete the form as follows:

a. Click in the I want to field and select Download Root Certificate Chain

b. Click in the Host Names field and select admin

c. Click in the Certificate Download Format field and select the PEM option

d. Click Create


8. When the Save As page opens, change the File Name to ISE-CA-ROOT-CHAIN then click Save

9. Click the symbol on the right of the ISE-CA-ROOT-CHAIN.zip file at the bottom of Chrome, then click Show in folder.

10. Right-click the ISE-CA-ROOT-CHAIN.zip file and click on Extract All…

11. Click Extract

12. Close both File Browser windows and leave the Chrome web browser open.

13. Access the SNA Manager web interface by selecting the Appliances bookmark folder in Chrome and then selecting the
SMC (Web UI) bookmark

a. If prompted for authentication, use:

i. Username: admin

ii. Password: C1sco12345

14. Click the Gear icon (Global Settings) at the top right side of the Manager page, then click Central Management.

15. On the Central Management page, locate the SMC Manager appliance and click its associated Action Icon, then select
Edit Appliance Configuration.

16. Click General.

17. Scroll down until you see Trust Store and click Add New.

18. Type ISE-CA-ROOT-CHAIN in the Friendly Name field, then click Choose File.

19. Navigate to WKST1 > Downloads and double-click the ISE-CA-ROOT-CHAIN folder

20. Click on the CertificateServicesRootCA-admin_ file and then click Open

21. Click Add Certificate

22. You should now see the newly added certificate in the SMC Trust Store (you may need to scroll down in the Trust Store).
The SMC will now trust certificates issued by the ISE CA.

23. Click the Appliance tab

24. Scroll down until you see the Additional SSL/TLS Client Identities section and click Add New

25. It will ask if you need to generate a CSR, leave Yes selected and click Next.

26. Fill out the CSR as follows:

a. RSA Key Length: 4096 bits

b. Organization: Customer ORG

c. Organizational Unit: Customer OU

d. Locality or City: San Jose

e. State or Province: California

f. Country Code: US

g. Email Address: [email protected]

27. Click Generate CSR

28. Click Download CSR

29. Click Save on the Save As pop-up

30. Right-click the SMC-clientidentity.csr file at the bottom of Chrome and click on the Show in folder option.

31. Right-click the SMC-clientidentity.csr file and select Edit with Notepad++

32. Click Edit then click Select All in Notepad++

33. Right-click on the highlighted text and select Copy

34. Return to the Identity Services Engine Chrome browser tab

35. Click Reset to clear the form

36. Fill out the Generate pxGrid Certificates form as follows:

a. In the I want to field, select Generate a single certificate (with certificate signing request)

b. Right-click in the Certificate Signing Request Details field and click Paste. This should paste the certificate info
obtained from Notepad++ earlier.

c. Type SMC in the Description field

d. Select IP Address in the SAN field and enter 198.19.20.136 as the associated IP Address

e. Select PKCS12 format as the Certificate Download Format option.

f. Enter C1sco12345 in both password fields

37. Click Create

38. Set the File name to SMC-PXGRID then click Save

39. Right-click the SMC-PXGRID.zip file at the bottom of Chrome and click on Show in folder

40. Right-click the SMC-PXGRID.zip file and select Extract All…

41. Click Extract

42. Close all open file browser windows but leave Chrome open.

43. Return to the SMC Appliance Configuration tab in Chrome and enter a Friendly Name of SMC-PXGRID in the Add
SSL/TLS Client Identity form, then click Choose File

44. Click Downloads on the left side of the Open page that appears.

45. Double-click the SMC-PXGRID folder

46. Click the SMC.dcloud.cisco.com… file and click Open.

47. Enter C1sco12345 in both the Bundle Password and Confirm Password fields.

48. Click Add Client Identity

49. You should now see the SMC-PXGRID client certificate

50. Click the Network Services tab.

51. Scroll down to the Local Resolution section. You will now add in a local DNS host name resolution entry for the SMC to
talk to the ISE node. (This is only required due to the lab environment. In a production customer environment that has fully
functional DNS and the Manager appliance can resolve the name of the ISE nodes, this is not required. Please continue
to perform the steps below in the lab.)

52. Click Add New.

53. Enter the following values:

a. Host Name: admin.dcloud.cisco.com

b. Host IP Address: 198.19.20.141

54. Click Add.

55. The local host name record for ISE is displayed.

56. Click Apply Settings

57. Click Apply Changes

58. Wait at the Inventory page until the SMC Appliance Status transitions from Config Changes Pending to Up. Refresh the
page as needed to check the status.

59. Return to the SMC Web UI within your Chrome browser (Open a new tab if needed and click the SMC bookmark).

60. Click Deploy, then select Cisco ISE Configuration.

61. Click Add new configuration on the Cisco ISE Configuration page.

62. Configure the ISE Configuration form as follows:

a. Cluster Name: ISE-CLUSTER

b. Certificate: SMC-PXGRID

c. Primary PxGrid Node: 198.19.20.141

d. Client Name: SMC-PXGRID

e. Uncheck Enable strict ISE Server Identity Verification. (This is for the lab environment only; in a customer
environment, leave this option enabled so that the ISE server certificate is validated correctly.)

f. Check all the boxes for all integration options.

63. Click Save

64. You should see a success message. Click OK.

65. Click the ISE-CLUSTER Status Circle Icon to validate the connection. You may see that it is not yet connected, or only
partially connected. Click the refresh icon near the status circle to refresh the status.

66. Continue to check the status, clicking the refresh icon as needed, until it shows Connected.

NOTE: Within our dCloud lab environment, we both simulate ISE activity and run a live single ISE node. The simulated system will
push user information (login/logout events) at specific points throughout the day.

67. Close the Downloaded files bar at the bottom of Chrome by clicking the X all the way to the right.

68. Return to the SMC Web UI in Chrome.

69. Click Monitor > Users.

70. Notice that we can see User data within the interface. Note the user count in the upper left-hand corner. Also, notice the
table that displays the users along with associated category index information. If you do not yet see User data, it may be
that the required connections have not yet occurred. Be patient or check back later if you prefer to proceed with the
remaining labs right away.

71. You have successfully configured Cisco ISE integration via pxGrid and verified identity data is coming in correctly from
ISE to the SMC.

Scenario Summary
In this scenario, you have configured Cisco ISE Integration with SNA and validated its functionality.

Scenario 14. Configure the AD LDAP Lookup Feature


You have already integrated your customer’s Cisco ISE deployment into SNA to obtain user identity data and associate it with flow
data. Your customer utilizes Active Directory and would like to be able to query the directory for additional user information when
accessing identity data in SNA. You will now perform the configuration for the AD Lookup feature.

NOTE: Cisco ISE is one method of obtaining user identity data. Depending on customer configuration the Cisco ASA/FTD firewall
(and certain other vendor firewalls) can supply user identity data to SNA independently of Cisco ISE. Some customers may not
have ISE but do have user identity data through another source and could benefit from the AD lookup feature. It is important to
note that the AD Lookup feature only retrieves user details for user identity data already in SNA from some other source such as
Cisco ISE or the ASA. The AD Lookup feature by itself will not provide any data or benefit without user identity data already in
SNA.

1. Return to the SMC Web UI in your Chrome browser, or by selecting the SMC bookmark from the Chrome web browser
window. Ensure you are logged in as the admin user with a password of C1sco12345.

2. Click the Deploy menu, and then select the Active Directory menu item.

3. Click Add new configuration.

4. Complete the configuration using the values supplied below and click the Save button.

a. Name: Customer AD Environment

i. The defined name of the AD instance you are connecting to. This is not related to the actual AD DNS or
NT domain name.

b. Description: Customer AD Instance 01

i. Optional description of the environment. The customer may have multiple AD environments. This would
be a place to differentiate them.

c. Host: 198.19.20.10

i. The FQDN or IP address of the AD server to connect to

d. Port: 389

i. The port number to connect over. For unsecured LDAP use port 389. This sends the bind username and
password used to pull back the data across the network in cleartext. If the customer does not have a
certificate installed on their AD server, then unsecured LDAP on port 389 is the only option. However, if
the AD server supports secure LDAP (LDAPS), then use port 636 as a best practice.

e. SSL: Unchecked

i. If port 389 is being used for unsecured LDAP, then leave this unchecked. If port 636 is being used to
connect to a domain controller with a certificate installed, then place a checkmark in the box.

f. Base DN: OU=Sandbox,DC=dcloud,DC=local

i. The LDAP path for the DN (Distinguished Name) of the level in the customer’s directory that the search
for user data should begin at. Whatever value is specified for this setting, only user data that exists at
this DN or lower will be retrieved.

ii. Example: If a user account’s DN was “CN=BobRoss,OU=CorpLearning,DC=dcloud,DC=local” and the
value of the Base DN setting was “OU=Sales,DC=dcloud,DC=local”, the BobRoss user would not be in
the path to be queried and would never return a result.

iii. However, if the Base DN value was “DC=dcloud,DC=local” then the BobRoss user would be returned
as its path is a child object of the Base DN path.

iv. Capitalization does matter on LDAP paths. Be sure to obtain valid settings from your customer prior to
implementing the feature in production.

g. Bind DN: CN=Moe,OU=Sandbox,DC=dcloud,DC=local

i. The Bind DN value is the DN of the user account that SNA will use to authenticate to the customer AD
instance and retrieve user data. This does NOT have to be a user with administrative access. Normal
“Domain User” group permissions are acceptable for AD structures with default permissions. If the
customer has customized their OU structure permissions, the user account simply needs the permissions
to read user attributes.

h. Password: C1sco12345

i. Password for the user account specified in the Bind DN setting
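An added example, not part of the lab guide, that models the Base DN scoping described above: a user record is only retrievable when its DN sits at or below the configured Base DN. The Moe and BobRoss DNs are the ones from this scenario; the other directory entries are constructed.

```python
"""Added example (not from the lab guide): which user DNs fall under a Base DN."""
from typing import List


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN components, most specific first.

    A backslash escapes the following character, so a comma inside a value
    (e.g. 'CN=Smith\\, John') does not start a new component.
    """
    parts: List[str] = []
    current: List[str] = []
    escaped = False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    parts.append("".join(current).strip())
    return parts


def is_under_base_dn(user_dn: str, base_dn: str, case_sensitive: bool = True) -> bool:
    """True if user_dn equals base_dn or is a descendant of it.

    The lab guide states that capitalization matters on LDAP paths, so the
    comparison is exact by default; case_sensitive=False relaxes it.
    """
    user = split_dn(user_dn)
    base = split_dn(base_dn)
    if not case_sensitive:
        user = [p.lower() for p in user]
        base = [p.lower() for p in base]
    if len(base) > len(user):
        return False
    # A descendant's DN ends with the complete Base DN component list.
    return user[-len(base):] == base


def in_scope(user_dns: List[str], base_dn: str) -> List[str]:
    """Subset of user_dns that an AD lookup rooted at base_dn could return."""
    return [dn for dn in user_dns if is_under_base_dn(dn, base_dn)]


# Constructed directory entries; Moe and BobRoss are the DNs used in the guide.
DIRECTORY = [
    "CN=Moe,OU=Sandbox,DC=dcloud,DC=local",
    "CN=BobRoss,OU=CorpLearning,DC=dcloud,DC=local",
    "CN=Smith\\, John,OU=Sales,DC=dcloud,DC=local",
]

if __name__ == "__main__":
    for base in ("OU=Sandbox,DC=dcloud,DC=local",
                 "OU=Sales,DC=dcloud,DC=local",
                 "DC=dcloud,DC=local"):
        print(base, "->", in_scope(DIRECTORY, base))
```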

5. Click Save.

6. You will receive a confirmation if the connection could be established. Click OK.

7. The saved AD Lookup Configuration instance will be shown on the screen.

NOTE: It is possible to have multiple configuration entries. This may be necessary if the customer has multiple LDAP directories,
multiple AD domains, or must specify multiple Base DN paths in the same directory.

8. You will now verify that SNA is pulling data correctly from the customer AD environment. In the SNA web interface, click
the Monitor menu, and then select the Users menu item.

9. Sort the Users page by the User Name column by clicking the up/down triangles in the User Name column header.

10. Scroll down the Users page, look for the entry for the user ken, and then click the link for the ken user. You can
alternatively enter the URL https://198.19.20.136/lc-landing-page/smc.html#/userentity/ethel

11. The User Info page now displays, showing details from Active Directory for Ethel, alarm data for the user from SNA, and
a list of devices the user has authenticated from. The fields shown are the values retrieved from the customer’s directory
such as the email address and phone number.

12. You have successfully configured the AD lookup feature and your customer is able to query their directory for user data
that appears in SNA.

Scenario Summary
In this scenario, you have configured the AD lookup feature to allow the customer to gather further details about the user accounts
that appear in the identity data imported through Cisco ISE or other integrations that provide username information to SNA.

Scenario 15. Creating a Report


Once flow data is being properly classified within the customer environment, you can use SNA for more in-depth reporting. There
are several report types built into the web UI that you can use to accomplish your customer’s goals. In this scenario, your
customer has requested that you build a report in SNA that shows HTTP/S traffic utilization and another that shows alarms being
generated in the environment. You will now use the Report Builder to accomplish that.

Using Report Builder


1. Ensure you are logged into the Manager web UI on the SMC appliance.

2. Click Dashboards and select Report Builder.

3. Click Create New Report

4. There are several different report templates to choose from. Select the Host Group Application Traffic template and
then scroll down the page to see the template configuration parameters.

5. Use the following values to configure the parameters for the report:

a. Time Range: Last 12 Hours

b. Host Group: Inside Hosts

c. Applications (Include): HTTP, HTTP (unclassified), HTTPS, HTTPS (unclassified)

6. Click Run.

7. The report generates a traffic graph displaying the amount of network traffic utilized by the HTTP applications you
selected. Scroll down and you can view specific time data points for the graph shown in table view.

8. Click +Add Chart.

9. Select Pie Chart and click Select.

10. The additional chart is added to the report, showing the percentage of traffic generated by each application.

11. Scroll up to the top of the page and click Save.

12. When prompted for the Report Name, enter HTTP Traffic Usage and click Save.

13. Click the All Reports tab. Notice that the saved HTTP Traffic Usage report is shown as an option to open at the bottom.

14. Click Create New Report.

15. Select the Alarms report template and scroll to the bottom of the page.

16. Configure the following parameters:

a. Time Range: First Start Active and/or Last Active Time

b. Start Active Range: Last 24 Hours

c. End Active Range: Last 24 Hours

d. Flow Collector: fcnf

17. Click Run.

18. A graph over time showing all Host Alarms is displayed.

19. Scroll down the page to see the table data for alarm details.

20. Click +Add Chart.

21. Select Pie Chart and click Select.

22. The pie chart makes it easy to see which alarm types are being generated most often.

23. Scroll up to the top of the page and click Save.

24. When prompted for the Report Name, enter Alarms Last 24 Hours and click Save.

25. Click the All Reports tab. Notice that the saved report is shown as an option to open at the bottom.

Scenario Summary
In this scenario, you created two reports to allow application traffic and alarm data to be viewed more easily. The reports have
many templates and options to customize for your customer. Continue with the labs but plan on spending more time reviewing the
different report options in the web UI at a later time to become more familiar with the feature.

Scenario 16. Response Management


The Manager can send various types of notifications when an alarm in the product triggers. You will now configure SNA to notify
the customer’s SIEM and SNA admins when important alarms trigger. This will involve configuring syslog communication and
defining the rules that control when a notification is sent.

NOTE: Every deployment of SNA should be configured to notify the customer of System alarms concerning the health of the SNA
appliances. Early in the deployment it may not be warranted to enable “Host” alarms dealing with the behavior of hosts on the
network until the product has undergone more tuning. However, System alarms should always be enabled and configured so that
the customer receives a notification that an issue has occurred. Responding to System alarms can help prevent larger issues from
occurring with the product.

As an example, a RAID drive failure message that is ignored for weeks or months or that was never sent due to System alarms
never being enabled can require an appliance RMA and loss of service for an extended period of time. If the alarm was noticed in
a timely manner, then corrective action can be taken to prevent loss of service. SNA can monitor certain aspects of its own health
and it is important for these alarms to be monitored.

Create SNA System Alarms


1. Ensure you are using the SNA Web Client. If needed, login as admin with a password as C1sco12345

2. Click the Configure menu and select Response Management.

3. There are several default Response Management rules created in the console as examples. You will create new
Response Management rules for this environment without using the existing rules.

4. Click the toggle switch in the Enabled column of each enabled rule to disable it. Every toggle should be in the left
position and colored grey.

5. Before you create Rules, you must create the Actions that the rule criteria will trigger. Select the Actions tab.

6. Click Add New Action and select Email.

7. Use the following values to configure the action parameters:

a. Name: Email to SOC

b. Description: Email for the security operations center.

c. To: [email protected]

8. SNA will automatically fill in the Subject and Body fields when it generates the alarm. You do not need to specify a value
unless specific text is required from the customer. Click Save.

NOTE: You can either select existing users of SNA that have email addresses defined in their Manager account or type in a new
email address manually.

9. You will now add a Syslog Format so that syslog messages can be sent with a Response Management rule when alarms
trigger. Click the Syslog Formats tab and select Add New.

10. Configure the Name field to be Customer SIEM Instance 01

NOTE: Different SIEM or syslog server solutions have different methods of parsing data. SNA can be configured to support
whatever format the customer prefers. The MSG Parts allow variables to be inserted in the message to reference data in the
alarms that SNA generates. Review with the customer which MSG Parts would be helpful and ensure that the syslog destination
can parse the message correctly. Below is a sample syslog format. Multiple syslog formats can be created; it may be helpful to
have different fields for different types of alarms.

Cisco SNA Notification:{alarm_type_id},{alarm_type_name},{alarm_severity_id}, msg={alarm_type_description}:{details}
dst={target_ip} src={source_ip} start={start_active_time} end={end_active_time} cat={alarm_category_name}
externalId={alarm_id} cs3={source_host_group_names} cs3Label=SourceHostGroups cs4={target_host_group_names}
cs4Label=TargetHostGroups cs5={source_url} cs5Label=Source_URL cs6={target_url} cs6Label=Target_URL dpt={port}
proto={protocol} dvchost={device_name} dvc={device_ip} dvcpid={domain_id} deviceExternalId={device_name}

11. Copy and paste the syslog format text below into the message field:

Cisco SNA Notification:{alarm_type_id},{alarm_type_name},{alarm_severity_id}, msg={alarm_type_description}:{details}
dst={target_ip} src={source_ip} start={start_active_time} end={end_active_time} cat={alarm_category_name}
externalId={alarm_id} cs3={source_host_group_names} cs3Label=SourceHostGroups cs4={target_host_group_names}
cs4Label=TargetHostGroups cs5={source_url} cs5Label=Source_URL cs6={target_url} cs6Label=Target_URL
dpt={port} proto={protocol} dvchost={device_name} dvc={device_ip} dvcpid={domain_id} deviceExternalId={device_name}

a. Alternate Option: Instead of copying and pasting, you may choose to manually add the alarm variables to the
message. Choose the following alarm variables from the right selection window and add them to the Message
configuration by clicking Alarm Variables. Place a comma (or some other character as a delimiter) between
each variable to separate the variables from one another.

i. Alarm_id

ii. Alarm_severity_name

iii. Alarm_status

iv. Alarm_type_name

v. Details

vi. Time

12. Click Preview to view a sample output of your syslog format.
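An added example, not part of the lab guide, that does what Preview does for the syslog format above: it substitutes the alarm variables into the format text from this scenario and then parses the result the way a SIEM would. The alarm record, including its IP addresses and IDs, is constructed for illustration; the variable substitution and key=value parsing are modelled here, not SNA's own code.

```python
"""Added example (not from the lab guide): render the custom syslog format
and parse it SIEM-side."""
import re
from typing import Dict, List

# The format text from the lab, as one line (the guide shows it wrapped).
SYSLOG_FORMAT = (
    "Cisco SNA Notification:{alarm_type_id},{alarm_type_name},{alarm_severity_id}, "
    "msg={alarm_type_description}:{details} dst={target_ip} src={source_ip} "
    "start={start_active_time} end={end_active_time} cat={alarm_category_name} "
    "externalId={alarm_id} cs3={source_host_group_names} cs3Label=SourceHostGroups "
    "cs4={target_host_group_names} cs4Label=TargetHostGroups cs5={source_url} "
    "cs5Label=Source_URL cs6={target_url} cs6Label=Target_URL dpt={port} "
    "proto={protocol} dvchost={device_name} dvc={device_ip} dvcpid={domain_id} "
    "deviceExternalId={device_name}"
)

# Constructed alarm record; every value here is made up for the example.
SAMPLE_ALARM: Dict[str, object] = {
    "alarm_id": 1234567,
    "alarm_type_id": 101,
    "alarm_type_name": "High Total Traffic",
    "alarm_severity_id": 5,
    "alarm_type_description": "Total traffic exceeded",
    "details": "Observed 1.2G bytes",
    "target_ip": "198.19.20.50",
    "source_ip": "198.19.20.77",
    "start_active_time": "2022-11-14T10:00:00Z",
    "end_active_time": "",  # alarm still active, so no end time yet
    "alarm_category_name": "Anomaly",
    "source_host_group_names": "Inside Hosts",
    "target_host_group_names": "Inside Hosts",
    "source_url": "",
    "target_url": "",
    "port": 443,
    "protocol": "tcp",
    "device_name": "fcnf",
    "device_ip": "198.19.20.135",
    "domain_id": 123,
}

VARIABLE = re.compile(r"\{([a-z_]+)\}")


def variables_in(fmt: str) -> List[str]:
    """Distinct alarm variables a format references, in order of first use."""
    return list(dict.fromkeys(VARIABLE.findall(fmt)))


def missing_variables(fmt: str, alarm: Dict[str, object]) -> List[str]:
    """Variables the format needs but the alarm record does not carry."""
    return [v for v in variables_in(fmt) if v not in alarm]


def render(fmt: str, alarm: Dict[str, object]) -> str:
    """Substitute each {variable}. An unset variable renders as an empty
    value so the key= stays in place and the SIEM parser still sees the field."""
    return VARIABLE.sub(lambda m: str(alarm.get(m.group(1), "")), fmt)


# A value runs until the next " key=" so values with spaces (host group
# names, the msg text) survive parsing; the free text before msg= is skipped.
KEY_VALUE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")


def parse_kv(message: str) -> Dict[str, str]:
    """SIEM-side parse of the key=value pairs in a rendered message."""
    return {key: value for key, value in KEY_VALUE.findall(message)}


if __name__ == "__main__":
    line = render(SYSLOG_FORMAT, SAMPLE_ALARM)
    print(line)
    for key, value in parse_kv(line).items():
        print(f"{key:>17} = {value!r}")
```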

13. You may make any changes you wish to the syslog format by adding or removing MSG Parts.

14. Click Save when finished to save the syslog format. You have created the syslog format but have not yet created the
Action that will use the syslog format.

15. Click the Actions tab and select Add New Action.

16. Select Syslog Message.

17. Configure the following parameters in the Syslog Message Action window pane

a. Name: Syslog to SIEM

b. Syslog Server Address: 198.19.20.134

c. UDP Port: 514

d. Message Format: Custom

e. Syslog Format: Customer SIEM Instance 01

18. Click Save.

NOTE: You can have multiple instances of the same action type. For instance, you may need multiple syslog
formats, or there may be multiple syslog servers or SIEMs that need the data. Multiple email actions can be defined
as well, each with different options.

19. You have created the actions needed for the Response Management rules to send an email and send a syslog message.
You will now create the rules that reference the actions.

20. Click the Rules tab, click Add New Rule, and select FlowCollector System Alarm.

21. On the new system alarm, configure the following values:

a. Name: SOC - FC System Alarms

b. Description: Send FC system alarms to the SOC via syslog and email

22. You will now add conditions to the rule that cause it to trigger. Click the + (plus symbol) in the “Rule is triggered if” section.

23. Change the condition from Severity to Type and click the drop down menu to view the different types of FC system
alarms. You can choose to specifically send notifications on certain types of alarms rather than all FC alarms.

24. After reviewing the available system alarms, change the Type value to Severity and verify that Informational is selected.
This configuration will trigger on any FC System alarm without having to manually specify all alarm types.

25. In the Associated Actions section enable the two actions below by toggling the Assigned switch to the right so it is
colored blue.

a. Email to SOC

b. Syslog to SIEM

NOTE: It is possible to have an action trigger when the alarm becomes active and when the alarm becomes inactive. There are
use cases for having an action trigger on both but many customers will simply use just a single action when an alarm becomes
active.

26. Click the Save button.

27. Your newly created rule is shown in the rule list.

NOTE: System alarms deal with issues pertaining to the SNA appliances or health of the product. Exporter or Interface alarms deal
with bandwidth utilization for exporters as well as several Flow Sensor system alarms. Host Alarms deal with security related items
for the hosts being monitored with SNA. Host Group Relationship Alarms deal with cumulative traffic between host groups.

28. Click Add New Rule and select Manager System Alarm.

29. On the new system alarm, configure the following values:

a. Name: SOC - FC System Alarms

b. Description: Send FC system alarms to the SOC via syslog and email

30. You will now add conditions to the rule that cause it to trigger. Click the + (plus symbol) in the “Rule is triggered if” section.

31. Change the condition from Severity to Type and click the drop down menu to view the different types of Manager system
alarms. You can choose to specifically send notifications on certain types of alarms rather than all alarms.

32. After reviewing the available system alarms, change the Type value to Severity and verify that Informational is selected.
This configuration will trigger on any Manager system alarm without having to manually specify all alarm types.

33. In the Associated Actions section enable the two actions below by toggling the Assigned switch to the right so it is
colored blue.

a. Email to SOC

b. Syslog to SIEM

34. Click the Save button.

35. Your newly created rule is shown in the rule list.

36. You will now add in an Exporter or Interface Alarm rule. Click Add New Rule and select Exporter or Interface Alarm.

37. On the new system alarm, configure the following values:

a. Name: SOC - Exporter System Alarms

b. Description: Send Exporter system alarms to the SOC via syslog and email

38. You will now add conditions to the rule that cause it to trigger. Click the + (plus symbol) in the “Rule is triggered if” section.

39. Change the condition from Severity to Type and click the drop down menu to view the different types of Exporter system
alarms. You can choose to specifically send notifications on certain types of alarms rather than all alarms.

40. Add in the following criteria to the rule:

a. Type is FlowCollector Flow Data Lost

b. Type is FlowCollector Longest Duration Export Exceeded

c. Type is FlowSensor Management Channel Down

d. Type is FlowSensor RAID Failure

e. Type is FlowSensor RAID Rebuilding

f. Type is FlowSensor Time Mismatch

g. Type is FlowSensor Traffic Lost

41. Ensure that the setting at the top of the pane is set to “ANY of the following is true.” If it is set to ALL, then all conditions
must match before the rule triggers. A single alarm can only have one Type, so all of these conditions could never be true at
once and the rule would never trigger.
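An added example, not part of the lab guide, that models how the Response Management rules from this scenario decide to fire, including the ANY-versus-ALL point in step 41. The rule names, actions and Exporter alarm types are the ones configured above; the alarm records are constructed, and treating "Severity: Informational" as "at least Informational" (so that it matches every alarm of that class) is an assumption of the model.

```python
"""Added example (not from the lab guide): Response Management rule evaluation."""
from dataclasses import dataclass, replace
from typing import Dict, List, Tuple

# Assumed ordering, lowest first, so "at least Informational" matches everything.
SEVERITY_ORDER = ["Informational", "Minor", "Major", "Critical"]


def _severity_rank(name: str) -> int:
    return SEVERITY_ORDER.index(name) if name in SEVERITY_ORDER else 0


@dataclass(frozen=True)
class Condition:
    attribute: str  # "type" (exact match) or "severity" (at least)
    value: str

    def matches(self, alarm: Dict[str, str]) -> bool:
        if self.attribute == "severity":
            return _severity_rank(alarm.get("severity", "")) >= _severity_rank(self.value)
        return alarm.get(self.attribute) == self.value


@dataclass(frozen=True)
class Rule:
    name: str
    alarm_class: str                  # the rule type chosen under Add New Rule
    conditions: Tuple[Condition, ...]
    actions: Tuple[str, ...]
    match_any: bool = True            # "ANY of the following is true" vs ALL
    enabled: bool = True              # the Enabled toggle in the rule list

    def triggered_by(self, alarm: Dict[str, str]) -> bool:
        if not self.enabled or alarm.get("class") != self.alarm_class:
            return False
        results = [c.matches(alarm) for c in self.conditions]
        return any(results) if self.match_any else all(results)


def variant(rule: Rule, **changes) -> Rule:
    """Copy of a rule with some fields changed (e.g. match_any=False)."""
    return replace(rule, **changes)


ACTIONS = ("Email to SOC", "Syslog to SIEM")

# The seven Type conditions from step 40.
EXPORTER_TYPES = (
    "FlowCollector Flow Data Lost",
    "FlowCollector Longest Duration Export Exceeded",
    "FlowSensor Management Channel Down",
    "FlowSensor RAID Failure",
    "FlowSensor RAID Rebuilding",
    "FlowSensor Time Mismatch",
    "FlowSensor Traffic Lost",
)

RULES = (
    Rule("SOC - FC System Alarms", "FlowCollector System",
         (Condition("severity", "Informational"),), ACTIONS),
    Rule("SOC - Exporter System Alarms", "Exporter or Interface",
         tuple(Condition("type", t) for t in EXPORTER_TYPES), ACTIONS),
)


def actions_for(alarm: Dict[str, str], rules: Tuple[Rule, ...] = RULES) -> List[str]:
    """Distinct actions to run for an alarm, in rule order."""
    fired: List[str] = []
    for rule in rules:
        if rule.triggered_by(alarm):
            fired.extend(a for a in rule.actions if a not in fired)
    return fired


if __name__ == "__main__":
    # Constructed alarm: a Flow Sensor stops seeing traffic.
    lost = {"class": "Exporter or Interface", "type": "FlowSensor Traffic Lost",
            "severity": "Major"}
    print("ANY:", actions_for(lost))
    all_rules = tuple(variant(r, match_any=False) for r in RULES)
    print("ALL:", actions_for(lost, all_rules))  # nothing fires
```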

42. In the Associated Actions section enable the two actions below by toggling the Assigned switch to the right so it is
colored blue.

a. Email to SOC

b. Syslog to SIEM

43. Click the Save button.

44. Your newly created rule is shown in the rule list.

45. You can find out more information about the specific types of system alarms by utilizing the SNA online help. Click the
user outline icon in the top right of the Manager web UI and select Help.

46. Type Alarm List in the search field and click the search icon (magnifying glass).

47. In the results you will see entries for the different system alarms in SNA. Click the link for Alarm List: Exporter/Interface
Alarms.

48. Detailed information about what each alarm type means is displayed. Review and then close the browser tab containing
the online help article.

NOTE: In production, you should follow-up with the customer and verify there is a workflow in place to respond to the alarms being
generated by the Manager. If the Manager sends out the notifications but the customer doesn’t investigate the issue, then nothing
was achieved by the notification.

Scenario Summary
In this scenario, you have created System Alarms to help monitor the health of SNA itself. You have configured the syslog
message format to send to the customer SIEM, created actions to send syslog and email notifications, created system alarm
rules for SNA, and reviewed the help article describing the types of system alarms available and what they mean.


Scenario 17. Configure Appliance SNMP Agent


The customer wishes to monitor the SNA appliances via their network operations performance monitoring system and the SNMP
protocol. They have asked you to configure the appliances so the monitoring system can access them via SNMP.

NOTE: It is a best practice to always have the customer monitor the appliances via an external mechanism such as SNMP & ICMP
polling and verifying that TCP/443 is open on the appliances. There are many ways to remotely monitor the appliances and the
critical processes. The important point is to request that the customer coordinates with the monitoring team to actually perform the
monitoring. The appliances may experience an issue so critical that the System Alarms you have configured will not trigger. The
manager appliance may potentially be down and not able to trigger any system alarms at all. External monitoring is valuable and
can alert the customer to issues early on.

1. Return to the Manager Web Interface, click the Gear icon, and then select Central Management.

2. On the Central Management page, locate the SMC Manager appliance and click its associated Action Icon, then select
Edit Appliance Configuration.

3. Click the Network Services tab.


4. In the SNMP Agent section, enter the following values to configure the SNMP agent settings:

a. Enable: Checked

b. Read Only Community: CustomerROv2String

c. SNMP Port: 161

i. If the customer requires that SNMP be run on a non-standard port you can change the port number via
this setting. Leave the value at 161 unless specified by the customer.

d. sysLocation: Customer Datacenter02

i. When the appliance is queried by the remote monitoring system via SNMP, this value will show in the
Location field for the appliance. Obtain this value from the customer – however they wish the
appliance’s location to appear in their monitoring system is how this should be entered.

e. sysContact: Owner Name

i. When the appliance is queried by the remote monitoring system via SNMP, this value will show in the
Contact field for the appliance. Obtain this value from the customer – however they wish the appliance’s
Contact to appear in their monitoring system is how this should be entered.

f. sysName: SMC

i. This value is usually the host name assigned by the customer. This will be the name value that appears
in the remote monitoring system. If the customer has several SNA appliances and you use the default
values, all the appliances will appear to have the same name. Use the host names assigned by the
customer for this purpose.

g. sysServices: (leave default value)

h. sysDescription: SNA Manager

i. A free text value to describe the purpose of the appliance. If the customer has a standard value here
utilize their naming convention. Otherwise describe the appliance type and model number.

i. sysObjectID: (leave default value)

j. SNMP Version: V2


5. Click Apply Settings and then Apply Changes once you have configured the SNMP values.

6. Notice that your appliance Status has changed while the settings are applied to that appliance.

NOTE: The SNMP agent settings only control whether an external system can poll the appliance via SNMP. They have no bearing
on the appliance's primary function: they are unrelated to the Manager polling exporters via SNMP and to the Manager sending
SNMP traps via Response Management. The agent exists solely for remote monitoring of the appliances; it is technically optional
but highly recommended for that purpose. Use SNMPv3 whenever the customer's monitoring system supports it. With v1/v2c the
community string crosses the network in cleartext on every poll, and anyone who captures it can read the same data, so treat a
v2c community as a shared secret and, where the network allows, restrict polling to the monitoring system's addresses.
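The check a practitioner wants after applying the settings is to poll the agent from outside the appliance, the way the customer's monitoring system will. The following script is an added example for this guide, not SNA code and not part of the lab environment. It builds a raw SNMPv2c GET for the MIB-II system objects configured in step 4 (sysName, sysLocation, sysContact, sysDescr) using only the Python standard library, so it runs on an admin workstation without net-snmp. The appliance address, community string and port are arguments you supply; this scenario does not state the Manager's IP, so none is assumed.

```python
"""Raw SNMPv2c GET to verify an appliance's SNMP agent from the monitoring host.
Added example for this lab guide: not SNA code, standard library only (hand-built BER)."""
import socket

# MIB-II system group (RFC 1213): the objects the SNMP Agent page lets you set.
SYSTEM_OIDS = {
    "sysDescr.0":    "1.3.6.1.2.1.1.1.0",
    "sysObjectID.0": "1.3.6.1.2.1.1.2.0",
    "sysContact.0":  "1.3.6.1.2.1.1.4.0",
    "sysName.0":     "1.3.6.1.2.1.1.5.0",
    "sysLocation.0": "1.3.6.1.2.1.1.6.0",
}
TAG_INT, TAG_OCTETS, TAG_NULL, TAG_OID, TAG_SEQ = 0x02, 0x04, 0x05, 0x06, 0x30
TAG_GET_REQUEST, TAG_GET_RESPONSE = 0xA0, 0xA2

def ber_length(n):  # short form below 128, else 0x80|N followed by N big-endian bytes
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + ber_length(len(body)) + body

def ber_int(v):  # minimal two's-complement INTEGER; SNMP header fields are non-negative
    return tlv(TAG_INT, v.to_bytes(v.bit_length() // 8 + 1, "big", signed=True))

def ber_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128 digits, high bit set on all but the last
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(TAG_OID, bytes(out))

def build_get_request(community, oids, request_id=1):
    """SNMPv2c message: SEQUENCE { version=1, community, GetRequest-PDU }."""
    varbinds = b"".join(tlv(TAG_SEQ, ber_oid(o) + tlv(TAG_NULL, b"")) for o in oids)
    pdu = ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(TAG_SEQ, varbinds)
    return tlv(TAG_SEQ, ber_int(1) + tlv(TAG_OCTETS, community.encode())
               + tlv(TAG_GET_REQUEST, pdu))

def ber_decode(buf, pos=0):
    """Decode one element at pos -> ((tag, value), end); constructed tags recurse."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    body, end = buf[pos:pos + length], pos + length
    if tag in (TAG_SEQ, TAG_GET_REQUEST, TAG_GET_RESPONSE):
        items, p = [], 0
        while p < len(body):
            item, p = ber_decode(body, p)
            items.append(item)
        return (tag, items), end
    if tag == TAG_INT:
        return (tag, int.from_bytes(body, "big", signed=True)), end
    if tag == TAG_OCTETS:
        return (tag, body.decode("utf-8", "replace")), end
    if tag == TAG_OID:
        arcs, v = [body[0] // 40, body[0] % 40], 0
        for b in body[1:]:
            v = (v << 7) | (b & 0x7F)
            if not b & 0x80:
                arcs, v = arcs + [v], 0
        return (tag, ".".join(map(str, arcs))), end
    return (tag, bytes(body)), end  # NULL, noSuchObject (0x80) and friends stay raw

def parse_response(data, expected_request_id=None):
    """{oid: value} from a GetResponse; raises on error-status or a foreign request-id."""
    (_, message), _ = ber_decode(data)
    _version, _community, (pdu_tag, pdu) = message
    if pdu_tag != TAG_GET_RESPONSE:
        raise ValueError("not a GetResponse PDU")
    (_, request_id), (_, error_status), (_, error_index), (_, varbinds) = pdu
    if error_status:
        raise ValueError(f"agent returned error-status {error_status} at index {error_index}")
    if expected_request_id is not None and request_id != expected_request_id:
        raise ValueError("request-id mismatch: stale or spoofed reply")
    return {oid: value for _, ((_, oid), (_, value)) in varbinds}

def check_agent(host, community, port=161, timeout=2.0, oids=SYSTEM_OIDS):
    """Poll like a monitoring system. None means no reply: agent disabled, wrong
    community string (v2c agents drop those silently) or UDP/port filtered on the path."""
    request_id = 0x5A5A  # echoed back by the agent; anything else is not our answer
    packet = build_get_request(community, list(oids.values()), request_id)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (host, port))
        try:
            data, _ = sock.recvfrom(65535)
        except OSError:  # timeout or ICMP port-unreachable
            return None
    by_oid = parse_response(data, request_id)
    return {name: by_oid.get(oid) for name, oid in oids.items()}
```

Run check_agent("<manager-ip>", "CustomerROv2String") from the monitoring network. A reply carrying sysName "SMC" and sysLocation "Customer Datacenter02" confirms the values entered in step 4; None means the agent is still disabled, the community string is wrong (v2c agents do not answer those requests at all), or UDP/161 is filtered between the poller and the appliance, so check the path before suspecting the appliance. The parser refuses replies whose request-id differs from the one sent, because UDP makes injecting a spoofed answer trivial; the same cleartext community string travelling in every poll is the reason SNMPv3 is preferred.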


Scenario Summary
In this scenario, you configured the SNMP agent on the Manager to allow it to be monitored via a 3rd party SNMP monitoring
system. In the lab, you will not be required to perform the steps on all the appliances. However, in a customer environment, all
SNA appliances should be monitored by the customer’s systems if available.


Scenario 18. Determine Estimated Datastore Storage Capacity


All data node appliances have a finite amount of storage space available to store flow data. Depending on the appliance models
purchased, the amount of storage assigned to virtual appliances, and the amount of flow data being generated in the customer
environment, a customer could have a year of data accessible or they may barely make it to a full month.

Your customer has asked you how much flow data their system will be able to retain now that their appliances have been installed
and the FC is taking in flow data from all the in-scope exporters. You will utilize the Database Retention feature on the Data Store
page in Central Management to give the customer an estimate of how many days of data they will be able to retain.

1. Open Central Management in the Chrome web browser.

2. Select Data Store

3. Select Database Retention

4. The Database Fullness chart is shown. In the example shown here, the database on the Data Store has 92% free space
remaining.

5. Scroll down until the Daily Storage section is displayed.


6. The total capacity of the datastore is shown in Terabytes. In this example the capacity is 0.092 TB.

7. The Daily Storage Rate is the amount of storage consumed per day in gigabytes. In this example it is 0.056 GB.

8. To get an estimate of the total amount of capacity in days you may perform the following calculation

a. (Total Capacity in TB)(1024)=Total Capacity in GB

b. (Total Capacity in GB)/(Daily Storage Rate in GB)=Total Number of Days of Capacity

c. (0.092)(1024) = 94.208 GB; 94.208 / 0.056 ≈ 1,682 days of capacity
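The same estimate as a small Python helper, added here for this guide (it is not SNA code), so it can be rerun for each customer rather than worked by hand. It takes the two figures from the Database Retention page (total capacity in TB, Daily Storage Rate in GB) and uses the same 1024 GB/TB factor as the calculation above. It goes one step beyond the text: from the current free percentage it also estimates the date on which the datastore will start purging its oldest data, and it reports the largest daily rate that still meets a retention target the customer names. The 0.092 TB, 0.056 GB/day and 92% free figures are the lab's; the 90-day target used below is an assumed customer requirement.

```python
"""Datastore retention estimate from the Database Retention page figures.
Added example for this lab guide, not SNA code. Inputs are read off the page:
total capacity in TB and Daily Storage Rate in GB, 1024 GB/TB as in the lab text."""
from datetime import date, timedelta

GB_PER_TB = 1024  # binary units, matching the lab's worked calculation


def retention_days(capacity_tb, daily_rate_gb):
    """Days of flow data the datastore can hold at the observed daily rate."""
    if daily_rate_gb <= 0:
        raise ValueError("daily rate must be positive: let the FC ingest for a full day first")
    return capacity_tb * GB_PER_TB / daily_rate_gb


def days_until_full(capacity_tb, daily_rate_gb, percent_free):
    """Days until the oldest data starts being purged, given the current fullness."""
    return retention_days(capacity_tb, daily_rate_gb) * percent_free / 100.0


def max_daily_rate_for(capacity_tb, target_days):
    """Largest sustainable Daily Storage Rate (GB) that still meets a retention target."""
    return capacity_tb * GB_PER_TB / target_days


def retention_report(capacity_tb, daily_rate_gb, percent_free, target_days, today=None):
    """Summary a field engineer can hand to the customer."""
    today = today or date.today()
    total = retention_days(capacity_tb, daily_rate_gb)
    until_full = days_until_full(capacity_tb, daily_rate_gb, percent_free)
    return {
        "retention_days": round(total),
        "purge_starts_on": today + timedelta(days=int(until_full)),
        "meets_target": total >= target_days,
        "max_daily_rate_gb": max_daily_rate_for(capacity_tb, target_days),
    }


if __name__ == "__main__":
    # Lab figures; the 90-day target is an assumed customer requirement, not from the lab.
    print(retention_report(0.092, 0.056, 92, target_days=90))
```

The result is only as good as the Daily Storage Rate sample: immediately after an install it reflects only the exporters already sending, so rerun the estimate after a representative week or two of ingest, and again after any exporter is added, before quoting a retention figure to the customer.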

NOTE: By default the appliance stores up to 7 days of Flow Interface Data (the record of which exporter interfaces each flow
passed through). When the datastore disk reaches capacity it deletes the oldest data to make room for new data, so retaining
interface data for every flow shortens how long the flow records themselves can be kept. The Flow Interface Data retention
setting lets you prioritize keeping flow data over keeping the interface detail for older flows.

Setting this value to a small number of days, such as 7, lets the appliance keep more flow data, because the database no longer
holds interface data for flows older than 7 days. Depending on the customer environment you may choose to let the datastore run
for several weeks or months, to see how much flow and flow interface data it can hold, before limiting the interface data. This is
a tool you can use to help customers extend their flow data retention period if needed.

Customer environments upgraded from earlier Stealthwatch releases to Cisco Secure Network Analytics may carry a different
value for this setting than a fresh installation and may benefit from reducing it.

Scenario Summary
In this scenario, you have used the Database Retention page to review storage details about the customer’s datastore and
calculate their storage capacity in days. Additionally, you have reviewed the interface details retention settings and verified that it is
configured to store only 7 days of interface data in order for more flow data to be stored in the datastore database over time.


Scenario 19. Create Configuration Backups


At this point, you have successfully completed the initial deployment and configuration of the customer’s SNA solution. It can be
highly beneficial to perform a configuration backup from each of the appliances to capture a known good state before ending your
engagement with the customer. You will now perform configuration backups on the appliances and save the files to the
administrative workstation the customer has provided you to work on in their environment. They will then copy the files to their file
server for storage.

NOTE: Each appliance automatically saves a copy of its configuration backup on a daily schedule to local disk for 30 days. This
can be helpful if an administrator makes a configuration error such as deleting the host group tree, or some other misconfiguration
occurs. The backups saved on the appliance can be used to return the box to a working configuration if the issue is found within 30
days. However, if the appliance fails or is reset to factory defaults then the locally saved configuration backups will not be available.
Saving a configuration backup to an external machine is critical.

1. Return to the Manager web interface via Chrome and log in to the appliance using the username of admin and the
password of C1sco12345.

2. Click the Gear icon and then select Central Management.

3. Select the Action icon for the SMC and then select the Support menu option.

4. You will see a list of previously saved backups that exist on the appliance itself from its daily configuration backup.


5. Create a backup on demand by clicking Backup Actions then Create Backup.

6. Once the backup is created, it appears in the list at the top. Click the associated Download button then Save. The
configuration backup will be downloaded by the web browser and saved in the Downloads folder.

a. The backup-appliance file is the configuration of the actual Manager appliance that contains all the appliance
settings that you defined through the AST as well as all product configuration such as Host Groups, Domain
settings, alarm policy configuration, etc.

b. The backup-cm file is the Central Management configuration that stores information about all the appliances
managed by Central Management.

c. You should download both files. Other SNA appliances besides the Manager will only have a single backup
config file type.

7. Click Appliance Manager to return to the Central Management Inventory page.


8. Repeat the steps in this scenario for all remaining SNA appliances to create and download the latest configuration
backups.

a. Flow Collector

b. Flow Sensor

NOTE: Performing configuration backups is also part of the pre-upgrade process for the appliances.
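What to do with the downloaded files: the following Python helper is an added example for this guide (it is not SNA code) that copies them into a dated folder on the customer's file server and writes a SHA256SUMS manifest, so a backup can be checked for integrity before it is relied on for a restore months later. It assumes the browser saved the files under names beginning with backup- (the lab shows backup-appliance and backup-cm; the exact file names and extensions are not given here) and that the Downloads and destination paths are supplied by you. These backups carry the complete appliance and product configuration, so the destination should be access-controlled like any other secret-bearing artifact.

```python
"""Archive downloaded SNA configuration backups with a SHA-256 manifest.
Added example for this lab guide, not SNA code. Assumes the browser saved the
files with names starting with backup- (the lab shows backup-appliance and
backup-cm; exact names and extensions are not given) and that dest is on the
customer's file server or the admin workstation."""
import hashlib
import shutil
from datetime import datetime
from pathlib import Path


def sha256_of(path, chunk_size=1 << 20):
    """Streamed SHA-256 hex digest so large backups are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def archive_backups(src, dest, pattern="backup-*", when=None):
    """Copy src/backup-* into dest/<timestamp>/, write SHA256SUMS there, return its path."""
    src, dest = Path(src), Path(dest)
    files = sorted(p for p in src.glob(pattern) if p.is_file())
    if not files:
        raise FileNotFoundError(f"no {pattern} files in {src}: download the backups first")
    target = dest / (when or datetime.now()).strftime("%Y%m%d-%H%M%S")
    target.mkdir(parents=True, exist_ok=False)  # never overwrite an earlier snapshot
    lines = []
    for f in files:
        copied = target / f.name
        shutil.copy2(f, copied)
        digest = sha256_of(copied)
        if digest != sha256_of(f):
            raise IOError(f"{f.name}: copy does not match source")
        lines.append(f"{digest}  {f.name}")  # same layout sha256sum -c accepts
    manifest = target / "SHA256SUMS"
    manifest.write_text("\n".join(lines) + "\n")
    return manifest


def verify_manifest(manifest):
    """Re-hash every file listed in SHA256SUMS; returns the names that no longer match."""
    manifest = Path(manifest)
    failed = []
    for line in manifest.read_text().splitlines():
        digest, name = line.split("  ", 1)
        path = manifest.parent / name
        if not path.is_file() or sha256_of(path) != digest:
            failed.append(name)
    return failed


if __name__ == "__main__":
    # Example paths only; substitute the customer's Downloads folder and file server share.
    m = archive_backups(Path.home() / "Downloads", "sna-backups")
    print(m, "verified" if not verify_manifest(m) else "CORRUPT")
```

The manifest catches silent corruption and incomplete copies; it does not by itself prove nobody altered a backup, since whoever can rewrite the files can rewrite the manifest. If the customer needs that assurance, keep a copy of the SHA256SUMS file in a second location (or sign it) and compare before restoring.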

Scenario Summary
In this scenario, you have performed a configuration backup for all the appliances and saved the backup file to your administrative
workstation. This will ensure that if there is an appliance failure or a misconfiguration performed by the customer you will be able to
return the environment to a working configuration without performing the entire installation process over again.


Scenario 20. SNA Patching – Central Management


Cisco has released a patch update for one of the SNA appliances. You will now download and apply this patch to your customer’s
environment through Central Management. Since you have already created and downloaded a recent Configuration Backup, you
are ready to start the update. Always read the release notes and installation instructions for patches and upgrades – they are very
important!

1. You will now apply a Flow Collector patch to the customer Flow Collector appliance.

NOTE: All SNA software is available from software.cisco.com and should be downloaded from there. This patch file has been
downloaded already only for the purposes of the lab.

2. From the Manager Central Management page, click the Update Manager tab.

3. Click Upload to upload the patch to Central Management.

4. Navigate to WKST1 > Documents > Patches, click on patch-fcnf-ROLLUP001-7.4.1-v2-03.swu then click Open


5. The file will upload to the Manager.

6. Wait for the Success message to appear, then click Close.

7. The update will now be transferred from the SMC to the Flow Collector appliance. Wait until the Update Status changes to
Waiting to Install before proceeding.

8. You will now see that the Patch is listed as Waiting to Install for the appliance. If you do not see this, refresh your browser
window.


9. Click the FC Actions icon (three dots) and then select Install Update.

10. Click Yes to confirm the update.

11. The Update Status will eventually change to Installing. (This can take some time, please be patient.)

12. Refresh the Central Management web browser page as needed to update the status of the installation.

13. Notice for the Flow Collector that both Ready to Install and Update Status have cleared out. The installed version now says
patch-fcnf-ROLLUP001-7.4.1-03. Click the Actions icon for the FCNF and then select View Update Log.


14. This log opens in a new Chrome Tab. Note the ROLLUP001 file is mentioned. Scroll to the bottom of the log file and see that
the process completed successfully.

15. You have completed the patch update process for the Flow Collector.

Scenario Summary
In this scenario, you have performed a patching process on the SNA Flow Collector appliance in the customer environment
through the Update Manager component of Central Management. This will help prevent known bugs and issues from negatively
affecting the customer’s experience with the product.

SW Field Engineer Lab Completion


You have now completed all scenarios in the SNA 101 FE Training lab.
