As many of you may already know, we do a ‘live workshop’ as a companion to every TechWiseTV episode we release.  These workshops are NOT using video at all..but they do feature a solid hour of demos, explanations and two-way Q&A with some of the best engineers in Cisco.

The recent show we did on router security, “Intelligent Threat Defense at the Network Edge” featured two security technologies that continue to impress: Umbrella, from the OpenDNS acquisition (itself featured in an earlier episode), and Stealthwatch.

Many of us relied on Lancope’s Stealthwatch product, and their Network Based Anomaly Detection capabilities, well before Cisco finally acquired them. But this acquisition also allowed for a deeper level of integration with an internally developed Cisco project.  The general ideas was to use machine learning to detect anomalies in a branch network router as opposed to stretching it across a large enterprise network. These teams have since combined their expertise and are now working towards integrating these macro and micro level views together in the Cisco Stealthwatch anomaly detection product family.

That storyline and the power it brings to the monitoring and analysis many of us struggle with, was front and center for yesterday’s live workshop.

Brian Ford, Sukrit Dasgupta and additional members of their team, handled the onslaught of great questions as we continued to demonstrate the Stealthwatch Learning Network License.

The workshop plus this Q&A below should give you a great understanding of what is possible here.

Get an inside look at how Stealthwatch Learning Network License can transform your branch network router into a powerful security sensor and enforcer: one capable of quickly detecting threat activity and mitigating attacks, with little to no hands-on management needed.


Are there any additional enhancements required for the router such as memory or a specific module?  

Hi Tom, yes it does require more memory and optionally a hard drive, Brian will share more details towards the end of the call.

Is this compatible with Cisco iWAN?

Technically it is compatible with iWAN, we are currently undergoing details performance characterization with iWAN to quantify the points of compatibility.

SLN is a lightweight solution in terms of memory and HD is optional?

Yes we are lightweight . We need the ISR 4K to only have the 8G Mem option installed. We then use all of IOS Infrastructure you already own to run our Agent . In addition the ISR 4K CiscoOne Bundles now all ship with the 8G Mem as the default

Is this supported in an iWAN design that’s also running ISR-WAAS already running in a container on the ISR 4K router?

If you were to run WAAS and SLN on same ISR 4K we recommend you run WAASv on the UCS blade as it is much higher  resources utilization for HD and Memory and SLN in Container

Are the policies managed from centralized system?

The Learning Agent does this.  It observes and learns about the network in the ISR.  After a short training period it generates reports about anomalies.   You compare that data against policies at the SLN Manager.

Do the agents automatically download updated policies?

The Agents are constantly learning and save a backup copy of their state at the Learning Manager. We have a script run at the Manager to update agent code on ISRs.

SLN requires extra hardware, software and license. Right?

Sort of.  SLN is a smart licensed product.  It requires the IOS-XE AppX license.  It does require a minimum of 8Gb of RAM in the ISR.

Could you send Cisco link for this ISR 4K CiscoOne?

www.cisco.com/go/stealthwatch   We currently do not have a CiscoOne package offering for SLN (yet). To be clear ISR 4K Cisoc One Bundles  do support SLN now , but they do not  include the license , you simply add it  This link has all the ISR Cisco One Bundles, the ISR 4K are in Table 4

Do we have the ability to plug into OpenDNS investigate for anomalous IP’s ?

We are developing the capability to pivot from the SLN Manager to OpenDNS Umbrella to investigate.  The pivot is currently implemented in Stealthwatch SMC. The feed-back from OpenDNS could be used by the Machine Learning algorithm to increase degree of anomaly (if OpenDNS reports an IP address as suspicious for example).

Is this compatible with iWAN (dmvpn/waas/PfR/AppNav) and zone based firewall?

So we are working through testing SLN with different IWAN configurations.  We have reached out to customers for config samples.  We expect to publish early next year.  So far no show stoppers.

Does this ISR container require any router modules?  (storage? E-Series blade, NIM of any sort?)

No.  None required.  We can use the NIM-SSD if installed for extra storage (think pcaps).  

Will this run on a 4331?

the 4331 will be supported Dec 1st a few weeks out

Is this technology usable with the ASA5520 and existing 6800 routers?

Jeff, at this point it is not

Just in case you missed the links…

Thank you for watching…listening…questioning…keep it up!

Robb Boyd

Twitter: @robbboyd


P.S. I have a ton of respect for Brian Ford’s skills and I was able to record a great conversation we had about his background with Cisco, Lancope, and a few personal goodies.



Robb Boyd

Producer, Writer, Host