Creating a stack

Create a new physical QRadar® Network Packet Capture stack to increase the storage space that is available for your capture data.

Before you begin

Prepare your environment before you create the stack.
  • You can stack a maximum of 16 appliances, including the Stack Controller. The maximum physical cabling distance between any two appliances is ten meters.
  • Ensure that all appliances in the stack are running the same version of the QRadar Network Packet Capture software.
  • Ensure that all appliances are in a group. For more information, see Grouped appliances.
  • Connect the appliances to form a ring so that all appliances can communicate with each other. To see an example cabling diagram, see Stacking topology.
    Note: Routing and switching are not allowed. Only peer-to-peer connections are allowed.

Procedure

  1. On the Stack Controller, connect Port 2 to the switch or SPAN port that is being monitored; this is the TAP point.
  2. Optional. On the Stack Controller, connect Port 3 to a QRadar QNI appliance.
    Port 3 is used to retransmit all capture data to the QNI appliance. The data is retransmitted in a special format with a high-precision data capture timestamp embedded in the frame.
  3. On the Stack Nodes, connect port 0 and port 1 to form a ring.
    Note: For the Stack Nodes, Ports 2 and 3 must not be used.

Example

The following diagram shows a sample topology with a Stack Controller (Appliance A) and three Stack Nodes (Appliances B, C, and P).

The NT40E3-4 ports are connected by using ports 0 and 1 to form a ring.
  1. Appliance A, Port 0 connects to Appliance B, Port 1.
  2. Appliance B, Port 0 connects to Appliance C, Port 1.
  3. Appliance C, Port 0 connects to Appliance A, Port 1.
Figure 1. QRadar Network Packet Capture sample topology.
The stack controller is shown at the bottom of the diagram, with incoming capture data, and outgoing retransmitted capture data. The stack controller is interconnected to the stack nodes (there is a maximum of 16 nodes including the controller). The stack controller is also a stack node. Each stack node has a SmartNIC and database, and has a two way connection to the switch and management network.