https://community.cisco.com/t5/security-analytics/netflow-config-with-eta/m-p/3825146#M157 <P><BR />I have a few stealthwatch questions that I hope the community can help answer.</P><P><BR />For the Cat 9300s with ETA enabled, my current netflow config looks like this</P><P>flow record SW-RECORD<BR />match datalink mac source address input<BR />match datalink mac destination address input<BR />match datalink vlan input<BR />match ipv4 ttl<BR />match ipv4 tos<BR />match ipv4 protocol<BR />match ipv4 source address<BR />match ipv4 destination address<BR />match transport source-port<BR />match transport destination-port<BR />match interface input<BR />collect interface output<BR />collect counter bytes long<BR />collect counter packets long<BR />collect timestamp absolute first<BR />collect timestamp absolute last</P><P>&nbsp;</P><P>I believe the below is the correct config for 9300's with ETA enabled (correct me if I'm wrong)</P><P>match ipv4 protocol<BR />match ipv4 source address<BR />match ipv4 destination address<BR />match transport source-port<BR />match transport destination-port<BR />collect counter bytes long<BR />collect counter packets long<BR />collect timestamp absolute first<BR />collect timestamp absolute last</P><P>&nbsp;</P><P>My question is, what kind of issues can arise with the current configuration? Also, should ETA be enabled on ports that connect to cisco access points? I currently use vWLC</P> Sun, 24 Mar 2019 18:16:26 GMT virtualpedia 2019-03-24T18:16:26Z https://community.cisco.com/t5/security-analytics/netflow-config-with-eta/m-p/3825146#M157 <P><BR />I have a few stealthwatch questions that I hope the community can help answer.</P><P><BR />For the Cat 9300s with ETA enabled, my current netflow config looks like this</P><P>flow record SW-RECORD<BR />match datalink mac source address input<BR />match datalink mac destination address input<BR />match datalink vlan input<BR />match ipv4 ttl<BR />match ipv4 tos<BR />match ipv4 protocol<BR />match ipv4 source address<BR />match ipv4 destination address<BR />match transport source-port<BR />match transport destination-port<BR />match interface input<BR />collect interface output<BR />collect counter bytes long<BR />collect counter packets long<BR />collect timestamp absolute first<BR />collect timestamp absolute last</P><P>&nbsp;</P><P>I believe the below is the correct config for 9300's with ETA enabled (correct me if I'm wrong)</P><P>match ipv4 protocol<BR />match ipv4 source address<BR />match ipv4 destination address<BR />match transport source-port<BR />match transport destination-port<BR />collect counter bytes long<BR />collect counter packets long<BR />collect timestamp absolute first<BR />collect timestamp absolute last</P><P>&nbsp;</P><P>My question is, what kind of issues can arise with the current configuration? Also, should ETA be enabled on ports that connect to cisco access points? I currently use vWLC</P> Sun, 24 Mar 2019 18:16:26 GMT https://community.cisco.com/t5/security-analytics/netflow-config-with-eta/m-p/3825146#M157 virtualpedia 2019-03-24T18:16:26Z https://community.cisco.com/t5/security-analytics/netflow-config-with-eta/m-p/3828927#M158 <P>That's a good looking&nbsp; 9300 NetFlow for Stealthwatch config but it doesn't enable ETA.</P> <P>&nbsp;</P> <P>While Encrypted Traffic Analytics (ETA) currently uses Cisco NetFlow v9 as it's transport (export) protocol it is not enabled as part of the standard NetFlow configuration.&nbsp; You want to take a look at the 'et-analytics ...' commands in order to enable ETA processing and export.</P> <P>&nbsp;</P> <P>The ETA process on the 9300 is separate from the NetFlow process.&nbsp; ETA uses one of the available exporters; so if you configure NetFlow as you described and enable ETA your device will report 2 exporters.</P> <P>&nbsp;</P> <P>For the 9300 see:&nbsp;</P> <P><A href="https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/nmgmt/b_166_nmgmt_9300_cg/b_166_nmgmt_9300_cg_chapter_01000.pdf" target="_blank">https://www.cisco.com/c/en/us/td/docs/switches/lan/catalyst9300/software/release/16-6/configuration_guide/nmgmt/b_166_nmgmt_9300_cg/b_166_nmgmt_9300_cg_chapter_01000.pdf</A> </P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Fri, 29 Mar 2019 14:41:25 GMT https://community.cisco.com/t5/security-analytics/netflow-config-with-eta/m-p/3828927#M158 brford 2019-03-29T14:41:25Z https://community.cisco.com/t5/security-analytics/netflow-config-with-eta/m-p/3828939#M159 <P>Thanks for the reply.&nbsp; Yes, I have ETA already configured.&nbsp; My question was really what problem is created by using the first netflow configuration vs the second.&nbsp;</P><P>&nbsp;</P><P>I'm going with the second config as that is what is recommended by Cisco, but I was just curious</P> Fri, 29 Mar 2019 15:24:06 GMT https://community.cisco.com/t5/security-analytics/netflow-config-with-eta/m-p/3828939#M159 virtualpedia 2019-03-29T15:24:06Z https://community.cisco.com/t5/security-analytics/netflow-config-with-eta/m-p/3829193#M160 <P>OK.&nbsp; For this flow record to work with Cisco Stealthwatch (v6.10 or later) you'll need the following:</P> <P>&nbsp;</P> <P>match ipv4 proto</P> <P>match ipv4 source addr</P> <P>match ipv4 destination addr</P> <P>match transport source-port</P> <P>match transport destination-port</P> <P>match ipv4 tos</P> <P>collect interface out</P> <P>collect counter bytes</P> <P>collect counter packets</P> <P>collect timestamp sys-uptime first</P> <P>collect timestamp sys-uptime last</P> <P>&nbsp;</P> <P>These are REQUIRED flow record fields for Stealthwatch v6.10 and later.&nbsp;</P> <P>&nbsp;</P> <P>You can add the following optional data elements to that flow record:</P> <P>&nbsp;</P> <P>collect routing next-hop address ipv4 (used for closest interface determination)</P> <P>&nbsp;</P> <P>collectipv4 ttl minimum</P> <P>collect ipv4 ttl max (these two data elements are used to understand the path of the flow through the network)</P> <P>&nbsp;</P> <P>collect transport tcp flag (to gain more insight into TCP connections)&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Sat, 30 Mar 2019 00:39:36 GMT https://community.cisco.com/t5/security-analytics/netflow-config-with-eta/m-p/3829193#M160 brford 2019-03-30T00:39:36Z https://community.cisco.com/t5/security-analytics/netflow-config-with-eta/m-p/3829356#M161 <P>Hi&nbsp;<a href="https://community.cisco.com/t5/user/viewprofilepage/user-id/103393">@brford</a>&nbsp;</P><P>Appreciate the reply.&nbsp; There is where the configuration becomes confusing.</P><P>Per this guide, I see the configuration that you posted, which includes the required fields that you specified.</P><P><A href="https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/config-trouble-netflow-stealth.pdf" target="_blank" rel="noopener">https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/config-trouble-netflow-stealth.pdf</A></P><P>&nbsp;</P><P>However, also per this guide, if you scroll down, it shows the below, which was the tested configuration for Cat9K.</P><P><STRONG>Netflow with Encrypted Traffic Analytics (ETA) on Catalyst 9k example</STRONG><BR /><STRONG>When configuring ETA to work with Stealthwatch you will configure both a Flexible NetFlow Monitor (and enable ETA enhanced NetFlow export</STRONG><BR /><STRONG>(for the ETA specific fields). The below configuration was validated with IOS v16.6.2</STRONG></P><P>&nbsp;</P><P>flow record ETA-C9K-RECORD<BR />description Flow Record for ETA with Stealthwatch<BR />match ipv4 protocol<BR />match ipv4 source address<BR />match ipv4 destination address<BR />match transport source-port<BR />match transport destination-port<BR />collect counter bytes long<BR />collect counter packets long<BR />collect timestamp absolute first<BR />collect timestamp absolute last</P><P>&nbsp;</P><P>Should "match ipv4 tos" be included?</P> Sat, 30 Mar 2019 17:44:05 GMT https://community.cisco.com/t5/security-analytics/netflow-config-with-eta/m-p/3829356#M161 virtualpedia 2019-03-30T17:44:05Z