Hello @Antonio Macia
The flows received by Cisco Catalyst Center and Cisco SNA differ in their scope and purpose.
Catalyst Center is configured as a NetFlow collector for AVC and focuses on providing granular visibility into application performance and behavior. It collects detailed NetFlow/IPFIX records, including source and destination IPs, ports, and protocols, as well as metadata like application classifications from NBAR2. Additionally, it gathers performance metrics such as latency/jitter, enabling network operators to monitor application health and enforce application-specific policies.
In contrast, SNA configured as a destination for Encrypted Traffic Analytics ("ET-Analytics") is purpose-built for analyzing encrypted traffic behavior and detecting encrypted threats. The flows exported for ET-Analytics focus on metadata specific to encrypted sessions, such as initial packet details, sequence of packet lengths and time and TLS handshake information like cipher suites and server certificate details. This data is specialized for identifying anomalies and malicious behavior in encrypted traffic without the need for decryption. However, it lacks broader flow details that traditional NetFlow provides, such as application-layer visibility and performance metrics...
When SNA is used as the flow exporter destination in a traditional deployment, it receives comprehensive NetFlow/IPFIX records, offering visibility into all network traffic, including encrypted and unencrypted flows. However, when configured for ET-Analytics only, SNA receives reduced flow data focused solely on encrypted traffic behavior. This approach omits standard NetFlow information, including detailed application metadata, granular flow statistics, and contextual insights into non-encrypted traffic. As a result, ET-Analytics is highly specialized but not as versatile for general network monitoring.
Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.
