I am trying to make sure I got the right config.
Looking at this:
I was looking at the 9300 config and it shows that NetFlow is enabled both inbound and outbound, and it was only enabled on the uplink interface.
1) Are the fields in that document right and still accurate?
2) Almost all sample configs only show NetFlow enabled on the inbound. Do we need to enable input/output?
3) If I have a 9300 Layer 2 switch, can I enable NetFlow on all switch ports and also enable ETA on all those interfaces? Potential performance issues? The sample showed enabling NetFlow on the uplink interface and only enabling ETA on the access interface.
description Uplink Interface
ip flow monitor ETA-FLOWMONITOR input
ip flow monitor ETA-FLOWMONITOR output
ip flow-export destination <dest ip address> 2055
interface gigabitEthernet 1/0/2
description access layer interface
switchport access vlan 5
I found this in the docs:
Flexible NetFlow monitor can be applied on the same interface that has ETA enabled, only if the other flow monitor has the same 5-tuple in the match field. So, Flexible NetFlow with only a limited set of match attributes is supported.
I wish this was more clear :) So what are the best practices on which interfaces we enable NetFlow vs. ETA? And what is the downside of not having the extended attributes?
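The restriction quoted from the docs above, written out as a complete IOS-XE configuration. This is an added example, not config from the original post or from Cisco's documentation: the record, exporter and monitor names, the collector address 10.10.10.50, and the interface numbers are assumptions chosen to line up with the fragment in the post.

```cisco
! Added example (not from the original post). Collector 10.10.10.50:2055 and
! the interface numbers are assumed values.
!
! The record is limited to the IPv4 5-tuple. Per the quoted doc, a monitor
! whose record has additional match keys cannot share an interface with ETA.
flow record ETA-FLOWRECORD
 description 5-tuple only so the monitor can coexist with ETA
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
flow exporter ETA-EXPORTER
 destination 10.10.10.50
 transport udp 2055
 export-protocol ipfix
 template data timeout 60
!
flow monitor ETA-FLOWMONITOR
 exporter ETA-EXPORTER
 record ETA-FLOWRECORD
 cache timeout active 60
!
! ETA exports from its own process; its collector is set here, not under
! the interface. This is where the "ip flow-export destination" line from
! the post belongs.
et-analytics
 ip flow-export destination 10.10.10.50 2055
!
! Uplink: FNF in both directions, no ETA.
interface GigabitEthernet1/0/1
 description Uplink Interface
 ip flow monitor ETA-FLOWMONITOR input
 ip flow monitor ETA-FLOWMONITOR output
!
! Access port: the 5-tuple monitor and ETA on the same interface.
interface GigabitEthernet1/0/2
 description access layer interface
 switchport access vlan 5
 ip flow monitor ETA-FLOWMONITOR input
 et-analytics enable
```

After applying it, `show running-config | section et-analytics` confirms the ETA block, and `show flow monitor ETA-FLOWMONITOR cache` shows whether the 5-tuple monitor is populating on the access port. Note that with the monitor applied inbound on the access port and in both directions on the uplink, a single east-west flow that crosses both ports is reported more than once; the collector has to deduplicate, which is one reason the sample configs apply FNF inbound only.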
I've found that the best references regarding configuring Encrypted Traffic Analytics (ETA) are:
There are design and deployment decisions that have to be made when deploying ETA on your network infrastructure. ETA metadata represents new NetFlow/IPFIX metadata that is generated by a new process running on the devices where it is deployed. ETA runs in this new process because it can be deployed on a variety of hardware (physical and virtual), from as little as 2 Ethernet interfaces (where it would have little impact) to as many as 48 ports, where it may have a significant impact depending on how it is designed and deployed.
Thanks Brian. I did find that document after I put up my post, but it still doesn't answer all my questions, and it doesn't talk about where to put FNF only vs. ETA. It does have some pointers.
Mine is a very small deployment: about 6 sites, each with its own Internet breakout 44xx router and a VPN mesh between the sites. Each site has a core 9300 and an edge 9300 that connect to the 44xx ISR.
My thoughts are that I could have full-blown FNF on all the 9300 switch ports to gather east-west traffic, port scans, etc., and then only enable ETA/FNF on the ISR inside interface of each site?
Does that look good? Looking for others who have done this. Any gotchas?