ANNOUNCEMENT - The community will be down for maintenace this Thursday August 13 from 12:00 AM PT to 02:00 AM PT. As a precaution save your work.
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
481
Views
0
Helpful
2
Replies
Highlighted
Beginner

ETA with 9300 switch configuration SW 7.1

I am trying to make sure I got the right config.

looking at this

https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/config-trouble-netflow-stealth.pdf

I was looking at the 9300 config and it shows that netflow is enabled both inbound and outbound, and it was only enabled on uplink interface.

 

Question:

1) are the right fields in that documents and still accurate ?

2) almost all sample configs only show netflow enabled on the inbound - do we need to enable input/output ?

3) if I have a 9300 layer2 switch - can I enabled netflow on all switch ports and also enable ETA on all those interfaces  ? Potential performance issues ?  the sample showed enabling netflow on uplink interface and only enabling ETA on the access interface ?

 

 interface GigabitEthernet1/0/1
 description Uplink Interface
 no switchport
 ip flow monitor ETA-FLOWMONITOR input
 ip flow monitor ETA-FLOWMONITOR output
!
 
et-analytics
 ip flow-export destination <dest ip address> 2055
!
 
 
interface gigabitEthernet 1/0/2
 description access layer interface
 switchport
 switchport access vlan 5
 et-analytics enable

 

 

Update:

 I found this in the docs:

Flexible NetFlow monitor can be applied on the same interface that has ETA enabled, only if the other flow monitor has the same 5-tuple in the match field. So, Flexible NetFlow with only limited set of match attributes is supported.

 

I wish if this was more clear :) so what are best practices on what interfaces we enable netflow vs ETA ? and what is the downside of not having the extended attributes

2 REPLIES 2
Highlighted
Cisco Employee

Re: ETA with 9300 switch configuration SW 7.1

I've found that the best references regarding configuring Encrypted Traffic Analytics (ETA) are:

 

the ETA White Paper (https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.pdf )

 

and the 

 

the Design Guide (https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/eta-design-guide-2019oct.pdf )  

 

There are design and deployment decisions that have to be made when deploying ETA on your network infrastructure.  ETA meta data represents new NetFlow / IPFIX meta data that is generated by new process running on devices where it is deployed.  ETA runs in this new process because it can be deployed on a variety of hardware (physical and virtual) with from as little as 2 Ethernet interfaces (where it would have little impact) to as many as 48 ports where it may have a significant impact depending on how it is designed and deployed.   

 

 

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.
Highlighted
Beginner

Re: ETA with 9300 switch configuration SW 7.1

thx Brian .. I did find that document after I put my post, but its still doesn't answer all my questions and it doesn't talk about where to put FNF only and ETA. it does have some pointers.

Mine is a very small deployment about 6 sites each with their own internet breakout 44xx router and a VPN mesh between the sites. Each site has a core 9300 and edge 9300 that connect to the 44xx ISR.

My thoughts are that I could have full blown FNF on all the 9300 switch ports to gather and east-west traffic or port scans etc, and then only enable ETA/FNF on the ISR inside interface of each site ?

Does that look good ? looking for others who have done this. Any gotchas ?