ETA with 9300 switch configuration SW 7.1

tomalexis
Level 1

I am trying to make sure I got the right config.

Looking at this:

https://www.cisco.com/c/dam/en/us/td/docs/security/stealthwatch/netflow/config-trouble-netflow-stealth.pdf

I was looking at the 9300 config and it shows that NetFlow is enabled both inbound and outbound, and it was only enabled on the uplink interface.

Question:

1) Are the right fields in that document, and are they still accurate?

2) Almost all sample configs only show NetFlow enabled on the inbound - do we need to enable input/output?

3) If I have a 9300 layer 2 switch - can I enable NetFlow on all switch ports and also enable ETA on all those interfaces? Potential performance issues? The sample showed enabling NetFlow on the uplink interface and only enabling ETA on the access interface?

interface GigabitEthernet1/0/1
 description Uplink Interface
 no switchport
 ip flow monitor ETA-FLOWMONITOR input
 ip flow monitor ETA-FLOWMONITOR output
!
et-analytics
 ip flow-export destination <dest ip address> 2055
!
interface GigabitEthernet1/0/2
 description access layer interface
 switchport
 switchport access vlan 5
 et-analytics enable


Update:

I found this in the docs:

Flexible NetFlow monitor can be applied on the same interface that has ETA enabled, only if the other flow monitor has the same 5-tuple in the match field. So, Flexible NetFlow with only limited set of match attributes is supported.

I wish this was more clear :) So what are the best practices on which interfaces we enable NetFlow vs ETA? And what is the downside of not having the extended attributes?
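As an added example (not code from the original post or from the Cisco documents linked above), here is a complete IOS-XE configuration that follows the constraint quoted from the docs: the flow record matches exactly the IPv4 5-tuple, so the Flexible NetFlow monitor and et-analytics can coexist on the same access interface. The collector address 10.0.0.5, the Loopback0 export source and the cache timeouts are assumed placeholder values, not from the page.

```cisco
! Global ETA process: export ETA records to the collector (10.0.0.5 is a placeholder)
et-analytics
 ip flow-export destination 10.0.0.5 2055
!
! Flow record restricted to the IPv4 5-tuple, the match set that the docs
! say is supported on an interface that also has et-analytics enabled
flow record ETA-FLOWRECORD
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
! FNF exporter to the same collector; Loopback0 as the source is an assumption
flow exporter ETA-EXPORTER
 destination 10.0.0.5
 source Loopback0
 transport udp 2055
 template data timeout 30
 option interface-table
!
! Monitor tying the 5-tuple record to the exporter (timeouts are assumed values)
flow monitor ETA-FLOWMONITOR
 exporter ETA-EXPORTER
 cache timeout active 60
 cache timeout inactive 15
 record ETA-FLOWRECORD
!
! Access port: 5-tuple FNF in both directions plus ETA on the same interface
interface GigabitEthernet1/0/2
 description access layer interface
 switchport
 switchport access vlan 5
 ip flow monitor ETA-FLOWMONITOR input
 ip flow monitor ETA-FLOWMONITOR output
 et-analytics enable
!
```

Adding any match field beyond these five to the record is what the quoted doc text rules out on an interface that also has et-analytics enabled; extended collect fields are a separate question from the match set.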

2 Replies

brford
Cisco Employee

I've found that the best references regarding configuring Encrypted Traffic Analytics (ETA) are:

the ETA White Paper (https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.pdf )

and the Design Guide (https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/eta-design-guide-2019oct.pdf )

There are design and deployment decisions that have to be made when deploying ETA on your network infrastructure. ETA metadata represents new NetFlow / IPFIX metadata that is generated by a new process running on devices where it is deployed. ETA runs in this new process because it can be deployed on a variety of hardware (physical and virtual), from as little as 2 Ethernet interfaces (where it would have little impact) to as many as 48 ports, where it may have a significant impact depending on how it is designed and deployed.

Brian Ford | brford@cisco.com | brford@yahoo.com | 51 75 61 6c 69 74 79 20 6d 65 61 6e 73 20 64 6f 69 6e 67 20 69 74 20 72 69 67 68 74 20 77 68 65 6e 20 6e 6f 20 6f 6e 65 20 69 73 20 6c 6f 6f 6b 69 6e 67 2e | Email me when you figure this out.

Thx Brian .. I did find that document after I put up my post, but it still doesn't answer all my questions and it doesn't talk about where to put FNF only and ETA. It does have some pointers.

Mine is a very small deployment, about 6 sites, each with their own internet breakout 44xx router and a VPN mesh between the sites. Each site has a core 9300 and an edge 9300 that connect to the 44xx ISR.

My thoughts are that I could have full-blown FNF on all the 9300 switch ports to gather east-west traffic or port scans etc., and then only enable ETA/FNF on the ISR inside interface of each site?

Does that look good? Looking for others who have done this. Any gotchas?
