01-19-2020 02:22 PM - edited 01-19-2020 11:55 PM
I am trying to make sure I have the right config.
Looking at this:
I was looking at the 9300 config and it shows that NetFlow is enabled both inbound and outbound, and it was only enabled on the uplink interface.
Questions:
1) Are the fields in that document right and still accurate?
2) Almost all sample configs only show NetFlow enabled on the inbound. Do we need to enable input/output?
3) If I have a 9300 Layer 2 switch, can I enable NetFlow on all switch ports and also enable ETA on all those interfaces? Potential performance issues? The sample showed enabling NetFlow on the uplink interface and only enabling ETA on the access interface:
interface GigabitEthernet1/0/1
 description Uplink Interface
 no switchport
 ! FNF monitor applied in both directions on the routed uplink
 ip flow monitor ETA-FLOWMONITOR input
 ip flow monitor ETA-FLOWMONITOR output
!
et-analytics
 ! global ETA export target (collector address and port)
 ip flow-export destination <dest ip address> 2055
!
interface GigabitEthernet1/0/2
 description access layer interface
 switchport
 switchport access vlan 5
 ! ETA enabled per interface on the access port only
 et-analytics enable
Update:
I found this in the docs:
"Flexible NetFlow monitor can be applied on the same interface that has ETA enabled, only if the other flow monitor has the same 5-tuple in the match field. So, Flexible NetFlow with only a limited set of match attributes is supported."
I wish this was clearer :) So what are the best practices on which interfaces we enable NetFlow vs. ETA? And what is the downside of not having the extended attributes?
01-20-2020 10:14 AM
I've found that the best references regarding configuring Encrypted Traffic Analytics (ETA) are:
the ETA White Paper (https://www.cisco.com/c/dam/en/us/solutions/collateral/enterprise-networks/enterprise-network-security/nb-09-encrytd-traf-anlytcs-wp-cte-en.pdf )
and
the Design Guide (https://www.cisco.com/c/dam/en/us/td/docs/solutions/CVD/Campus/eta-design-guide-2019oct.pdf )
There are design and deployment decisions that have to be made when deploying ETA on your network infrastructure. ETA metadata represents new NetFlow / IPFIX metadata that is generated by a new process running on the devices where it is deployed. ETA runs in this new process because it can be deployed on a variety of hardware (physical and virtual), from as little as 2 Ethernet interfaces (where it would have little impact) to as many as 48 ports, where it may have a significant impact depending on how it is designed and deployed.
01-20-2020 04:55 PM
Thanks Brian. I did find that document after I put up my post, but it still doesn't answer all my questions, and it doesn't talk about where to put FNF only and where to put ETA. It does have some pointers.
Mine is a very small deployment: about 6 sites, each with their own internet breakout 44xx router and a VPN mesh between the sites. Each site has a core 9300 and an edge 9300 that connects to the 44xx ISR.
My thoughts are that I could have full-blown FNF on all the 9300 switch ports to gather east-west traffic, port scans, etc., and then only enable ETA/FNF on the ISR inside interface of each site?
Does that look good? Looking for others who have done this. Any gotchas?
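An added example, not taken from any of the posts above or from Cisco's documents, that puts the two points of this thread into one Catalyst 9300 configuration: the quoted restriction that a Flexible NetFlow monitor on an ETA-enabled interface has to match on the same 5-tuple, and the placement question of full FNF on the switch ports versus ETA plus FNF on the interface facing the ISR. The record, exporter and monitor names (FNF-FULL, FNF-5TUPLE, FNF-EXPORTER, FNF-FULL-MON, FNF-5TUPLE-MON), the VLAN number, the interface roles and the collector address 192.0.2.10 are assumptions; the command syntax is standard IOS-XE FNF and ETA, but the set of collect fields the platform accepts alongside ETA should be confirmed against the ETA guide for the running release.

```cisco
! --- Full FNF record: 5-tuple match plus the extended attributes ---
! Gives east-west visibility (scans, lateral movement) on ports that do NOT run ETA.
flow record FNF-FULL
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect interface output
 collect transport tcp flags
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
! --- Limited record: ONLY the 5-tuple in the match fields ---
! This is the shape the quoted doc statement allows next to ETA on the same interface.
flow record FNF-5TUPLE
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect counter bytes long
 collect counter packets long
 collect timestamp absolute first
 collect timestamp absolute last
!
! --- One exporter for both monitors; 192.0.2.10 is a placeholder collector ---
flow exporter FNF-EXPORTER
 destination 192.0.2.10
 transport udp 2055
 export-protocol ipfix
!
flow monitor FNF-FULL-MON
 exporter FNF-EXPORTER
 cache timeout active 60
 cache timeout inactive 15
 record FNF-FULL
!
flow monitor FNF-5TUPLE-MON
 exporter FNF-EXPORTER
 cache timeout active 60
 cache timeout inactive 15
 record FNF-5TUPLE
!
! --- ETA export goes to the same collector, same port as in the original post ---
et-analytics
 ip flow-export destination 192.0.2.10 2055
!
! Uplink towards the 44xx ISR: full FNF in both directions, no ETA here.
interface GigabitEthernet1/0/1
 description Uplink to ISR 44xx
 no switchport
 ip address 10.0.0.2 255.255.255.252
 ip flow monitor FNF-FULL-MON input
 ip flow monitor FNF-FULL-MON output
!
! Access port: ETA plus the 5-tuple-only monitor, which is the combination the doc permits.
interface GigabitEthernet1/0/2
 description Access port with ETA
 switchport mode access
 switchport access vlan 5
 ip flow monitor FNF-5TUPLE-MON input
 et-analytics enable
!
! Access port without ETA: full FNF is fine, since the 5-tuple restriction only applies where ETA is enabled.
interface GigabitEthernet1/0/3
 description Access port, FNF only
 switchport mode access
 switchport access vlan 5
 ip flow monitor FNF-FULL-MON input
```

The split answers the "downside" question from the update: wherever ETA is enabled, the co-resident FNF monitor loses the extended attributes (input/output interface, TCP flags), so those ports are covered by ETA's own metadata plus byte and packet counts only. Ports without ETA keep the full record, and applying it on input alone is usually enough on access ports because the other direction of each flow is seen on the uplink, where both directions are monitored.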