Design Requirements
This section provides high-level guidance for deciding where to deploy both ETA and FNF in traditional, non-fabric campus and routed WAN infrastructures. This Cisco design guide has also been updated to include IOS-XE 16.9.2 and Stealthwatch 6.10 or 7.0 as the recommended software releases when implementing ETA and Flexible NetFlow in your environment.
For in-depth design guidance for ETA, please refer to the ETA Design Guide.
Campus Wired
In campus networks, prior to the introduction of ETA, NetFlow monitoring of wired traffic was typically configured on any combination of access ports, access switch uplinks to distribution, or distribution switches. Often, NetFlow would be configured either at the distribution layer of the network or at the uplink ports of the access layer switches, providing a distributed and scalable means of monitoring traffic entering or leaving the access switch.
Starting with Cisco IOS XE 16.6.2 on the Cisco Catalyst 9300 and 9400 Series Switches licensed for DNA Advantage, ETA was introduced, and additional data elements of encrypted communications such as the IDP (Initial Data Packet) and SPLT (Sequence of Packet Lengths and Times) began to be exported in ETA records, enabling analysis of these data elements for the purpose of performing a crypto audit and/or malware detection. Although ETA is supported in IOS-XE 16.6.2 and later, we only recommend the use of 16.9.2 or later due to scalability enhancements introduced in that release.
With the introduction of ETA support on the Catalyst 9300 and 9400 switches in the network, the strategy for where to configure ETA and Flexible NetFlow changes. Encrypted Traffic Analytics should be considered an access layer technology and be configured as close as possible to the wired endpoints. There are two reasons for this: the accuracy of the packet timestamps from which the SPLT is derived, and visibility into intra-switch (East/West) traffic that never crosses an uplink. For wired traffic, the recommendation is therefore to configure both ETA and Flexible NetFlow on the access ports of the switch.
Only the Catalyst 9300 and 9400 access switches support ETA. The Catalyst 9500 and 9600 switches do not support ETA regardless of where they are deployed in the network.
Campus Wireless
An in-depth discussion of monitoring campus wireless traffic is beyond the scope of this document at this time. Monitoring of wireless traffic in a centralized (WLC local mode) deployment, as discussed earlier, is possible when deploying a Catalyst 9800 Series wireless controller running IOS-XE 16.10.1 or greater. Additionally, the wireless traffic can be redirected via SPAN or tap at the switch to which the controller is attached to a Cisco Stealthwatch Flow Sensor running version 7.1, and the Flow Sensor can then export both ETA and FNF data.
AireOS-based 2500, 5500 and 8500 Series wireless controllers do not support ETA, and hence a Stealthwatch v7.1 Flow Sensor would be required.
For FlexConnect deployments, if the wireless access points are connected to a Catalyst 9300 or 9400 switch, ETA can be configured on the trunk or access ports to which the FlexConnect APs are attached. As all wireless data traffic egresses the AP into the wired network at that switch port, only that port needs to be configured for ETA and FNF monitoring.