ETA is supported only on access ports and wireless VLAN on SDA deployment. It is not supported on management, trunk, port-channel, SVI, and loopback interfaces.
ETA and transmit (Tx) Switched Port Analyzer (SPAN) is not supported on the same interface.
The following sections provide information about Encrypted Traffic Analytics.
Encrypted Traffic Analytics (ETA) uses machine learning on an application to determine the flow characteristics such as malware analysis and crypto audit.
Based on the flow-record associated with flow-monitor, the switch creates an exporter template that shows NetFlow records with derived collect fields. Along with the ETA data, FNF data for a corresponding flow is also exported.
ETA supports multiple templates for the configuration export. There is one template per ETA attribute and ETA sends individual attribute detail in each template during the export. Sequence of Packet Length and Times (SPLT) and Initial Data Packet (IDP) are stored in separate templates, which are used to generate NetFlow records. Both these NetFlow records are sent for a given application flow.
These templates are sent whenever the data is ready. This helps NetFlow collector to interpret data with correct attribute values. The exporter destination and port is going to be common for all interfaces and this value is provided in the global et-analytics configuration command. The scale number for ETA is 2000 flows per second.
This template export supports only one exporter IP address for an ETA flow-monitor. Multiple template export is supported for NetrFlow v9 version. from
The ETA information is exported only if any of the following two conditions are met.
If the data required is computed and the required number of packets are seen by the ETA collector.
If the established flow remains idle for a period configured as inactive timeout, the partial data will be exported.
 Note |
The configured inactive timer is applicable globally. Different ports cannot be configured with different values. |
The following sections provide information on how to configure Encrypted Traffic Analytics.
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password if prompted. |
| Step 2 |
configure terminal Example: |
Enters the global configuration mode. |
| Step 3 |
et-analytics Example: |
Enters the global et-analytics configuration mode. |
| Step 4 |
ip flow-export destination destination_ip_address port Example: |
Configures the global collector destination IP address and port. |
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password if prompted. |
| Step 2 |
configure terminal Example: |
Enters the global configuration mode. |
| Step 3 |
et-analytics Example: |
Enters the global et-analytics configuration mode. |
| Step 4 |
inactive time time in seconds Example: |
Configures the inactive timer value. The range is from 1 to 604800 and the default value is 15 seconds. |
| Command or Action | Purpose | |
|---|---|---|
| Step 1 |
enable Example: |
Enables privileged EXEC mode. Enter your password if prompted. |
| Step 2 |
configure terminal Example: |
Enters the global configuration mode. |
| Step 3 |
interface interface-id Example: |
Enters the interface configuration mode. |
| Step 4 |
et-analytics enable Example: |
Enables et-analytics on a particular interface. |
The following sections provide examples for configuring Encrypted Traffic Analytics.
This example shows how to configure a flow-exporter destination IP address of 10.1.1.1 and port 2055.
Device#config terminal
Device (config)#et-analytics
Device (config-et-analytics)#ip flow-export destination 10.1.1.1 2055 This example shows how to configure an inactive timer of 10 seconds.
Device#config terminal
Device (config)#et-analytics
Device (config-et-analytics)#inactive time 10This example shows how to enable et-analytics on interface GigabitEthernet1/0/2.
Device#config terminal
Device (config)#interface gi1/0/2
Device (config-if)#et-analytics enableThis example shows how to display global et-analytics configuration.
Device#show platform software et-analytics global
ET-Analytics Global state
=========================
All Interfaces : Off
IP Flow-record Destination: 172.26.202.123 : 2055
Inactive timer: 10
ET-Analytics interfaces
GigabitEthernet1/0/26
GigabitEthernet1/0/36
ET-Analytics VLANs
This example shows how to display interface et-analytics configuration.
Device#show platform software et-analytics interface
ET-Analytics interfaces
GigabitEthernet1/0/3
This example shows how to display ETA monitor cache output.
Device#show flow monitor etta-mon cache
Cache type: Normal (Platform cache)
Cache size: 10000
Current entries: 4
Flows added: 6
Flows aged: 2
- Inactive timeout ( 15 secs) 2
IPV4 DESTINATION ADDRESS: 15.15.15.35
IPV4 SOURCE ADDRESS: 72.163.128.140
IP PROTOCOL: 17
TRNS SOURCE PORT: 53
TRNS DESTINATION PORT: 12032
counter bytes long: 128
counter packets long: 1
timestamp abs first: 06:23:24.799
timestamp abs last: 06:23:24.799
interface input: Null
interface output: Null
| Related Topic | Document Title |
|---|---|
|
For complete syntax and usage information for the commands used in this chapter. |
Command Reference, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches) |
|
Flexible NetFlow |
Network Management Configuration Guide, Cisco IOS XE Everest 16.6.x (Catalyst 9300 Switches) |
The following table provides release information about the feature or features described in this module. This table lists only the software release that introduced support for a given feature in a given software release train. Unless noted otherwise, subsequent releases of that software release train also support that feature.
| Release | Modification |
|---|---|
|
Cisco IOS XE Amsterdam 17.3.1 |
Support for interoperability of Application Visibility and Control and Encrypted Traffic Analytics on the same port was introduced. |
Feedback