TRANSCRIPT
Tetration Overview
Mike Herbert
PSOACI-4591
© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
How
cs.co/ciscolivebot#PSOACI-4591
Data Center Vision: Intent Based Infrastructure
• ACI, UCS (Intent Based Automation): Infrastructure Automation
• Network Assurance Engine (Formal Methodologies): Guarantees, Compliance, Consistency
• Tetration Platform (Machine Learning Based Operations and Security): Security, ADM, Security Forensics
• Cisco CloudCenter (Common Consumption across Hybrid IT): Application Deployment
Inter-dependent feedback loops: 1. Deployment and Provisioning; 2. Operations and Management
Traditional Monitoring Is Showing Its Age: Not suited for Modern Network and Security Operations
Where data is created: every device exposes SNMP, CLI and Syslog, none of it in real time.
Where data is useful: an SNMP server, a Syslog collector and scripts feed storage and analysis.
Strong burden on the back-end: normalize different encodings, transports, data models and timestamps.
Telemetry Push vs SNMP Polling
• SNMP: one minute polling
• Telemetry: 10 second software process push
• Telemetry: sub-second push
Data Granularity Needs to Improve
Resolution = frequency of data collection. The scale runs from on-change and <= 1 sec through ~10s of seconds to ~minutes-hours.
Use cases placed along that scale: Microburst Detection, Traffic Engineering, Capacity Planning, Troubleshooting & Remediation (Self Driving), Security and Policy Enforcement, ADM, Service Level Monitoring, Workload Placement.
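The point of the granularity scale is that what a collector can detect is bounded by how often it collects. The following Python is an added illustration, not material from the deck: it constructs a 120-second link-utilisation trace with a single 500 ms microburst and shows the peak a collector would record at 60 s SNMP polling, 10 s push, 1 s push and 100 ms push. The trace values, the 80% alert threshold and the averaging model (each report is the mean over its window, as a counter delta would be) are assumptions made for the example.

```python
from statistics import mean

STEP_MS = 100  # resolution of the constructed ground-truth trace (10 samples per second)


def link_utilization(duration_s, burst_start_s, burst_len_s, base=0.02, burst=1.0):
    """Constructed ground truth: a link idling at 2% utilisation with one microburst
    that saturates it for burst_len_s seconds. One value per STEP_MS."""
    n = duration_s * 1000 // STEP_MS
    trace = []
    for i in range(n):
        t_ms = i * STEP_MS
        in_burst = burst_start_s * 1000 <= t_ms < (burst_start_s + burst_len_s) * 1000
        trace.append(burst if in_burst else base)
    return trace


def observe(trace, interval_s):
    """What a collector records when it receives one averaged report every interval_s
    seconds (a 60 s SNMP counter poll, a 10 s push, a 1 s push, ...).
    Each report is the mean utilisation over its window."""
    per = int(interval_s * 1000 / STEP_MS)
    return [mean(trace[i:i + per]) for i in range(0, len(trace), per)]


def peak_seen(trace, interval_s):
    """Highest utilisation the collector ever saw at this collection interval."""
    return max(observe(trace, interval_s))


def detects_burst(trace, interval_s, threshold=0.8):
    """Would a 'link above 80%' alert ever fire at this collection interval?"""
    return peak_seen(trace, interval_s) >= threshold


# Constructed scenario: 120 s of traffic, a 500 ms saturating burst starting at t=30 s.
TRACE = link_utilization(duration_s=120, burst_start_s=30, burst_len_s=0.5)

if __name__ == "__main__":
    for label, interval in (("SNMP 60 s poll", 60), ("10 s push", 10), ("1 s push", 1), ("100 ms push", 0.1)):
        print(f"{label:14s} peak={peak_seen(TRACE, interval):.3f} alert={detects_burst(TRACE, interval)}")
```

At one-minute polling the saturated link reports under 3% utilisation, at 10 s under 7%, at 1 s about 51%, and only the sub-second push sees 100%; the burst is invisible to the alert at every interval but the last.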
Cisco Tetration Platform
Foundation: Visibility and Forensics, with Application Insight, Process Inventory, Neighborhood Graphs, and Network and TCP Performance
Segmentation: White-list Policy, Policy Compliance, Application Segmentation
Operations
Architecture Overview
Data Collection:
• Software Sensor and Enforcement
• Embedded Network Sensors (Telemetry Only)
• Third Party Sources (Configuration Data)
Analytics Engine: Cisco Tetration Analytics Cluster
Open Access: Web GUI, REST API, Event Notification, Tetration Apps
• Self Managed Cluster
• One Touch Deployment
• Easy Integration via Open interfaces
• Open Data Lake (via Tetration Apps)
• No Hadoop / Data Science Background Needed
• No External Storage Needed
Data Sources
Software Sensors (Available Now): Linux VM, Windows Server VM, Bare Metal (Linux and Windows Server), Universal* (Basic Sensor for other OS)
• Low CPU Overhead (SLA enforced)
• Low Network Overhead (SLA enforced)
• Enforcement Point (Software agents)
• Highly Secure (Code Signed, Authenticated)
• Every Flow (No sampling), NO PAYLOAD
*Note: the Universal sensor provides no per-packet telemetry and is not an enforcement point
Network Sensors (Next Generation 9K switches): Nexus 9200-X, Nexus 9300-EX, Nexus 9300-FX
Third Party Sources (3rd party data sources): Asset Tagging, Load Balancers, IP Address Management, CMDB, …
Cisco Tetration: Bring your own data
Main features
• Stream any JSON-based telemetry to a data sink
• Support up to 10 simultaneous streaming topics
• Bring up to 5 GB of data per hour per streaming topic
• Analyze and write your results through alerts or UI
Flow: streaming JSON telemetry from northbound consumers or the public cloud into the Tetration data sink.
And if that is not enough – ERSPAN can fill in the gaps
• Dedicated virtual machines on each host with 3 software sensors in each virtual machine
• Each sensor binds to a separate vNIC
• ERSPAN terminates on the virtual machine vNIC
• Each sensor terminates one ERSPAN session
• Sensor generates telemetry based on the data-plane traffic
• Horizontally scalable
Topology: a Layer 3 switch in the production network sends ERSPAN over a Layer 3 connection to the sensor VMs, which send Cisco Tetration telemetry to the Cisco Tetration Platform.
Expanded telemetry collection option
• Augment telemetry from other parts of the network
• Useful when software sensor or hardware sensor is not feasible
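A sensor terminating an ERSPAN session has to unwrap GRE and the ERSPAN header, then reduce the mirrored frame to flow metadata without keeping the payload (the "every flow, no payload" property from the data sources slide). The following Python is an added example of that step and is not Tetration's sensor code. It follows the ERSPAN Type II header layout from the IETF draft (draft-foschiano-erspan), assumes the outer IP header has already been removed so the buffer starts at GRE, and builds its own constructed sample packet with zeroed checksums; the session number, VLAN, addresses and SQL-looking payload are invented for the demonstration.

```python
import struct
import ipaddress
from dataclasses import dataclass

GRE_PROTO_ERSPAN_II = 0x88BE   # protocol type the GRE header carries for ERSPAN Type II
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000
ETHERTYPE_IPV4 = 0x0800


@dataclass(frozen=True)
class FlowRecord:
    """Per-packet telemetry a sensor would emit: headers only, payload bytes are never stored."""
    erspan_session: int
    vlan: int
    src: str
    dst: str
    proto: int
    sport: int
    dport: int
    tcp_flags: int
    payload_len: int


def parse_erspan_ii(buf: bytes) -> FlowRecord:
    """Parse GRE + ERSPAN Type II + the mirrored Ethernet/IPv4/(TCP|UDP) frame.
    buf starts at the GRE header, i.e. the outer IP header has already been removed."""
    gre_flags, gre_proto = struct.unpack_from("!HH", buf, 0)
    if gre_proto != GRE_PROTO_ERSPAN_II:
        raise ValueError(f"GRE protocol 0x{gre_proto:04x} is not ERSPAN Type II")
    off = 4
    if gre_flags & GRE_FLAG_C:
        off += 4                      # checksum + reserved1
    if gre_flags & GRE_FLAG_K:
        off += 4                      # key
    if gre_flags & GRE_FLAG_S:
        off += 4                      # sequence number; ERSPAN Type II sets S

    # ERSPAN Type II header, 8 bytes (draft-foschiano-erspan):
    # Ver(4) VLAN(12) COS(3) En(2) T(1) SessionID(10) | Reserved(12) Index(20)
    word1, _word2 = struct.unpack_from("!II", buf, off)
    version = word1 >> 28
    if version != 1:
        raise ValueError(f"ERSPAN version {version} is not Type II")
    vlan = (word1 >> 16) & 0x0FFF
    session = word1 & 0x03FF
    off += 8

    # Mirrored Ethernet frame: dst MAC(6) src MAC(6) ethertype(2)
    (ethertype,) = struct.unpack_from("!H", buf, off + 12)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError(f"inner ethertype 0x{ethertype:04x} is not handled here")
    off += 14

    # Inner IPv4 header
    ihl = (buf[off] & 0x0F) * 4
    (total_len,) = struct.unpack_from("!H", buf, off + 2)
    ip_proto = buf[off + 9]
    src = str(ipaddress.IPv4Address(buf[off + 12:off + 16]))
    dst = str(ipaddress.IPv4Address(buf[off + 16:off + 20]))
    l4 = off + ihl

    if ip_proto == 6:                                   # TCP
        sport, dport = struct.unpack_from("!HH", buf, l4)
        data_off = (buf[l4 + 12] >> 4) * 4
        tcp_flags = buf[l4 + 13]
        payload_len = total_len - ihl - data_off
    elif ip_proto == 17:                                # UDP
        sport, dport, udp_len = struct.unpack_from("!HHH", buf, l4)
        tcp_flags, payload_len = 0, udp_len - 8
    else:                                               # other: record the 3-tuple only
        sport = dport = tcp_flags = 0
        payload_len = total_len - ihl
    # Bytes after the L4 header are deliberately never copied into the record.
    return FlowRecord(session, vlan, src, dst, ip_proto, sport, dport, tcp_flags, payload_len)


def is_erspan_ii(buf: bytes) -> bool:
    """Cheap guard a sensor can run before spending cycles on a frame."""
    try:
        parse_erspan_ii(buf)
        return True
    except (ValueError, struct.error, IndexError):
        return False


def build_sample(session: int = 7, vlan: int = 100, payload: bytes = b"SELECT 1 FROM DUAL") -> bytes:
    """Constructed ERSPAN Type II packet for the demo (checksums left zero; not a real capture)."""
    gre = struct.pack("!HHI", GRE_FLAG_S, GRE_PROTO_ERSPAN_II, 1)          # S bit set, seq=1
    word1 = (1 << 28) | (vlan << 16) | (3 << 13) | (0 << 11) | (0 << 10) | session
    erspan = struct.pack("!II", word1, 0x00000A01)                        # reserved=0, index=0xA01
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + struct.pack("!H", ETHERTYPE_IPV4)
    tcp = struct.pack("!HHIIBBHHH", 51234, 1521, 1000, 2000, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0x1234, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address("10.0.1.5").packed, ipaddress.IPv4Address("128.0.11.20").packed)
    return gre + erspan + eth + ip + tcp + payload


if __name__ == "__main__":
    print(parse_erspan_ii(build_sample()))
```

The record carries the ERSPAN session (so telemetry from different mirrored segments can be told apart), the inner 5-tuple, TCP flags and only the length of the payload; a real sensor would also aggregate these per-packet records into flows and handle 802.1Q-tagged and IPv6 inner frames, which this example rejects explicitly.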
Deployment Options (customer managed)
Hardware options
Cisco Tetration™ platform (large form factor)
• Suitable for deployments of more than 5000 workloads
• Built-in redundancy
• Scales to up to 25,000 workloads
• Includes: 36 Cisco UCS® C220 servers, 3 Cisco Nexus® 9300 platform switches
Cisco Tetration-M (small form factor)
• Suitable for deployments of less than 5000 workloads
• Includes: 6 Cisco UCS C220 servers, 2 Cisco Nexus 9300 platform switches
Public cloud (Amazon Web Services, Microsoft Azure)
Cisco Tetration Cloud
• Software deployed in public cloud
• Suitable for deployments of less than 1000 workloads
• Public cloud instance owned by customer
Software Only Option
Cisco Tetration Software only option (coming in Q2CY18)
• Suitable for deployments of less than 1000 workloads
• Published hardware requirements
• Supported in VMware ESXi based environment
Deployment Options (Cisco managed)
Cisco Tetration™ as a Service (coming in Q2CY18)
• Software as a Service model: no need to purchase, install and manage hardware or software
• Fully managed and operated by Cisco
• Suitable for commercial customers and SaaS-first/SaaS-only customers
• Flexible pricing model, lower barrier to entry
• Quick turn up
• Scales to up to 25,000 workloads
What is really running in my Data Center? Cisco Tetration Analytics application insight dependency map
Use Cisco Tetration Analytics™ to discover, monitor, troubleshoot and secure based on what you really have.
Map dimensions: Security, Dependencies, Application, Service offering, Service, Service category (Service owner)
Application dependency and cluster grouping
Cisco Tetration Analytics™ platform: unsupervised machine learning and behavior analysis over bare-metal, VM and switch telemetry
• On-premises and cloud workloads (AWS): bare-metal and VM telemetry, VM telemetry (AMI …)
• Brownfield: bare metal and VM
• Network-only sensors (Cisco Nexus® 9000 Series), host-only sensors, or both (preferred)
Application Workspaces
Example workspaces (Primary): Oracle - Dev, Oracle - Prod, DNS, HRMS - Prod
Interfaces: Expose Oracle VIP, Expose DNS VIP
Why this approach is different
Policy information generated based on the data-plane information
Flexibility to define policies beyond IP addresses
Organization structure taken into account for policy generation
Align application policy to match corporate business policies
Cisco Tetration Platform: Application and Network performance and visibility use cases
Visibility and Operations
• Visibility and forensics
• Application insight
• Network and TCP performance
• Process inventory
• Neighborhood graphs
What Do We Mean by “Application and Network”? Correlation of Enforcement and Telemetry
• Cisco Tetration and ACI are designed to provide complementary visibility, security and operations
• Tetration platform provides network performance monitoring functionalities in Cisco ACI™ mode
• The following Cisco Nexus® 9000 series hardware is required: Cisco Nexus 9300-FX based leaf switches; Cisco Nexus 9500 series spine switches with N9K-X9736C-FX line cards
• These functionalities require Cisco ACI release 3.1 or later
What Do We Mean by “Application and Network”? Correlation with the view from the Server
Cisco Tetration Analytics™ correlates Process Inventory and Process details with Flow Inventory and Flow details.
Diagnosing TCP and Full Flow Details
Process details and flow details, including TCP retransmissions, side by side.
Objective: View of Application as Related to Infrastructure (Multi-Domain View)
Domains: Public Cloud, vPod, Hypervisor and Service VMs
Audiences: Infrastructure Administration; Application Owner, Administrator, …
Consistent Governance across all of them, delivered by Cisco Tetration Analytics™
Segmentation Policy: Express Policies in Human Language
Development can’t talk to production
• Cisco Tetration knows who is production
• Cisco Tetration knows who is development
• Policies are continuously updated as applications change
Allow computers to perform the heavy lifting: Tetration automatically converts your intent into blacklist and whitelist rules
Intent and the rules generated from it
• Block nonproduction applications from talking to production applications
  Rule: SOURCE 10.0.0.0/8 DEST 128.0.0.0/8
• Allow HR applications to use the employee database
  Rule: SOURCE 128.0.10.0/24 DEST 128.0.11.0/24
• Block all HTTP connections that are not destined for web servers
  Rule: SOURCE * DEST 128.0.100.0/24 PORT = 80 (the web-server exception, evaluated first)
  Rule: SOURCE * DEST * PORT = 80 (all remaining port 80 traffic, blocked)
Multiple Teams can share Policy Management
• Application owners need some amount of autonomy to make application-level changes quickly
• Security and network teams need to control the global aspects of application interconnection and shared services
• Cisco Tetration flattens intent in a deterministic order, prioritizing intent of higher-authority users over intent of application owners
Precedence when flattening (highest authority first): Security team rules, Network team rules, Application owner rules
The App Security Edge moves with the Application
Cisco Tetration Analytics (workloads in Azure, Amazon and on premises)
1. Generates unique policy per workload
2. Pushes policy to all workloads
3. Workload securely enforces policy
4. Continuously computes policy from identity and classification changes
Enforcement targets: Virtual, Bare metal, Cisco ACI™, Public cloud, Traditional network
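The three slides above describe one pipeline: human intent is compiled to address-level allow/block rules, higher-authority intent is flattened ahead of application-owner intent, and each workload receives only the slice of policy it can match. The following Python is an added example of that pipeline and not Tetration's implementation. It uses the prefixes from the intent slide, but the label-to-prefix inventory standing in for ADM, the first-match evaluation with a whitelist (default block) outcome, and the reading that the port-80 intent compiles to a web-server exception followed by a general block are all assumptions made here.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = ipaddress.ip_network("0.0.0.0/0")

# Constructed inventory: classification label -> address scope. The prefixes are the
# ones the slide uses; in the product they would come from ADM and tags, not a dict.
INVENTORY = {
    "nonproduction": ["10.0.0.0/8"],
    "production":    ["128.0.0.0/8"],
    "hr-app":        ["128.0.10.0/24"],
    "employee-db":   ["128.0.11.0/24"],
    "web-servers":   ["128.0.100.0/24"],
}

# Higher authority flattens first: security over network over application owner.
AUTHORITY = {"security": 0, "network": 1, "application": 2}


@dataclass(frozen=True)
class Intent:
    owner: str              # "security" | "network" | "application"
    action: str             # "allow" | "block"
    src: Optional[str]      # classification label, or None for any
    dst: Optional[str]
    port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]
    owner: str


def scopes(label: Optional[str]) -> List[ipaddress.IPv4Network]:
    """Resolve a label to prefixes; None means the wildcard."""
    return [ANY] if label is None else [ipaddress.ip_network(p) for p in INVENTORY[label]]


def compile_intents(intents: List[Intent]) -> List[Rule]:
    """Flatten intent into an ordered, first-match rule list. sorted() is stable,
    so rules keep their written order inside one authority tier."""
    ordered = sorted(intents, key=lambda i: AUTHORITY[i.owner])
    return [Rule(i.action, s, d, i.port, i.owner)
            for i in ordered for s in scopes(i.src) for d in scopes(i.dst)]


def decide(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First matching rule wins; whitelist model, so no match means block."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if s in r.src and d in r.dst and (r.port is None or r.port == port):
            return r.action
    return "block"


def workload_policy(rules: List[Rule], ip: str) -> List[Rule]:
    """Per-workload policy: only the rules this address can ever match, order preserved."""
    a = ipaddress.ip_address(ip)
    return [r for r in rules if a in r.src or a in r.dst]


# Constructed intents, deliberately listed with the least authoritative owner first.
INTENTS = [
    Intent("application", "allow", "hr-app", "employee-db"),
    Intent("application", "allow", "nonproduction", "employee-db"),   # dev asks for prod DB access
    Intent("network", "allow", None, "web-servers", 80),
    Intent("network", "block", None, None, 80),                       # HTTP only to web servers
    Intent("security", "block", "nonproduction", "production"),        # dev can't talk to prod
]
RULES = compile_intents(INTENTS)

if __name__ == "__main__":
    for r in RULES:
        print(f"{r.owner:12s} {r.action:5s} {r.src} -> {r.dst} port={r.port}")
    print(decide(RULES, "10.1.2.3", "128.0.11.5", 1521))      # block: security outranks the dev allow
    print(decide(RULES, "128.0.10.7", "128.0.11.5", 1521))    # allow: HR to employee DB
    print(decide(RULES, "128.0.10.7", "128.0.11.5", 80))      # block: HTTP to a non-web server
    print([str(r.dst) for r in workload_policy(RULES, "10.1.2.3")])
```

The application owner's "nonproduction may reach employee-db" intent is compiled, but lands behind the security team's block, so a development host still cannot reach the database; the same ordering makes the network team's port-80 block override the HR allow for HTTP. Per-workload policy is simply the ordered subset a given address can match, which is what step 1 of the slide pushes to each enforcement point.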
Enforcement across the Systems, ACI and Tetration
Tetration ACI App (Cisco Tetration Analytics, northbound REST interface)
• Use Tetration ADM to create ACI compatible Policy*
• Assign Tetration policy elements to ACI policy elements
• Understand the impact (TCAM) of policy
• Provide optimizations to efficiently fit policy in fabric
Using data provided by Tetration, TCAM usage can be optimized
For a large deployment, applying generalization to the top 5 policy groups results in a 78% TCAM saving (160K).
• Adjust the policy enforcement mechanism based on TCAM utilization:
  • Enforce as-is
  • Enforce outgoing connection as-is (incoming will be generalized)
  • Enforce incoming as-is (outgoing will be generalized)
  • Generalize enforcement in both directions
• Visualize TCAM impact on associated leaf switches
Cisco Tetration Analytics: Open API
Rest API (programmatic interface, pull)
• Cisco Tetration flow search
• Sensor management
Push notification (Kafka broker, message publish to northbound consumers)
• Out-of-the-box events
• User-defined events
Cisco Tetration applications
• Access to data lake
• Write your own application
Platform built for scale and flexibility
Real time and scalable
• Every packet, every flow
• Application segmentation for 1000s of applications
• Extends visibility to process and software packages
• Long term data retention
Holistic workload protection
• Consistent application segmentation
• Any workload, anywhere
• Process behavior deviations
• Software package vulnerability
Easy to use
• One touch deployment
• Self monitoring
• Self diagnostics
• Standard web UI
Open
• REST API (pull)
• Event notification (push)
• Tetration applications
Want more information?
• Tetration Analytics - Network Analytics & Machine Learning Enhancing Data Center Security and Operations [BRKACI-2040]: yesterday, 2:15 PM (sorry, it will be available online)
• Inside Cisco IT: ACI & Tetration Analytics [BRKCOC-2006]: Friday, 11:30 AM
• Tetration overview [PSOACI-4591]: today, 1 PM (sorry, it will be available online)
• Customer Data Center Insights using Tetration [BRKACI-2509]: Friday, 11:30 AM
• Exploring Tetration APIs [DEVNET-1722]: Thursday, 5 PM
• Technical seminar for Tetration analytics [TECDCT-1757]: yesterday (sorry, it will be available online)
Thank you