tetration overview - clnv.s3.amazonaws.com · architecture overview data collection software sensor...

Tetration Overview

Mike Herbert

PSOACI-4591

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public

Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How

cs.co/ciscolivebot#PSOACI-4591

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public 4PSOACI-4591

ACI, UCS (Intent

Based Automation)

Network

Assurance

Engine

(Formal

Methodologies)

Tetration Platform(Machine Learning Based Operations

and Security)

Guarantees

Compliance

Consistency

Infrastructure

Automation

Security

ADM

Security

Forensics

Application

Deployment

Cisco

CloudCenter(Common

Consumption across

Hybrid IT)

Inter-dependent

feedback loops

1. Deployment and

Provisioning

2. Operations and

Management

Data Center VisionIntent Based Infrastructure


Traditional Monitoring Is Showing Its AgeNot suited for Modern Network and Security Operations

Where Data Is Created Where Data Is Useful

Non

Real

time

SNMP

CLI

Syslog

SNMP

CLI

Syslog

SNMP

Server

Syslog

Collector

Scripts

Storage & Analysis

Strong burden on

back-end

Normalize different

encodings, transports, data

models, timestamps


One Minute SNMP Polling

Telemetry – 10 Second PushSNMP – 1 Minute Polling

PSOACI-4591 6


10 Second SW Process Push

Telemetry – 10 Second Push

PSOACI-4591 7

© 2018 Cisco and/or its affiliates. All rights reserved. Cisco PublicPSOACI-4591

Sub Second Push

8


Data Granularity Needs to Improve

On-Change <= 1 sec ~10s sec ~minutes-hours

Resolution = Frequency of Data Collection

Microburst Detection Traffic Engineering

Capacity Planning

Troubleshooting & Remediation (Self Driving)

Security and Policy Enforcement

ADM

Service Level Monitoring

Workload Placement

PSOACI-4591 9


Cisco Tetration Platform

Application Insight

Process Inventory

Visibility andForensics


Foundation

Segmentation

Operations

White-list Policy

PolicyCompliance

Application Segmentation

Neighborhood Graphs

Network and TCP

Performance


Architecture Overview

Data Collection

Software Sensor and

Enforcement

Embedded

Network Sensors(Telemetry Only)

Third Party Sources(Configuration Data)

Analytics Engine

Cisco

Tetration

Analytics

Cluster

Open Access

Web GUI

REST API

Event Notification

Tetration Apps

Self Managed Cluster

One Touch Deployment

Easy Integration via Open interfaces

Open Data Lake (via Tetration Apps)

No Hadoop / Data Science Background Needed

No External Storage Needed


Data Sources

Low CPU Overhead (SLA enforced)

Low Network Overhead (SLA enforced)

Enforcement Point (Software agents)

Highly Secure (Code Signed, Authenticated)

Every Flow (No sampling), NO PAYLOAD

*Note: No per-packet Telemetry, Not an enforcement point

Software Sensors

Universal*(Basic Sensor for other OS)

Linux VM

Windows Server VM

Bare Metal(Linux and Windows Server)

Available Now

Third Party Sources

Asset Tagging

Load Balancers

IP Address Management

CMDB

…

3rd party Data Sources

Nexus 9200-X

Nexus 9300-EX

Network SensorsNext Generation 9K switches

Nexus 9300-FX


Cisco Tetration: Bring your own data

Main features

• Stream any JSON-based telemetry to a data sink• Support up to 10 simultaneous streaming topics

• Bring up to 5 GB of data per hour per streaming topic• Analyze and write your results through alerts or UI

Northbound consumers

Datasink

Public Cloud

Streaming JSON telemetry


And if that is not enough – ERSPAN can fill in the gaps

• Dedicated virtual machines on each host with 3 software sensors in each virtual machine

• Each sensor binds to a separate vNIC

• ERSPAN terminates on the virtual machine vNIC

• Each sensor terminates one ERSPAN session

• Sensor generates telemetry based on the data-plane traffic

• Horizontally scalable

Layer 3 connection

ERSPAN

Layer 3 switch

Expanded telemetry collection option

• Augment telemetry from other parts of the network

• Useful when software sensor or hardware sensor is not feasible

Cisco Tetration telemetry


Production network

Production network


Deployment Options (customer managed)

Cisco Tetration Cloud

• Software deployed in public cloud

• Suitable for deployments of less than 1000 workloads

• Public cloud instance ownedby customer

Cisco Tetration™ platform (large form factor)

• Suitable for deployments of more than 5000 workloads

• Built-in redundancy

• Scales to up to 25,000workloads

Includes:

• 36 Cisco UCS® C220 servers

• 3 Cisco Nexus® 9300 platform switches

Cisco Tetration-M (small form factor)


Includes:

• 6 Cisco UCS C220 servers

• 2 Cisco Nexus 9300platform switches

AmazonWeb Services

Hardware Options Public cloud

MicrosoftAzure

Software Only Option

Cisco Tetration Software only option


• Published hardware requirements

• Supported in VMWare ESXi based environment

Coming in Q2CY18


Deployment Options (Cisco managed)

Cisco Tetration™ as a Service

• Software as a Service model: no need to purchase, install and manage hardware or software

• Fully managed and operated by Cisco

• Suitable for commercial customers and SaaS-first/SaaS-only customers

• Flexible pricing model, lower barrier to entry

• Quick turn up

• Scales to up to 25,000 workloads

Cisco Tetration as a Service

Coming in Q2CY18


What is really running in my Data Center?Cisco Tetration Analytics application insight dependency map

Use Cisco

TetrationAnalytics™

to discover, monitor,

troubleshoot and secure

based on what you really

have

Security

Dependencies

Application

Service offering

Service

Service category

(Service owner)


Application dependency and cluster grouping

Bare-metal, VM,and switchtelemetry

Cisco Tetration Analytics™ platform

Unsupervised machine learning

Behavior analysis

On-premises and cloud workloads (AWS)

Bare-metal and

VM telemetry

VM telemetry (AMI …)

BM VM

BMVM

VM BM

BMVM

BM

VM BM

VMVM

Bare metal and VM

BM VM VM BM

Brownfield

BM VM VM BM

Network-only sensors, host-only sensors, or both (preferred)

BM VM VM VM BM

Cisco Nexus® 9000 Series


Application Workspaces

Oracle - DevPrimaryOracle - Prod

Interfaces

Expose

Oracle VIP

Expose DNS VIP

PrimaryDNS

PrimaryHRMS - Prod


Why this approach is different

Policy information generated based on the data-plane information

Flexibility to define policies beyond IP addresses

Organization structure taken into account for policy generation

Align application policy to match corporate business policies


Vis

ibili

ty

21PSOACI-4591

Cisco Tetration PlatformApplication and Network performance and visibility use cases

Op

era

tio

ns

Cisco Tetration™ Platform

Visibility and

forensics

Application

insight

Network and TCP

performance

Process

inventory

Neighborhood

graphs


What Do We Mean by “Application and Network”? Correlation of Enforcement and Telemetry

• Cisco Tetration and ACI are designed to provide complementary visibility, security and operations

• Tetration platform provides network performance monitoring functionalities in Cisco ACI™ mode

• Following Cisco Nexus® 9000 series

hardware is required:

• Cisco Nexus 9300-FX based leaf switches

• Cisco Nexus 9500 series spine switches with

N9K-X9736C-FX line cards

• These functionalities require Cisco ACI

release 3.1 or later

Cisco Tetration

Analytics™


What Do We Mean by “Application and Network”? Correlation with the view from the Server

Process

Inventory

Process

details

Flow Inventory

Flow details

Cisco Tetration

Analytics™


Diagnosing TCP and Full Flow Details

Process

details

Flow detailsTCP

Retransmission


Objective: View of Application as Related to InfrastructureMulti-Domain View

Public Cloud

vPod

HypervisorService VM



Infrastructure

Administration

Application

Owner,

Administrator,

…

Consistent Governance

Cisco Tetration

Analytics™


Segmentation Policy: Express Policies in Human Language

Development can’t talk to production

• Cisco Tetration knows who is production

• Cisco Tetration knows who is development

• Policies are continuously updated as applications change


Allow computers to perform the heavy liftingTetration automatically converts your intent into blacklist and whitelist rules

Intent Rules

Block nonproduction applications from talking to production applications

SOURCE 10.0.0.0/8 DEST 128.0.0.0/8

Allow HR applications to use the employee database

SOURCE 128.0.10.0/24 DEST 128.0.11.0/24

Block all HTTP connections that are not destined for web servers

SOURCE * DEST 128.0.100.0/24 PORT = 80

SOURCE * DEST * PORT = 80


Multiple Teams can share Policy Management

• Application owners need some amount of autonomy to make application-level changes quickly

• Security and network teams need to control the global aspects of application interconnection and shared services

• Cisco Tetration flattens intent in a deterministic order, prioritizing intent of higher-authority users over intent of application owners

Security team rules

Network team rules

Application owner rules


The App Security Edge moves with the Application

Azure Amazon

Cisco Tetration Analytics

1. Generates unique policy per workload

2. Pushes policy to all workloads

3. Workload securely enforces policy

4. Continuously computes policy from identity and classification changes

Google

Enforcement

VirtualBare metal Cisco ACITMPublic cloud Traditional network


Enforcement across the Systems, ACI and Tetration

Cisco TetrationAnalytics

Northbound REST Interface

• Use Tetration ADM to create ACI compatible

Policy*

• Assign Tetration policy elements to ACI

policy elements

• Understand the impact (TCAM) of policy

• Provide optimizations to efficiently fit policy

in fabric

Tetration ACI App

Cisco Tetration Analytics


Using data provided by Tetration, TCAM usage can be optimized

For a large deployment

Applying generalization to Top 5 policy groups

Results in 160K 78%

TCAM saving

• Adjust the policy enforcement mechanism based on TCAM utilization

• Enforce as-is• Enforce outgoing connection as-is

(incoming will be generalized)• Enforce incoming as-is

(outgoing will be generalized)• Generalize enforcement in both directions

• Visualize TCAM impact on associated leaf switches


Cisco Tetration Analytics: Open API

Rest API

• Cisco Tetrationflow search

• Sensor management

Push notification

• Out-of-the-box events

• User-defined events

Cisco Tetration applications

• Access to data lake

• Write yourown application

Northbound application

Programmatic interface

Rest API

Kafka broker



Message publish

Cisco Tetration Analytics™platform

Kafka

Cisco Tetration™applications


Platform built for scale and flexibility

OpenReal time and scalableHolistic workload

protectionEasy to use

• Every packet, every flow

• Application segmentation for 1000s of applications

• Extends visibility to process and software packages

• Long term data retention

• Consistent application segmentation

• Any workload, anywhere

• Process behavior deviations

• Software package vulnerability

• One touch deployment

• Self monitoring

• Self diagnostics

• Standard web UI

• REST API (pull)

• Event notification (push)

• Tetration applications


Cisco Spark

Questions? Use Cisco Spark to communicate with the speaker after the session

1. Find this session in the Cisco Live Mobile App

2. Click “Join the Discussion”

3. Install Spark or go directly to the space

4. Enter messages/questions in the space

How

cs.co/ciscolivebot#PSOACI-4591


• Please complete your Online Session Evaluations after each session

• Complete 4 Session Evaluations & the Overall Conference Evaluation (available from Thursday) to receive your Cisco Live T-shirt

• All surveys can be completed via the Cisco Live Mobile App or the Communication Stations

Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.

Complete Your Online Session Evaluation

http://ciscolive.com/Online

http://www.ciscolive.com/global/on-demand-library/


Continue Your Education

• Demos in the Cisco campus

• Walk-in Self-Paced Labs

• Lunch & Learn

• Meet the Engineer 1:1 meetings

• Related sessions

39PSOACI-4591


Want more information?

• Tetration Analytics - Network Analytics & Machine Learning Enhancing Data Center Security and Operations [BRKACI-2040]

• Yesterday 2h15 PM (sorry – it will be available online)

• Inside Cisco IT: ACI & Tetration Analytics [BRKCOC-2006]

• Friday 11h30AM

• Tetration overview [PSOACI-4591]

• Today 1PM (sorry – it will be available online)

• Customer Data Center Insights using Tetration [BRKACI-2509]

• Friday 11h30AM

• Exploring Tetration APIs [DEVNET-1722]

• Thursday 5pm

• Technical seminar for Tetration analytics [TECDCT-1757]

• Yesterday (sorry – it will be available online)

40PSOACI-4591

Thank you

tetration overview - clnv.s3.amazonaws.com · architecture overview data collection software sensor...

Documents