
Tetration update
And other topics

Roxana Diaz and Damien Gouju
Technical Solutions Architects – Cisco EMEAR
27/03/19
Tetration 3.2 is out!

© 2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential

What's new?
• Mainly hardware and infrastructure refresh
• 8 and 39RU are now M5 and -FX based
• Under the hood updates
• No new features (3.2 = 3.1)

Some more capacity

8RU             G1 (M4)           G2 (M5)
CPU             22 Cores / node   24 Cores / node
Data Lake       61.5 TiB          82 TiB
Druid Capacity  12.0 TB           17.1 TB

39RU            G1 (M4)           G2 (M5)
CPU             10 Cores / node   14 Cores / node
Data Lake       203 TiB           304 TiB
Druid Capacity  19.4 TB           29.9 TB

Important note

3.1: M4 Cluster & Tetration-V
3.2: M5 Cluster
3.3: will be unified

Can't upgrade 3.1 to 3.2
New SKUs

Model   M4 / Gen1                         M5 / Gen2
8RU     TA-CL-G1-SFF8-K9  $913,762.32     TA-CL-8U-M5-K9   $822,386.00
39RU    TA-CL-G1-39-K9    $2,215,364.38   TA-CL-39U-M5-K9  $2,022,724.00

Gen2 are available in C1-TETRATION and C1-TETRATION-M bundles

Don't quote Gen1 anymore!

What are the other topics?
• Virtual appliances
• Operational use cases

Virtual appliances: Your best friends to complete visibility
• Collectors
  • ERSPAN
  • NetFlow
  • AWS VPC Flow logs
  • AnyConnect proxy
  • SLBs (F5, Citrix)
• Tetration Alert Notification
  • AKA TAN

General
• Tetration code runs in a container
• Depending on type, there could be multiple instances / containers
• Each container owns its (public) IP through a specific Docker driver
  → Underlying Virtual Appliance has no IP / no network!
• Tetration code receives data, analyses it and streams to the Tetration cluster (like a regular software sensor)
• All are supported with all form factors (Physical / Tetration-V / SaaS)
• Licensing:
  • ERSPAN / NetFlow: 50 base per container (3x50=150 per VM)
  • AnyConnect: specific license, per endpoint
  • SLBs: 1 base per backend server (unless it already runs a software sensor)
  • TAN: No license (1 per root scope / Tenant)

[Diagram: Virtual Appliance hosting one or more Tetration containers, each with its own NIC and IP (NIC-1 IP A, NIC-2 IP B, ...)]

Deployment
• Same principle for all (some require specific configuration)
• Download the specific OVA from CCO
• Download the sensor from the cluster
• Build an ISO with sensor + hostname + ip(s) config files
• Deploy the OVA, mount the ISO and boot the VM (don't boot it without the ISO)
• Documentation (including scale): https://<cluster>/documentation/ui/appliances.html

[Diagram: Virtual Appliance ← ISO (Agent + Config files)]

Demo
• Deploy ERSPAN sensor and configure vSphere DVS as ERSPAN source

Full visibility sensor vs ERSPAN features

Feature | With full visibility sensor (Windows / Linux) | With ERSPAN sensor
ADM | Yes, using flow data and/or processes similarity | Yes, using flow data similarity
ADM result content | Clusters of servers, flows between clusters (accurate direction), processes on the servers, unused services | Clusters of servers, flows between clusters (accurate direction)
Flow visibility | All flows going in/out of the VM / Server | All flows going in/out of the ERSPAN source port(s)
Flow metrics | Src, Dst, Ports, Flags, Duration, Fwd / Rev Bytes & Packets, Src / Dst processes, Latency: Network / SRTT / App, TCP: retransmits / bottleneck (network vs app) / handshake duration / windowing | Src, Dst, Ports, Flags, Duration, Fwd / Rev Bytes & Packets
Annotations | Yes | Yes
Policy Analysis & Alerting | Yes | Yes
Policy Simulation | Yes | Yes
Policy Enforcement in the host | Yes | N/A
Processes behavior analysis / Forensics / CVEs | Yes | N/A
Workload mobility | Yes | Yes if done at a virtual layer (DVS VMware, …); No if done on a physical switch / cloud migration
Centralized management (update, …) | Yes | Yes
ERSPAN Sensor

[Diagram: ERSPAN source → ERSPAN Sensor → Telemetry → Tetration Cluster]

Tip: You can truncate MTU at the source (160 bytes)


Demo
• AnyConnect proxy
• Flows
• User insights including Active Directory

Edge and endpoint visibility
• Collect telemetry data from endpoints through Cisco AnyConnect
• AnyConnect telemetry data is sent to a Tetration AnyConnect sensor for generating Tetration telemetry
• Faster identification of users connecting to applications and endpoint related information, including
  • Domain and username
  • Process and process hash
  • Parent process/hash
  • FQDN associated with the Endpoint and also the Cisco Tetration flow
• Workload protection policy enhanced to include User/group/organization and context (LDAPv3)
  • Example: Allow access to "FinApp" only to users in group "finance"
AnyConnect Data

Endpoint Record
• Host information: hostname, UDID, OS name, version, etc.
• AnyConnect Proxy registers this endpoint as AnyConnect agent on behalf of the endpoint

Interface Record
• Interface information: UDID, interface UID, interface index, name, mac address, etc.

Flow Record
• Flow information with context: UDID, interface UID, 5 tuples, in/out byte counts, user-id, process information (name, hash, parent process name, parent process hash, libraries, etc.), DNS suffix, destination FQDN

Annotations
• Annotates IP addresses of endpoints with LDAP attributes of the user logged in to that endpoint
• 4 configurable LDAP fields
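The "FinApp only for group finance" policy from the previous slide and the LDAP annotation described here, worked through as an added example (not Cisco or Tetration code). It annotates the endpoint IP of each AnyConnect flow record with a configured subset of LDAP attributes and evaluates a group-based rule against it; the directory contents, the four field names (sAMAccountName, department, memberOf, o), the FQDNs and the user-ids are all constructed, and an unknown user yields no annotation and therefore a deny.

```python
"""Added example: annotate endpoint flows with LDAP user context and apply a
group-based workload-protection rule ("FinApp only for group finance").
Constructed sample data throughout; attribute and field names are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed names for the "4 configurable LDAP fields" (not specified on the slides).
LDAP_FIELDS = ("sAMAccountName", "department", "memberOf", "o")

# Constructed stand-in for an LDAPv3 directory, keyed by the user-id the
# AnyConnect flow record carries. A real deployment queries AD/LDAP instead.
DIRECTORY: Dict[str, Dict[str, object]] = {
    "alice": {"sAMAccountName": "alice", "department": "Finance",
              "memberOf": ["finance", "staff"], "o": "ExampleCorp",
              "mail": "alice@example.invalid"},
    "bob":   {"sAMAccountName": "bob", "department": "Engineering",
              "memberOf": ["eng", "staff"], "o": "ExampleCorp",
              "mail": "bob@example.invalid"},
}

@dataclass(frozen=True)
class FlowRecord:
    udid: str        # endpoint identifier
    src_ip: str      # endpoint IP (the address that gets annotated)
    dst_fqdn: str    # destination FQDN as resolved on the endpoint
    dst_port: int
    user_id: str     # user logged in on the endpoint
    process: str

@dataclass(frozen=True)
class Rule:
    app_fqdn: str
    dst_port: int
    required_group: str

# Constructed policy: allow FinApp only to members of group "finance".
POLICY: List[Rule] = [Rule("finapp.example.invalid", 443, "finance")]

def annotate_ip(flow: FlowRecord) -> Optional[Dict[str, object]]:
    """Return only the configured LDAP fields for the flow's logged-in user,
    or None when the user is unknown (the annotation is then simply absent)."""
    entry = DIRECTORY.get(flow.user_id)
    if entry is None:
        return None
    return {k: entry[k] for k in LDAP_FIELDS if k in entry}

def decide(flow: FlowRecord) -> str:
    """Evaluate POLICY against the annotated flow. Missing context fails closed."""
    attrs = annotate_ip(flow)
    groups = set(attrs.get("memberOf", [])) if attrs else set()
    for rule in POLICY:
        if flow.dst_fqdn == rule.app_fqdn and flow.dst_port == rule.dst_port:
            return "ALLOW" if rule.required_group in groups else "DENY"
    return "NO_MATCH"   # the flow is outside the scope of this policy

# Constructed sample flow records.
SAMPLE_FLOWS = [
    FlowRecord("udid-1", "10.1.1.10", "finapp.example.invalid", 443, "alice", "chrome.exe"),
    FlowRecord("udid-2", "10.1.1.11", "finapp.example.invalid", 443, "bob", "chrome.exe"),
    FlowRecord("udid-3", "10.1.1.12", "finapp.example.invalid", 443, "carol", "curl.exe"),
    FlowRecord("udid-2", "10.1.1.11", "wiki.example.invalid", 443, "bob", "chrome.exe"),
]

def evaluate_all(flows=SAMPLE_FLOWS) -> List[Tuple[str, str, str]]:
    """(user, destination, verdict) for every flow."""
    return [(f.user_id, f.dst_fqdn, decide(f)) for f in flows]

if __name__ == "__main__":
    for user, fqdn, verdict in evaluate_all():
        print(f"{user:6} -> {fqdn:24} {verdict}")
```

Only the configured fields reach the annotation (the `mail` attribute never leaves the directory), and a user the directory does not know produces a deny rather than an allow, which is the behaviour you want when the context feed is down or stale.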

AnyConnect Architecture

[Diagram: AnyConnect endpoints → Telemetry → Tetration AnyConnect Proxy VM (Container inside a Virtual Appliance) → Telemetry push (Annotations) → Tetration Cluster; the proxy gets LDAP fields from Active Directory / LDAP; the AnyConnect Admin pushes the NVM profile to the endpoints]
Tetration Alerts and Notification
• Routing alerts to various systems

Alerts and notification architecture
• The Tetration Alerts and Notification (TAN) appliance sits outside the Tetration Cluster
• The appliance uses a secure channel to talk to Tetration services to read alerts as well as to report any statistics back to Tetration
• The appliance works on its assigned root scope and has access to alerts from that root scope only.
• Any new configuration pushed via the Tetration UI is propagated to the TAN appliance, and updates are immediately applied

[Diagram: Cisco Tetration™ ←(secure TCP channel for alerts)→ TAN virtual appliance → notification alerts to external systems]
TAN virtual appliance registration
• The TAN virtual appliance can be installed by downloading the TAN OVA from CCO
• Once deployed, the appliance is ready for registration with the Tetration Cluster
• The appliance uses the certificates downloaded from the cluster to establish a secure connection
• The appliance then sends a registration message to the cluster, registering the appliance on a particular root scope
• The cluster registers the appliance IP and puts it in active state

TAN VM specs

• Hypervisor:
  • VMware ESXi, 6.5.0
  • Model TA-BNODE-G1
  • Intel(R) Xeon(R) CPU E5-2650 v3 @ 2.30GHz
• TAN Virtual Appliance:
  • 8 vCPU cores @ 2.30GHz
  • 8GB RAM
  • 1 10 Gbps vNIC, VMXNET driver

TAN UI
• Right hand side has Notifiers
• Left hand side has Alert Sources
• Once the TAN appliance is ACTIVE, the Notifiers can be configured

TAN UI: Download tar.gz
• Click to download the tar.gz.
• Once the tar.gz is downloaded, copy it into a folder with the other config files
• Create an ISO file from this set of files.
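The ISO-building step shared by the Deployment slide (sensor + hostname + ip(s) config files) and this TAN slide (tar.gz + other config files), as an added example; this is not Cisco's tooling, and the file names `hostname` and `ip.conf`, the `NIC-n=<cidr>` line format, the staging layout and the volume label are assumptions. The authoritative layout is the appliance documentation at https://<cluster>/documentation/ui/appliances.html. The sensor package in `run_demo` is a constructed placeholder archive; the ISO is produced with whichever of genisoimage, mkisofs or xorrisofs is installed.

```python
"""Added example: stage the files an appliance ISO is built from and run a
mkisofs-family tool over the staging directory. File names, line format and
label are assumptions, not the product's documented layout."""
import io
import ipaddress
import re
import shutil
import subprocess
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Mapping, Optional

HOSTNAME_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")   # one RFC 1123 label

def stage_config_dir(sensor_tgz: Path, hostname: str, ips: Mapping[str, str],
                     workdir: Optional[Path] = None) -> Path:
    """Copy the sensor package and write validated config files into a staging
    directory. Validation is deliberate: a bad hostname or IP baked into the
    ISO means a VM that boots without network and has to be rebuilt."""
    if not tarfile.is_tarfile(str(sensor_tgz)):
        raise ValueError(f"{sensor_tgz} is not a tar archive")
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"invalid hostname {hostname!r}")
    stage = Path(workdir) if workdir else Path(tempfile.mkdtemp(prefix="tet-iso-"))
    stage.mkdir(parents=True, exist_ok=True)
    shutil.copy2(sensor_tgz, stage / sensor_tgz.name)
    (stage / "hostname").write_text(hostname + "\n")            # assumed file name
    lines = []
    for nic, cidr in ips.items():
        iface = ipaddress.ip_interface(cidr)                     # raises on malformed input
        lines.append(f"{nic}={iface.with_prefixlen}")
    (stage / "ip.conf").write_text("\n".join(lines) + "\n")     # assumed file name/format
    return stage

def build_iso(stage: Path, iso_path: Path, label: str = "TETRATION") -> Path:
    """Create a Joliet + Rock Ridge ISO from the staging directory."""
    tool = next((t for t in ("genisoimage", "mkisofs", "xorrisofs") if shutil.which(t)), None)
    if tool is None:
        raise RuntimeError("no ISO tool found (genisoimage/mkisofs/xorrisofs)")
    subprocess.run([tool, "-quiet", "-J", "-R", "-V", label, "-o", str(iso_path), str(stage)],
                   check=True)
    return iso_path

def run_demo() -> Dict[str, object]:
    """Build a constructed placeholder sensor package, stage it, and report
    what was written; the ISO step runs only when a tool is installed."""
    work = Path(tempfile.mkdtemp(prefix="tet-demo-"))
    pkg = work / "tet-sensor-constructed.tar.gz"
    with tarfile.open(pkg, "w:gz") as tf:                        # constructed, not a real sensor
        data = b"constructed sensor package\n"
        info = tarfile.TarInfo("README")
        info.size = len(data)
        tf.addfile(info, io.BytesIO(data))
    stage = stage_config_dir(pkg, "erspan-va-01",
                             {"NIC-1": "10.10.0.5/24", "NIC-2": "10.10.1.5/24"}, work / "stage")
    iso = ""
    try:
        iso = str(build_iso(stage, work / "erspan-va-01.iso"))
    except RuntimeError:
        pass                                                     # no ISO tool on this machine
    return {
        "files": sorted(p.name for p in stage.iterdir()),
        "hostname": (stage / "hostname").read_text(),
        "ip.conf": (stage / "ip.conf").read_text(),
        "iso": iso,
    }

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Run it once with a real sensor package and hostname to get a mountable ISO; the validation raises before anything is written when the hostname or a CIDR is malformed, which is cheaper than discovering it after the VM has booted.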

TAN UI
• UI after TAN registration
• Configures the alert mechanism for multiple event types
• Each event type can send notifications through one or more methods
• Configures trigger rules and associated severity for each event type
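The routing model these three slides describe (one trigger rule with a severity threshold per event type, fan-out to one or more notifiers, and an appliance that only handles its own root scope), as an added example rather than TAN's own implementation. Event type names, the severity scale, the severity-to-syslog mapping, the notifier names and the alerts are constructed; the syslog line follows RFC 5424 (PRI = facility × 8 + severity) and the facility choice local0 is an assumption.

```python
"""Added example: a small notifier-routing engine of the kind the TAN UI
configures. Event types, severities, notifier names and alerts are constructed."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Tuple

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
# Assumed mapping of the constructed severities onto syslog severity codes.
SYSLOG_SEVERITY = {"LOW": 6, "MEDIUM": 4, "HIGH": 3, "CRITICAL": 2}
SYSLOG_FACILITY = 16   # local0 (assumption)

@dataclass(frozen=True)
class Alert:
    event_type: str
    severity: str
    root_scope: str
    message: str
    ts: datetime

@dataclass(frozen=True)
class TriggerRule:
    event_type: str
    min_severity: str
    notifiers: Tuple[str, ...]   # one or more methods per event type

def syslog_line(a: Alert, hostname: str = "tan-va") -> str:
    """RFC 5424 message; PRI is facility*8 + severity."""
    pri = SYSLOG_FACILITY * 8 + SYSLOG_SEVERITY[a.severity]
    stamp = a.ts.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {stamp} {hostname} tetration-tan - {a.event_type} - {a.message}"

def email_message(a: Alert) -> Tuple[str, str]:
    """(subject, body) for a mail notifier."""
    return (f"[Tetration][{a.severity}] {a.event_type} in {a.root_scope}", a.message)

FORMATTERS = {"syslog": syslog_line, "email": email_message}

def route(a: Alert, rules: Dict[str, TriggerRule], appliance_scope: str) -> List[Tuple[str, object]]:
    """Return (notifier, payload) pairs for every method the matching rule enables."""
    if a.root_scope != appliance_scope:
        return []   # the appliance only has access to alerts of its own root scope
    rule = rules.get(a.event_type)
    if rule is None or SEVERITY_RANK[a.severity] < SEVERITY_RANK[rule.min_severity]:
        return []   # no rule for this type, or below the configured severity
    return [(n, FORMATTERS[n](a)) for n in rule.notifiers]

# Constructed configuration and alerts.
RULES = {
    "ENFORCEMENT": TriggerRule("ENFORCEMENT", "MEDIUM", ("syslog", "email")),
    "SENSOR":      TriggerRule("SENSOR", "HIGH", ("syslog",)),
}
TS = datetime(2019, 3, 27, 9, 0, 0, tzinfo=timezone.utc)
SAMPLE_ALERTS = [
    Alert("ENFORCEMENT", "HIGH", "Default", "policy deviation on host-1", TS),
    Alert("ENFORCEMENT", "LOW", "Default", "policy drift on host-2", TS),
    Alert("SENSOR", "CRITICAL", "Tenant-B", "sensor offline", TS),
]

def dispatch(alerts=SAMPLE_ALERTS, scope: str = "Default") -> List[List[Tuple[str, object]]]:
    """Routing result per alert for an appliance assigned to `scope`."""
    return [route(a, RULES, scope) for a in alerts]

if __name__ == "__main__":
    for a, out in zip(SAMPLE_ALERTS, dispatch()):
        print(a.event_type, a.severity, "->", [n for n, _ in out] or "dropped")
```

With the appliance assigned to the Default scope, the HIGH enforcement alert fans out to both syslog and mail, the LOW one is below the rule's threshold, and the Tenant-B alert is never seen; the same alerts dispatched by a Tenant-B appliance produce the mirror image.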

Tetration Alerts Notifier
• TAN appliance is per Tenant
• Flow matrix is different:
  • To receive alerts from Cluster: TAN → adhocKafkaXL-* public IPs, TCP 443
  • To publish alerts externally: TAN → mail / syslog / ... IPs and ports
• Platform alerts are only available in the Default tenant
  → Recommended to deploy at least one in the Default tenant for Platform monitoring

Operational use cases
Tetration: IT Operations Use Cases

Workload Discovery ("ADM"): Discover workload dependencies while making applications "hybrid cloud ready"
Workload Protection ("CWP"): Secure workloads with portable policies across any cloud, any floor tile, any OS
Network Insights ("NPMD"): Gain performance insights per application in real time with historical references


Visibility & Forensics: What do software sensors collect?
• Packet header metadata
• Process details
• Installed software

Application Insights
• Marry network diagrams with application logical topology maps to provide a full picture
• The ability to break down complex problems into smaller compartments, to step through a more manageable troubleshooting process

TCP Performance Insights
Software Sensors TCP Metrics:
• Tracking process response times
• TCP handshake intervals
• TCP retransmissions
• TCP window size changes
• Identifying bottlenecks

What do we mean by Application Latency?
Performance monitoring using software sensors

Application Latency
• Measures the time difference between the Client → Server flowlet ("request") and the Server → Client flowlet ("response")
• May indicate application latency NOT related to the network
• Two time stamps on the same host (provider side of the connection)

SRTT
• Indicates overall TCP performance from the perspective of the server
• Estimates future round trip time. Calculated on the host.
• Calculation for the retransmission timeout: when to resend on non-ack
• Polled from the provider side of the connection

Est. Network Latency
• A calculation that removes kernel stack time from SRTT (different from network latency)
• Calculation based on the timestamps used by the host sensors
• Requires NTP and sensors on both consumer and provider

What do we mean by Application Bottleneck?
Performance monitoring using software sensors

Tetration Performance Debugging tracks: process response times, TCP retransmissions, TCP handshake intervals, TCP window size changes

TCP Zero Window is something to investigate
• A client or server is not able to receive further information at the moment, and the TCP transmission is halted until the information in its receive buffer can be processed. A TCP Window Size = 0 is sent.
• App Limited - either the consumer OR the provider application is not draining data fast enough from the TCP socket buffer, and there are NO network retransmissions

[Diagram: Receiver ("My buffers are full") advertises win:0 to Sender ("Stop sending data")]
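The metrics of the last two slides computed on constructed data, as an added example that is not the sensor's code: SRTT, RTTVAR and the retransmission timeout folded from RTT samples the way RFC 6298 specifies, application latency as the gap between the two timestamps seen on the provider (last request byte in, first response byte out), and a network-vs-app bottleneck classification from retransmission and zero-window counts. The decision order in `classify_bottleneck` is an assumption (the slide names the conditions, not their precedence), and the RTO floor is a parameter because RFC 6298 rounds RTO up to 1 s while Linux uses a smaller minimum.

```python
"""Added example: SRTT/RTTVAR/RTO per RFC 6298, application latency from two
timestamps on the provider, and a network-vs-app bottleneck classification.
All samples are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ALPHA, BETA, K = 1 / 8, 1 / 4, 4   # RFC 6298 constants

def rto_estimate(rtt_samples: List[float], granularity: float = 0.0,
                 rto_min: float = 1.0) -> Tuple[float, float, float]:
    """Fold RTT samples (seconds) into SRTT and RTTVAR; return (srtt, rttvar, rto).
    The first sample seeds SRTT = R and RTTVAR = R/2; later samples update
    RTTVAR before SRTT, as the RFC orders it."""
    if not rtt_samples:
        raise ValueError("need at least one RTT sample")
    srtt = rtt_samples[0]
    rttvar = srtt / 2
    for r in rtt_samples[1:]:
        rttvar = (1 - BETA) * rttvar + BETA * abs(srtt - r)
        srtt = (1 - ALPHA) * srtt + ALPHA * r
    rto = max(rto_min, srtt + max(granularity, K * rttvar))
    return srtt, rttvar, rto

def app_latency(packets: List[Tuple[int, str, int]]) -> Optional[int]:
    """packets: (timestamp_ms, direction 'c2s'|'s2c', payload_bytes) as seen on
    the provider host. Returns the ms between the last request byte and the
    first response byte, i.e. time the server application spent before
    answering; None if no response has been seen yet."""
    last_req = None
    for ts, direction, payload in packets:
        if payload == 0:
            continue            # pure ACKs carry no application data
        if direction == "c2s":
            last_req = ts
        elif last_req is not None:
            return ts - last_req
    return None

@dataclass
class FlowStats:
    retransmits: int
    zero_window_events: int
    srtt_ms: float
    app_latency_ms: Optional[int]

def classify_bottleneck(s: FlowStats) -> str:
    """Zero-window without retransmissions: a socket buffer is not being
    drained (app limited). Retransmissions: look at the network first.
    Precedence between the two is an assumption of this example."""
    if s.zero_window_events > 0 and s.retransmits == 0:
        return "app-limited"
    if s.retransmits > 0:
        return "network"
    return "none"

# Constructed samples (dyadic RTT values keep the float arithmetic exact).
SAMPLE_RTTS = [0.25, 0.5]
SAMPLE_PACKETS = [(0, "c2s", 200), (3, "c2s", 100), (10, "s2c", 0), (40, "s2c", 500)]
SAMPLE_FLOWS = {
    "db":  FlowStats(retransmits=0, zero_window_events=3, srtt_ms=1.2, app_latency_ms=850),
    "web": FlowStats(retransmits=12, zero_window_events=0, srtt_ms=45.0, app_latency_ms=5),
    "ok":  FlowStats(retransmits=0, zero_window_events=0, srtt_ms=1.0, app_latency_ms=2),
}

def report() -> dict:
    """Bottleneck verdict per constructed flow."""
    return {name: classify_bottleneck(st) for name, st in SAMPLE_FLOWS.items()}

if __name__ == "__main__":
    print("srtt/rttvar/rto:", rto_estimate(SAMPLE_RTTS, rto_min=0.0))
    print("app latency ms:", app_latency(SAMPLE_PACKETS))
    print(report())
```

The "db" flow is the zero-window case from the slide: no loss on the wire, a receiver that stops advertising window, and an 850 ms application latency, so the time is being spent in the application rather than the network; the "web" flow shows the opposite signature.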
Neighborhood Graphs
• Determine the number of hops between two entities in an application
• Quickly identify protocols connecting those entities
• Drill down to get the communication details between two entities
• Launch flow search view with relevant filters
• Generate alerts
Demo
