Tetration Update: and Other Topics
© 2017
2019 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 2
• Mainly hardware and infrastructure refresh
• 8 and 39RU are now
Some more capacity
8RU G1 (M4) G2 (M5)
Important note
M5 Cluster
What are the other topics?
• Virtual appliances
• Operational use cases
• Collectors
• ERSPAN
• NetFlow
• Tetration Alert Notification
  • AKA TAN
General
• Tetration code runs in a container
• Depending on type, there could be multiple instances / containers
• Each container owns its (public) IP through a specific Docker driver
  • Underlying Virtual Appliance has no IP / no network!
• Tetration code receives data, analyses it and streams to Tetration cluster (like a regular software sensor)
• All are supported with all form factors (Physical / Tetration-V / SaaS)
• Licensing:
  • ERSPAN / NetFlow: 50 base per container (3x50=150 per VM)
  • AnyConnect: specific license, per endpoint
  • SLBs: 1 base per backend server (unless it already runs a software sensor)
  • TAN: No license (1 per root scope / Tenant)
[Diagram labels: Virtual Appliance; Container, NIC-1, IP A; (Container), (NIC-2), IP B; (...)]
Deployment
• Same principle for all (some require specific configuration)
• Download specific OVA from CCO
• Download sensor from the cluster
• Build an ISO with sensor + hostname + ip(s) config files
• Deploy OVA, mount ISO and boot the VM (don’t boot it without ISO)
• Documentation (including scale): https://<cluster>/documentation/ui/appliances.html
[Diagram labels: Virtual Appliance; ISO; Agent; Config files]
Demo
• Deploy ERSPAN sensor and configure vSphere DVS as ERSPAN source
Full visibility sensor vs ERSPAN features

| Features | With full visibility sensor (Windows / Linux) | With ERSPAN sensor |
|---|---|---|
| ADM | Yes, using flow data and/or processes similarity | Yes, using flow data similarity |
| ADM result content | Clusters of servers, flows between clusters (accurate direction), processes on the servers, unused services | Clusters of servers, flows between clusters (accurate direction) |
| Flow visibility | All flows going in/out of the VM / Server | All flows going in/out of the ERSPAN source port(s) |
| Flow metrics | Src, Dst, Ports, Flags, Duration, Fwd / Rev Bytes & Packets, Src / Dst processes, Latency: Network / SRTT / App, TCP: retransmits / bottleneck (network vs app) / handshake duration / windowing | Src, Dst, Ports, Flags, Duration, Fwd / Rev Bytes & Packets |
Telemetry
Tetration
Cluster
Edge and end points visibility
• Collect telemetry data from end points through Cisco AnyConnect
• AnyConnect telemetry data sent to a Tetration AnyConnect sensor for generating Tetration telemetry
• Faster identification of users connecting to applications and end point related information including
  • Domain and username
  • Process and process hash
  • Parent process/hash
  • FQDN associated with the Endpoint and also the Cisco Tetration flow
• Workload protection policy enhanced to include User/group/organization and context (LDAPv3)
  • Example: Allow access to “FinApp” only to users in group “finance”
AnyConnect Data
Endpoint Record Interface Record Flow Record Annotations
AnyConnect Architecture
[Diagram labels: AnyConnect endpoints; Tetration AnyConnect Proxy VM (Container, Virtual Appliance); Tetration Cluster; Telemetry; Push NVM profile; (Annotations); (Get LDAP fields); (Active Directory / LDAP)]
AnyConnect
Admin
Tetration Alerts and Notification
• Routing alerts to various systems
Alerts and notification architecture
• The Tetration Alerts and Notification (TAN) appliance sits outside the Tetration Cluster
• The appliance uses a secure channel to talk to Tetration services to read alerts as well as to report any statistics back to Tetration
• The appliance works on its assigned root scope and has access to alerts from that root scope only.
• Any new configuration pushed via Tetration UI is propagated to the TAN appliance, and updates are immediately applied
Cisco Tetration™
TAN virtual appliance
(TAN)
TAN virtual appliance registration
• The TAN virtual appliance can be installed by downloading the TAN OVA from CCO
• Once deployed, the appliance is ready for registration with the Tetration Cluster
• The appliance uses the certificates downloaded from the cluster to establish a secure connection
• The appliance then sends a registration message to the cluster, registering the appliance on a particular root scope
• The cluster registers the appliance IP and puts it in active state
TAN VM specs
• Model TA-BNODE-G1
• 8GB RAM
• Intel(R) Xeon(R) CPU E5-2650 v3 @ 2.30GHz
• 1 x 10 Gbps vNIC, VMXNET driver
TAN UI
• Right hand side has Notifiers
• Left hand side has Alert Sources
• Once TAN appliance is ACTIVE, the Notifiers can be configured
TAN UI: Download tar.gz
TAN UI
• UI after TAN registration
Tetration Alerts Notifier
• TAN appliance is per Tenant
• Flow matrix is different:
  • To receive alerts from Cluster:
    • TAN adhocKafkaXL-* public IPs TCP443
  • To publish alerts externally:
    • TAN mail / syslog / ... IPs and ports
• Operational use cases
Tetration: IT Operations Use Cases
Application Insights
• Marry network diagrams with application logical topology maps to provide a full picture
• The ability to break down complex problems into smaller compartments to step through a more manageable troubleshooting methodology process
TCP Performance Insights
Software Sensors TCP Metrics:
• Tracking process response times
• TCP handshake intervals
• TCP retransmissions
• TCP window size changes
• Identifying bottlenecks
What do we mean by Application Latency?
Performance monitoring using software sensors
Application Latency
• Measures time difference between Client → Server flowlet (“request”) and Server → Client (“response”)
• May indicate application latency NOT related to the network
• Two time stamps on same host (provider side of connection)
Est. Network Latency
• A calculation that removes kernel stack time from SRTT (different than network latency)
• Calculation based on using timestamps used by the host sensors
• Requires NTP and sensors on both consumer and provider
What do we mean by Application Bottleneck?
Performance monitoring using software sensors
the TCP socket buffer, and there are NO network retransmissions
[Diagram labels: Sender, Receiver]
Neighborhood Graphs
• Determine the number of hops between two entities in an application
• Quickly identify protocols connecting those entities
• Drill down to get the communication details between two entities
• Launch flow search view with relevant filters
• Generate alerts
Demo