This document provides an overview of Cisco Tetration, which is a platform that provides application dependency mapping, segmentation, and security across data centers, public clouds, and hybrid environments. It analyzes network traffic using software sensors to map application dependencies and clusters. It then generates whitelist policies and enforces segmentation policies across workloads to limit communication based on application ownership and intent-based rules. The platform also provides capabilities for compliance monitoring, inventory tracking, performance monitoring, and ecosystem integration. It has various deployment options including on-premises, public cloud, and as a managed service.
2. What does Tetration mean?
• Tetration (or hyper-4) is the next hyperoperation after exponentiation, and is defined as iterated exponentiation. The word was coined by Reuben Louis Goodstein, from tetra- (four) and iteration. Tetration is used for the notation of very large numbers.
3. Security Challenges in Modern Data Centers
Applications Are Driving Modern Datacenter Infrastructure
• Rapid App Deployment
• Continuous Development
• Application Mobility
• Micro Services
Securing Applications Has Become Complex
• Policy Enforcement
• Heterogeneous Network
• Secure Zero-Trust
• Policy Compliance
4. Cisco Tetration Platform: Use Cases
Built on the Cisco Tetration™ Platform Foundation:
• Application Insight
• Process Inventory
• Visibility and Forensics
• Segmentation Operations
• White-list Policy
• Policy Compliance
• Application Segmentation
• Process Security
• Software Inventory Baseline
• Advanced Security
• Neighborhood Graphs
• Network and TCP Performance
5. Cisco Tetration Platform: Architecture Overview
Web GUI, REST API, event notification, and Cisco Tetration apps sit on top of the analytics engine.
Third-party sources (configuration data) feed the analytics engine.
Analytics engine
Data collection layer:
• Software sensor and enforcement
• Container host sensors*
• Embedded network sensors (telemetry only)
• ERSPAN sensors (telemetry only)
• Netflow sensors* (telemetry only)
*Support coming in Q2CY18
6. Cisco Tetration analytics data sources
Main features
✓ Low CPU overhead (SLA enforced)
✓ Low network overhead
✓ New enforcement point (software agents)
✓ Highly secure (code signed and authenticated)
✓ Every flow (no sampling) and no payload
*Note: Available for POC/Trial purposes only
Available today
Software sensors
• Linux servers (virtual machine and bare metal)
• Windows servers (virtual machines and bare metal)
• Windows Desktop VM (virtual desktop infrastructure only)
Network sensors
• Cisco Nexus 9300 EX
• Cisco Nexus 9300 FX
• Next-generation Cisco Nexus® Series Switches
Other types of sensors
• Container Host* (Host OS: Linux based)
• ERSPAN Sensor
• Netflow Sensor*
*Support coming in Q2CY18
8. Application Dependency and Cluster Grouping
Bare-metal, VM, and switch telemetry feeds the Cisco Tetration Analytics™ platform, which applies unsupervised machine learning and behavior analysis.
Telemetry sources shown in the diagram:
• On-premises and cloud workloads (AWS): bare-metal and VM telemetry; VM telemetry (AMI …)
• Brownfield: bare metal and VM, with network-only sensors, host-only sensors, or both (preferred)
• Cisco Nexus® 9000 Series
12. User-Uploaded asset tags
• Discovered inventory
• Uploaded inventory and metadata (32 arbitrary tags)
• Inventory tracked in real time, along with historical trends
The Cisco Tetration Analytics™ merge operation combines the sensor feed, user-uploaded tags, VMware vCenter (virtual machine attributes), and AWS attributes (AWS tags) into real-time inventory merged with this information, along with historical trends.
13. Segmentation Policy: Express Policies in Human Language
Development can't talk to production
• Cisco Tetration™ knows who is production
• Cisco Tetration knows who is development
• Policies are continuously updated as applications change
16. How Does it Work?
Cisco Tetration™ automatically converts your intent into blacklist and whitelist rules
Intent: Block nonproduction applications from talking to production applications
Rule: SOURCE 10.0.0.0/8, DEST 128.0.0.0/8
Intent: Allow HR applications to use the employee database
Rule: SOURCE 128.0.10.0/24, DEST 128.0.11.0/24
Intent: Block all HTTP connections that are not destined for web servers
Rules: SOURCE *, DEST 128.0.100.0/24, PORT = 80; then SOURCE *, DEST *, PORT = 80
17. Rule-Processing Order
• Application owners need some amount of autonomy to make application-level changes quickly
• Security and network teams need to control the global aspects of application interconnection and shared services
• Cisco Tetration™ flattens intent in a deterministic order, prioritizing intent of higher-authority users over intent of application owners
Processing order, highest authority first:
1. Security team rules
2. Network team rules
3. Application owner rules
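As an added example (my code, not Cisco's and not Tetration's actual algorithm), the following flattens intent from the three authority tiers on this slide into one ordered rule list and evaluates flows against it with first-match semantics and a block-by-default (whitelist) fallback. The CIDRs come from the previous slide; the extra application-owner rule and the tier names are constructed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Authority order stated on the slide: security team > network team > application owner.
TIER_ORDER = {"security": 0, "network": 1, "app_owner": 2}

@dataclass(frozen=True)
class Rule:
    tier: str                    # who authored the intent
    action: str                  # "allow" or "block"
    src: str                     # CIDR or "*" for any address
    dst: str
    port: Optional[int] = None   # None matches any port

def _match(cidr: str, addr: str) -> bool:
    return cidr == "*" or ip_address(addr) in ip_network(cidr)

def flatten(rules):
    """Stable sort by tier: higher-authority intent lands above lower-authority
    intent; within a tier the author's own order is preserved, so the slide's
    'HTTP to web servers' row stays ahead of its 'block all other HTTP' row."""
    return sorted(rules, key=lambda r: TIER_ORDER[r.tier])

def evaluate(flat, src: str, dst: str, port: int, default: str = "block"):
    """First matching rule wins; an unmatched flow falls back to the whitelist default."""
    for r in flat:
        if _match(r.src, src) and _match(r.dst, dst) and r.port in (None, port):
            return r.action, r
    return default, None

# Constructed intents in the order the teams submitted them (not yet sorted).
INTENTS = [
    Rule("app_owner", "allow", "128.0.10.0/24", "128.0.11.0/24"),   # HR -> employee database
    Rule("app_owner", "allow", "10.0.5.0/24", "128.0.11.0/24"),     # hypothetical: owner opens nonprod -> prod
    Rule("network", "allow", "*", "128.0.100.0/24", 80),            # HTTP to web servers
    Rule("network", "block", "*", "*", 80),                         # all other HTTP
    Rule("security", "block", "10.0.0.0/8", "128.0.0.0/8"),         # nonproduction -> production
]
FLAT = flatten(INTENTS)   # the security block now precedes the owner's allow

if __name__ == "__main__":
    for r in FLAT:
        print(r)
    print(evaluate(FLAT, "10.0.5.1", "128.0.11.5", 3306))   # blocked by the security-team rule
```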
18. Enforcement of policy across any floor tile
Cisco Tetration Analytics™:
1. Generates unique policy per workload
2. Pushes policy to all workloads
3. Workload securely enforces policy
4. Continuously recomputes policy from identity and classification changes
Enforcement and compliance monitoring cover virtual, bare metal, Cisco ACI™, traditional network, and public cloud (Amazon, Azure, Google) workloads.
22. Performance monitoring
With deep-visibility software sensors only
With deep-visibility software sensors installed on servers, Cisco Tetration™ distinguishes:
Application limited
• Process or server cannot drain traffic fast enough
• Identify whether limitation is on provider or consumer side
Network limited
• Network congestion is causing TCP congestion and window collapse
Enhanced TCP metrics
• SRTT latency
• Application-perceived latency
• TCP retransmissions
• TCP congestion window reduced
• TCP MSS changed
• TCP zero window
• Long TCP handshakes
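As an added example (my code, not Cisco's), here is a small classifier that applies the application-limited versus network-limited distinction from this slide to the listed TCP metrics, run over constructed per-flow records reported by both endpoints. The thresholds, the provider/consumer labelling, and the reading of application-perceived latency as request-to-first-response-byte are my assumptions.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class FlowMetrics:
    flow: str
    side: str               # "provider" (server) or "consumer" (client) that reported these
    srtt_ms: float          # smoothed round-trip time seen by this side
    app_latency_ms: float   # application-perceived latency (assumed: request to first response byte)
    retransmissions: int
    cwnd_reduced: int       # congestion-window reduction events
    zero_window: int        # zero-window advertisements sent by this side
    long_handshakes: int

def classify(reports: List[FlowMetrics], rtx_threshold: int = 10, app_ratio: float = 3.0) -> List[str]:
    """Findings for one flow. A zero window sent by a side means that side's process
    cannot drain its receive buffer (application limited, on that side). Retransmissions
    together with congestion-window reductions point at the network, not the endpoints."""
    findings = []
    for r in reports:
        if r.zero_window > 0:
            findings.append(f"application-limited: {r.side} cannot drain traffic fast enough")
    consumer = next((r for r in reports if r.side == "consumer"), None)
    if consumer and consumer.srtt_ms > 0 and consumer.app_latency_ms > app_ratio * consumer.srtt_ms:
        findings.append("application-limited: provider responds far slower than the path RTT")
    if any(r.retransmissions >= rtx_threshold and r.cwnd_reduced > 0 for r in reports):
        findings.append("network-limited: retransmissions with congestion-window collapse")
    if any(r.long_handshakes > 0 for r in reports):
        findings.append("network-limited: long TCP handshakes")
    return findings or ["healthy"]

# Constructed telemetry for three flows (not real Tetration output).
SAMPLE = {
    "db-client->db": [   # consumer keeps advertising zero window: its process is the bottleneck
        FlowMetrics("db-client->db", "consumer", 2.0, 4.0, 0, 0, 5, 0),
        FlowMetrics("db-client->db", "provider", 2.0, 0.0, 0, 0, 0, 0),
    ],
    "web->app": [        # both sides see heavy retransmission and cwnd collapse: path congestion
        FlowMetrics("web->app", "consumer", 40.0, 45.0, 25, 6, 0, 0),
        FlowMetrics("web->app", "provider", 41.0, 0.0, 18, 4, 0, 0),
    ],
    "api->cache": [      # nothing abnormal
        FlowMetrics("api->cache", "consumer", 1.0, 1.5, 0, 0, 0, 0),
        FlowMetrics("api->cache", "provider", 1.0, 0.0, 0, 0, 0, 0),
    ],
}
```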
23. Performance monitoring
With Cisco ACI and Cisco Nexus 9300 FX switches only
Cisco Tetration™ with Cisco ACI™ infrastructure using Cisco Nexus® 9300 FX leaf switches and Cisco Nexus 9300 FX line cards in spine
Track topology and topology changes using time series
• Covers fabric and external devices such as servers (LLDP required)
• Flow-context-specific topology views
View traffic flow information in time series
• Mapping of individual flows to fabric topology and queues
• Per-flow hop-by-hop path view
• Per-hop latency and fabric latency
• Fabric drop indicators
View link and queue information in a fabric in time series
• Flows through a particular link
• Throughput information
• Average and maximum latency
• Drop indicators
Additional flow search capabilities
• Search for specific flows within a link and queue
• Search based on fabric links
• Search based on class of service
*PTP required in production fabric
25. Cisco Tetration telemetry: ERSPAN option
Expanded telemetry collection option
• Augment telemetry from other parts of the network
• Useful when software sensor or hardware sensor is not feasible
• Dedicated virtual machines on each host with 3 software sensors in each virtual machine
• Each sensor binds to a separate vNIC
• ERSPAN terminates on the virtual machine vNIC
• Each sensor terminates one ERSPAN session
• Sensor generates telemetry based on the data-plane traffic
• Horizontally scalable
Diagram: production network → Layer 3 switch → ERSPAN over a Layer 3 connection → sensor virtual machines → Cisco Tetration™ telemetry → Cisco Tetration™ Platform
26. Insight-based notification: Neighborhood graphs
Cisco Tetration Analytics™ publishes messages to a Kafka broker, from which northbound consumers read them.
Neighborhood graphs
• Find up to two-hop communication neighbors for a selected workload
• Drill down into details about communication between these neighbors
• View dashboard display using graph database
• Determine the number of server hops between two workloads
• Get out-of-the-box and custom alerts through Kafka
27. Virtual Desktop Infrastructure: Visualization
Main features
✓ Support Microsoft Windows Desktop 7, 8, and 10
✓ Get per-packet, per-flow visibility
✓ Correlate traffic with process on the desktop instances
✓ Tie VDI user traffic to application workspace
VDI instances → Cisco Tetration Analytics™
30. Cisco Tetration: On-Premises Deployment options
Hardware options
Cisco Tetration™ platform (large form factor)
• Suitable for deployments of more than 5000 workloads
• Built-in redundancy
• Scales to up to 25,000 workloads
Includes:
• 36 Cisco UCS® C220 servers
• 3 Cisco Nexus® 9300 platform switches
Cisco Tetration-M (small form factor)
• Suitable for deployments of less than 5000 workloads
Includes:
• 6 Cisco UCS C220 servers
• 2 Cisco Nexus 9300 platform switches
Software Only Option
Cisco Tetration Software only option
• Suitable for deployments of less than 1000 workloads
• Published hardware requirements
• Supported in VMware ESXi based environment
Coming in Q2CY18
Public cloud
Cisco Tetration Cloud (Amazon Web Services, Microsoft Azure)
• Software deployed in public cloud
• Suitable for deployments of less than 1000 workloads
• Public cloud instance owned by customer
31. Cisco Tetration™ as a Service
Cisco Tetration: As-a-Service Option
• Software as a Service model: no need to purchase, install and manage hardware or software
• Fully managed and operated by Cisco
• Suitable for commercial customers and SaaS-first/SaaS-only customers
• Flexible pricing model, lower barrier to entry
• Quick turn up
• Scales to up to 25,000 workloads
Cisco Tetration as a Service: coming in Q2CY18
34. In summary: Platform built for scale and flexibility
Real time and scalable
• Every packet, every flow
• Application segmentation for 1000s of applications
• Extends visibility to process and software packages
• Long term data retention
Holistic workload protection
• Consistent application segmentation
• Any workload, anywhere
• Process behavior deviations
• Software package vulnerability
Easy to use
• One touch deployment
• Self monitoring
• Self diagnostics
Open
• Standard web UI
• REST API (pull)
• Event notification (push)
• Tetration applications