This document provides an overview of Cisco Tetration, which is a platform that provides application dependency mapping, segmentation, and security across data centers, public clouds, and hybrid environments. It analyzes network traffic using software sensors to map application dependencies and clusters. It then generates whitelist policies and enforces segmentation policies across workloads to limit communication based on application ownership and intent-based rules. The platform also provides capabilities for compliance monitoring, inventory tracking, performance monitoring, and ecosystem integration. It has various deployment options including on-premises, public cloud, and as a managed service.

1. © 2017 Cisco and/or its affiliates. All rights reserved. 1
Nadir Lakhani
Technical Solutions Architect
April, 2018
Cisco
Connect Your Time
Is Now
Application Insight and
Zero-Trust Policies with
Cisco Tetration

2. What does Tetration mean?
• Tetration (or Hyper -4) is the next hyperoperation after exponentiation, and is defined as iterated
exponentiation. The word was coined by Reuben Louis Goodstein, from tetra – (four) and iteration.
Tetration is used for the notation of very large numbers.

3. Rapid App
Deployment
Continuous Development
Application Mobility
Micro Services
Policy
Enforcement
Heterogeneous Network
Secure Zero-Trust
Policy Compliance
Security Challenges in Modern Data Centers
Securing Applications Has Become Complex
Applications Are Driving Modern Datacenter Infrastructure

4. Cisco Tetration Platform
Use Cases
Application
Insight
Process
Inventory
Visibility and
Forensics
Cisco Tetration™
Platform
Foundation
Segmentation
Operations
White-list Policy Policy
Compliance
Application
Segmentation
Process
Security
Software
Inventory
Baseline
Advanced Security
Neighborhood
Graphs
Network
and TCP
Performance

5. Cisco Tetration Platform
Architecture Overview
Web GUI REST API
Event
notification
Cisco
Tetration apps
Third-Party
Sources
(Configuration Data)
Software Sensor and Enforcement
Data Collection Layer
Container Host Sensors*
Embedded Network Sensors
(Telemetry Only)
ERSPAN Sensors
(Telemetry Only)
Netflow Sensors*
(Telemetry Only)
Analytics Engine
*Support coming in Q2CY18

6. Cisco Tetration analytics data sources
Main features
ü Low CPU overhead (SLA enforced)
ü Low network overhead
ü New Enforcement point (software agents)
ü Highly secure (code signed and authenticated)
ü Every flow (no sampling) and no payload
*Note: Available for POC/Trail purposes only
Software sensors
Linux servers
(virtual machine and bare metal)
Windows servers
(virtual machines and bare metal)
Windows Desktop VM
(virtual desktop infrastructure only)
Cisco Nexus 9300 EX
Cisco Nexus 9300 FX
Network sensors
Next-generation Cisco Nexus® Series Switches
Other Sensors
Other types of sensorsAvailable today
Container Host*
(Host OS – Linux Based)
ERSPAN Sensor
Netflow Sensor*
*Support coming in Q2CY18

7. 7© 2017 Cisco and/or its affiliates. All rights reserved.
Application Dependency Mapping

8. Application Dependency and Cluster Grouping
Bare-metal, VM,
and switch
telemetry
Cisco Tetration
Analytics™ platform
Unsupervised machine
learning
Behavior analysis
On-premises and cloud workloads (AWS)
Bare-metal and
VM telemetry
VM telemetry
(AMI …)
BM VM
BMVM
VM BM
BMVM
BM
VM BM
VMVM
Bare metal and VM
BM VM VM BM
Brownfield
üüü ü
BM VM VM BM
üüü ü
Network-only sensors,
host-only sensors, or both (preferred)
BM VM VM VM BM
Cisco Nexus® 9000 Series ü

9. Application clusters
conversation views Policy details
Application Conversation View

10. Whitelist Policy Recommendation
Application discovery
{
"src_name": "App",
"dst_name": "Web",
"whitelist": [
{
"port": [0, 0],
"proto": 1,
"action": "ALLOW"
},
{
"port": [80, 80],
"proto": 6,
"action": "ALLOW"
},
{
"port": [443, 443],
"proto": 6,
"action": "ALLOW"
}
]
}
Whitelist policy recommendation
(available in JSON, XML, and YAML)

11. © 2016 Cisco and/or its affiliates. All rights reserved. 11
Compliance, Policy Validation
All Flows are tracked 4 ways
• Permitted, bidirectional flows
that match the policy
• Misdropped, permitted traffic
where we have dropped a
packet
• Escaped, bidirectional flows
that are against the policy
• Rejected, uni-directional
flows that are against the
policy

12. User-Uploaded asset tags
• Discovered inventory
• Uploaded inventory and metadata (32 arbitrary tags)
• Inventory tracked in real time, along with historical trends
User-uploaded tags
Cisco Tetration Analytics™
sensor feed
Real-time inventory merged with
information with historical trends
Cisco Tetration
Analytics
merge
operation
VMware vCenter
(virtual machine attributes)
AWS attributes
(AWS tags)

13. Segmentation Policy: Express Policies in Human
Language
Development can’t talk to production
• Cisco Tetration™ knows who is production
• Cisco Tetration knows who is development
• Policies are continuously updated as applications change

14. 14© 2017 Cisco and/or its affiliates. All rights reserved.
Application segmentation

15. Cisco Tetration application segmentation
Policy recommendation
Cisco
Tetration™
Application workspaces
Application
segmentation
policy
Public
cloud
Private
cloud
On-premise

16. How Does it Work?
Cisco Tetration™ automatically converts your intent into blacklist and
whitelist rules
Intent Rules
Block nonproduction applications from
talking to production applications
SOURCE 10.0.0.0/8
DEST 128.0.0.0/8
Allow HR applications to use the
employee database
SOURCE 128.0.10.0/24
DEST 128.0.11.0/24
Block all HTTP connections that are not
destined for web servers
SOURCE * DEST
128.0.100.0/24 PORT = 80
SOURCE * DEST * PORT = 80

17. Rule-Processing Order
• Application owners need some amount of autonomy to
make application-level
changes quickly
• Security and network teams
need to control the global aspects
of application interconnection
and shared services
• Cisco Tetration™ flattens intent in a
deterministic order, prioritizing
intent of higher-authority users over intent of
application owners
Security team rules
Network team rules
Application owner rules

18. Enforcement of policy across any floor tile
Azure Amazon
Cisco Tetration Analytics™
1. Generates unique policy
per workload
2. Pushes policy to all
workloads
3. Workload securely enforces
policy
4. Continuously recomputes
policy from identity and
classification changes
Google
Enforcement
Compliance monitoring
VirtualBare metal Cisco ACITMPublic cloud Traditional network

19. © 2016 Cisco and/or its affiliates. All rights reserved. 19
Tetration Policy Enforcement in Cisco ACI
Cisco Tetration
Analytics™
Northbound REST
Interface
• Use Tetration fine grained ADM to create
ACI compatible Policy*
• Assign Tetration policy elements to ACI
policy elements
• Understand the impact (TCAM) of policy
• Provide optimizations to efficiently fit policy
in fabric
Tetration
ACI App
Application White-
list App
*Not all Tetration policy features can be supported by ACI
Cisco Tetration Analytics™

20. © 2016 Cisco and/or its affiliates. All rights reserved. 20
Cisco ACI Fabric Enforcement – TCAM Optimization
For a large deployment
Applying generalization to Top 5
policy groups
Results in
160K
78%
TCAM saving
• Adjust the policy enforcement mechanism based on
TCAM utilization
• Enforce as-is
• Enforce outgoing connection as-is (Incoming will be
generalized)
• Enforce incoming as-is (outgoing will be generalized)
• Generalize enforcement in both directions
• Visualize TCAM impact on associated leaf switches

21. 21© 2017 Cisco and/or its affiliates. All rights reserved.
Network performance

22. Performance monitoring
With deep-visibility software sensors only
Cisco
Tetration™
With deep-visibility software sensors
installed on servers Application limited
• Process or server cannot drain traffic fast enough
• Identify whether limitation is on provider or consumer slide
Network limited
• Network congestion is causing TCP congestion
and window collapse
Enhanced TCP metrics
• SRTT latency
• Application-perceived latency
• TCP retransmissions
• TCP congestion window reduced
• TCP MSS changed
• TCP zero window
• Long TCP handshakes

23. Performance monitoring
With Cisco ACI and Cisco Nexus 9300 FX switches only
Cisco
Tetration™
Cisco ACI™ infrastructure using Cisco
Nexus® 9300 FX leaf switches and Cisco
Nexus 9300 FX line cards in spine
Track topology and topology changes using time series
• Covers fabric and external devices such as servers (LLDP required)
• Flow-context-specific topology views
View traffic flow information in time series
• Mapping of individual flows to fabric topology and queues
• Per-flow hop-by-hop path view
• Per-hop latency and fabric latency
• Fabric drop indicators
View link and queue information in a fabric in time series
• Flows through a particular link
• Throughput information
• Average and maximum latency
• Drop indicators
Additional flow search capabilities
• Search for specific flows within a link and queue
• Search based on fabric links
• Search based on class of service
*PTP required in production fabric

24. 24© 2017 Cisco and/or its affiliates. All rights reserved.
Other use cases

25. • Dedicated virtual machines on each host with 3 software sensors in each virtual machine
• Each sensor binds to a separate vNIC
• ERSPAN terminates on the virtual machine vNIC
• Each sensor terminates one ERSPAN session
• Sensor generates telemetry based on the data-plane traffic
• Horizontally scalable
Layer 3 connection
ERSPAN
Layer 3 switch
Cisco Tetration telemetry: ERSPAN option
Expanded telemetry
collection option
• Augment telemetry from other
parts of the network
• Useful when software sensor
or hardware sensor is not
feasible
Cisco Tetration™
telemetry
Cisco Tetration™
Platform
Production
network
Production
network

26. Insight-based notification: Neighborhood graphs
Cisco Tetration
Analytics™
Kafka
broker
Northbound
consumers
Northbound
consumers
Message publish
Kafka
Neighborhood graphs
• Find up to two-hop
communication neighbors for
a selected workload
• Drill down into details about
communication between
these neighbors
• View dashboard display
using graph database
• Determine the number
of server hops between
two workloads
• Get out-of-the-box
and customer alerts
through Kafka

27. Virtual Desktop Infrastructure: Visualization
Main features
ü Support Microsoft Windows Desktop 7, 8, and 10
ü Get per-packet, per-flow visibility
ü Correlate traffic with process on the desktop instances
ü Tie VDI user traffic to application workspace
VDI instances
Cisco Tetration
Analytics™

28. Policy-related notification
Cisco Tetration
Analytics™
Kafka
broker
Northbound
consumers
Northbound
consumers
Message publish
Kafka
• Alerts every minute
for enforcement
• Policy compliance
event notifications
• Count of policy alerts
until whitelisted
• Alerts when IP tables or
firewall is flushed or disabled
by user
• Alerts when enforcement
sensor is disabled
• Publishes policy differences
between versions

29. 29© 2017 Cisco and/or its affiliates. All rights reserved.
Deployment options

30. Cisco Tetration Cloud
• Software deployed in public
cloud
• Suitable for deployments of
less than 1000 workloads
• Public cloud instance owned
by customer
Cisco Tetration™ platform
(large form factor)
• Suitable for deployments of
more than 5000 workloads
• Built-in redundancy
• Scales to up to 25,000
workloads
Includes:
• 36 Cisco UCS® C220
servers
• 3 Cisco Nexus® 9300
platform switches
Cisco Tetration-M (small
form factor)
• Suitable for deployments
of less than 5000
workloads
Includes:
• 6 Cisco UCS C220
servers
• 2 Cisco Nexus 9300
platform switches
Cisco Tetration: On-Premises Deployment options
Amazon
Web Services
Hardware Options Public cloud
Microsoft
Azure
Software Only Option
Cisco Tetration Software
only option
• Suitable for deployments of
less than 1000 workloads
• Published hardware
requirements
• Supported in Vmware ESXi
based environment
Coming in
Q2CY18

31. Cisco Tetration™ as a Service
• Software as a Service model: no need to
purchase, install and manage hardware or
software
• Fully managed and operated by Cisco
• Suitable for commercial customers and
SaaS-first/SaaS-only customers
• Flexible pricing model, lower barrier to
entry
• Quick turn up
• Scales to up to 25,000 workloads
Cisco Tetration : As-a-Service Option
Cisco Tetration as a Service
Coming in
Q2CY18

32. 32© 2017 Cisco and/or its affiliates. All rights reserved.
Ecosystem

33. Cisco Tetration Analytics: Ecosystem
Cisco Tetration
Analytics™
Application Dependency Layer4-7 Services
Enforcement Visibility and Optimization
Insight exchange

34. Open
In summary: Platform built for scale and flexibility
Real time and scalable
Holistic workload
protection
Easy to use
• Every packet, every flow
• Application segmentation
for 1000s of applications
• Extends visibility to
process and software
packages
• Long term
data retention
• Consistent application
segmentation
• Any workload, anywhere
• Process behavior
deviations
• Software package
vulnerability
• One touch deployment
• Self monitoring
• Self diagnostics
• Standard web UI
• REST API (pull)
• Event notification (push)
• Tetration applications

35. Thank you.