© 2018 Cisco and/or its affiliates. All rights reserved. Cisco Public
Cisco Spark
Questions? Use Cisco Spark to communicate with the speaker after the session
How
1. Find this session in the Cisco Live Mobile App
2. Click “Join the Discussion”
3. Install Spark or go directly to the space
4. Enter messages/questions in the space
cs.co/ciscolivebot#BRKACI-2509
Agenda
• Introduction
• Accessing Tetration Data
• Data at our Fingertips
• Use Cases – Application Upgrades and Migrations
• Use Cases – Security
• Use Cases – Exploratory Analysis
• Conclusion
Introduction
• Flow Analysis
• Tetration Overview
• Sensors
• Data Flow
• Data Access
• Data Security
Introduction
[Figure panels: Mobile Devices in 2014; IoT Devices in 2018; IoT Devices in 2020]
Sources: https://www.gsmaintelligence.com/ and https://www.gartner.com/newsroom/id/3598917
Cisco Tetration: Architecture overview
• Data collection layer
  • Software sensor and enforcement
  • Embedded network sensors (telemetry only)
  • ERSPAN sensors (telemetry only)
  • Third-party sources (configuration data)
  • Bring your own data (streaming telemetry)
• Analytics engine
• Access mechanism
  • Web GUI
  • REST API
  • Event notification
  • Cisco Tetration apps
Cisco Tetration Data Sources
Software sensors
• Linux servers (virtual machine and bare metal)
• Windows servers (virtual machines and bare metal)
• Windows Desktop VM (virtual desktop infrastructure only)
• Universal* (basic sensor for other OS)
Main features
• Low CPU overhead (SLA enforced)
• Low network overhead
• New: Enforcement point (software agents)
• Highly secure (code signed and authenticated)
• Every flow (no sampling) and no payload
*Note: No per-packet telemetry; not an enforcement point
Network sensors
• Next-generation Cisco Nexus® Series Switches
  • Cisco Nexus 9300 EX
  • Cisco Nexus 9300 FX
ERSPAN
Third-party sources
• Asset tagging
• Load balancers
• IP address management
• CMDB
• …
Third-party data sources: Available today
Cisco Tetration Telemetry: ERSPAN Option
• Dedicated virtual machines on each host with 4 software sensors in each virtual machine
• Each sensor binds to a separate vNIC
• ERSPAN terminates on the virtual machine vNIC
• Each sensor terminates one ERSPAN session
• Sensor generates telemetry based on the data-plane traffic
• Horizontally scalable
Expanded telemetry collection option
• Augment telemetry from other parts of the network
• Useful when software sensor or hardware sensor is not feasible
[Diagram labels: Production network; Layer 3 switch; ERSPAN; Layer 3 connection; Cisco Tetration telemetry; Cisco Tetration™ platform]
Introduction
• Concepts
  • Pipeline – Fed by collectors; moves/copies data to the appropriate places
  • Serving Layer – An optimized store of flow data for rapid UI queries
  • Data Lake – Storage of all data flows, configuration and statistics
[Diagram labels: Sensors; Collectors; Pipeline; Serving Layer; Data Lake; Data Platform; User Interface; OpenAPI; Cisco Tetration™ platform]
Cisco Tetration Analytics: Open API
REST API
• Cisco Tetration flow search
• Sensor management
Push notification
• Out-of-the-box events
• User-defined events
Cisco Tetration applications
• Access to data lake
• Write your own application
[Diagram labels: Cisco Tetration Analytics™ platform; Programmatic interface; REST API; Northbound application; Message publish; Kafka broker; Northbound consumers; Cisco Tetration™ applications]
Role Based Access Control via Scopes
Scopes, Roles and Users
• Scopes – Used to group together assets and/or endpoints
• Roles – Define access to scopes; set of capabilities
• Users – Assigned to roles
OpenAPI
Representational state transfer (REST) or RESTful web services are a way of providing interoperability between computer systems on the Internet. REST-compliant Web services allow requesting systems to access and manipulate textual representations of Web resources using a uniform and predefined set of stateless operations.
Via: https://en.wikipedia.org/wiki/Representational_state_transfer
Accessing Tetration Data
OpenAPI
• REST interface via HTTPS
• Self-generated keys, based on Role Based Access Control
• Keys and hash required for each transaction
• Queries current data
• Leverages the same underlying components as the User Interface
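The "keys and hash required for each transaction" bullet describes per-request signing. The following is an added example, not code from the session or from Cisco, showing what that buys a defender: a request whose body is altered, that is replayed later, or that carries an unknown key fails verification. The canonical string layout, the path /example/flowsearch, the request body and the 300-second window are assumptions for illustration, not Tetration's documented wire format.

```python
import base64
import hashlib
import hmac

MAX_SKEW_SECONDS = 300  # assumed freshness window for the timestamp


def sign_request(api_secret, method, path, body, timestamp):
    """Client side: hash the body, then HMAC the request description."""
    checksum = hashlib.sha256(body).hexdigest()
    canonical = "\n".join([method.upper(), path, checksum, timestamp])
    mac = hmac.new(api_secret.encode(), canonical.encode(), hashlib.sha256)
    return base64.b64encode(mac.digest()).decode()


def verify_request(secrets, api_key, method, path, body, timestamp, signature, now):
    """Server side: known key, fresh timestamp, hash matches this exact request."""
    secret = secrets.get(api_key)
    if secret is None:
        return "unknown key"
    if not timestamp.isdigit() or abs(now - int(timestamp)) > MAX_SKEW_SECONDS:
        return "stale timestamp"
    expected = sign_request(secret, method, path, body, timestamp)
    if not hmac.compare_digest(expected, signature):  # constant-time comparison
        return "bad signature"
    return "ok"


def demo():
    # Constructed credentials and request; the path and body are hypothetical.
    key_id, secret = "constructed-key-id", "constructed-secret"
    secrets = {key_id: secret}
    method, path, ts = "POST", "/example/flowsearch", "1517500000"
    body = b'{"scopeName": "Tetration", "limit": 10}'
    sig = sign_request(secret, method, path, body, ts)
    now = int(ts) + 5
    return {
        "valid": verify_request(secrets, key_id, method, path, body, ts, sig, now),
        "tampered": verify_request(secrets, key_id, method, path, body + b" ", ts, sig, now),
        "replayed": verify_request(secrets, key_id, method, path, body, ts, sig, now + 3600),
        "unknown": verify_request(secrets, "other-key", method, path, body, ts, sig, now),
    }


if __name__ == "__main__":
    print(demo())
```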
Data Platform
The Tetration Data Platform allows code to be created and run on the Tetration Appliance. Users can interact with large datasets and harness the power of the analytics appliance without having to migrate the data to an additional platform.
Accessing Tetration Data
Data Platform User Applications
• Security
  • Role Based Access Control
  • Data Platform Access
  • Data via Scope
• Documentation
  • User Guide
  • App Options
  • Samples
Accessing Tetration Data
Data Platform User Applications
[Diagram labels: Tetration Analytics; User Data; Data Platform; Data Lake; Kafka; OpenAPI; Dashboard]
OpenAPI Endpoints
• Scope
• Applications
• User Defined Annotations
• VRFs
• Switches
• Collection Rules
• Inventory Filters
• Software Agents
• Enforcement
• Roles
• Users
• Inventory
• Flow
Legend: Configuration; Flow referenced; Flow record
Data at our fingertips
Open API - Flows
• Requires
  • API Key
  • Scope
  • Timestamp
• Flow observations are aggregated on a 1-minute interval
• Queries can be for any day
• Individual records contain flow information
• Information Availability
  • Most recent from pipeline
  • Same as Web UI
• Filterable
  • Time
  • Dimension
• Aggregates such as:
  • Raw
  • TopN
  • count
Flow Fields v 2.2.x (For Reference)
• dst_address
• dst_hostname
• dst_port
• dst_scope_name
• fwd_bytes
• fwd_pkts
• proto
• rev_bytes
• rev_pkts
• server_app_latency_usec
• server_stack_latency_usec
• src_address
• src_hostname
• src_port
• src_scope_name
• srtt_available
• srtt_usec
• start_timestamp
• timestamp
• total_network_latency_usec
• total_perceived_latency_usec
• vrf_id
• vrf_name
• 40+ more…
Data at our fingertips
Open API – Software Agent
• Restrictions
  • Requires API Key
• Actions
  • List Software Agents
  • Get a Software Agent
  • Creating Configuration Intents
  • Order Intents
  • Apply / Alter Intent Configuration
• Contains Software Agent
  • OS version
  • Configuration
  • Agent Status
  • Interfaces
  • Netmasks
Data at our fingertips
Open API - Annotations
• Restrictions
  • Requires API Key
• Obtains a CSV list of all the application tags for the Tetration system.
• Actions
  • Add/Delete/Update specific tags
  • Query the annotated facets
  • Flush all annotations

IP              VRF      Department
10.10.127.15    PCI      Finance
10.10.192.3     Default  HR
10.10.172.215   Default  IT
10.10.127.15    PCI      Finance
Data at our fingertips
OpenAPI - Scopes
• Restrictions
  • Requires API Key
• Obtains the attributes of all Scopes
• Actions:
  • List
  • Get
  • Create
  • Update
  • Delete
  • Commit

Field                 Example
filter_type           AppScope
id                    5a06be0b755f0238881fbe9a
name                  Tetration
query                 "type": "eq", "field": "vrf_id", "value": 676767
vrf_id                676767
parent_app_scope_id
child_app_scope_ids   5a0e0a47755f025afc8eda27
Data at our fingertips
OpenAPI - Other
• Roles
• Users
• Inventory Filters
• Inventory
• Applications
  • Create/Update/Delete
  • Enforce/Disable
• Enforcement
• Switches
• Collection Rules
• VRFs
• Orchestrators
Data at our fingertips
Data Platform - Flows
• Longer duration
• Up to last complete hour
Data at our fingertips
Data Platform - Shallow Flows
• Includes Universal sensors
• Aggregated rows on
  • ephemeral port
  • start_timestamp
Data at our fingertips
Data Platform - Machine Info
• Operating System information
• Transmit aggregates
• Receive aggregates
Data at our fingertips
Data Platform - Inventory
• Each Interface
• Transmit aggregates
• Receive aggregates
• User Annotations
• VRF
• Scope
• Application Policy Groups
Use Case: Locate rogue integrations via Data Platform
• A customer was undergoing an upgrade of an application core to the business. This application was leveraged by multiple departments, and the upgrade included schema changes that would/could affect any integrations or automatic reports that were generated off of the databases.
• The customer generated a list of all the database clients and found two that were department-controlled servers leveraging this infrastructure. This was not previously known to the IT team.
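The database-client listing from this use case, as an added example that is not code from the session: it aggregates flow records by source, keeps only flows to the database listener, and reports clients missing from the list IT already knows, tagged with their annotated department. Field names come from the Flow Fields slide and the annotation rows from the Annotations slide; the flow records, the database server address and port, the hostnames and the known-client list are constructed for illustration.

```python
from collections import defaultdict

# Annotations in the IP / VRF / Department shape shown on the Annotations slide.
ANNOTATIONS = {
    "10.10.127.15": {"VRF": "PCI", "Department": "Finance"},
    "10.10.192.3": {"VRF": "Default", "Department": "HR"},
    "10.10.172.215": {"VRF": "Default", "Department": "IT"},
}
DB_SERVERS = {"10.10.50.10"}       # constructed database server address
DB_PORTS = {1521}                  # constructed listener port
KNOWN_CLIENTS = {"10.10.172.215"}  # constructed list of integrations IT knows

# Constructed flow records using field names from the Flow Fields slide.
FIELDS = ("src_address", "src_hostname", "dst_address", "dst_port", "fwd_bytes")
_ROWS = [
    ("10.10.172.215", "it-etl01", "10.10.50.10", 1521, 90412),
    ("10.10.127.15", "fin-report01", "10.10.50.10", 1521, 48213),
    ("10.10.127.15", "fin-report01", "10.10.50.10", 1521, 51877),
    ("10.10.192.3", "hr-dash01", "10.10.50.10", 1521, 7730),
    ("10.10.192.3", "hr-dash01", "10.10.50.10", 22, 1200),    # not a DB port
    ("10.10.172.215", "it-etl01", "10.10.60.20", 443, 3000),  # not a DB server
]
FLOWS = [dict(zip(FIELDS, row)) for row in _ROWS]


def database_clients(flows, servers, ports):
    """Aggregate every source that opened a flow to a database listener."""
    clients = defaultdict(lambda: {"flows": 0, "fwd_bytes": 0, "src_hostname": None})
    for flow in flows:
        if flow["dst_address"] in servers and flow["dst_port"] in ports:
            entry = clients[flow["src_address"]]
            entry["flows"] += 1
            entry["fwd_bytes"] += flow["fwd_bytes"]
            entry["src_hostname"] = flow["src_hostname"]
    return dict(clients)


def unknown_integrations(flows, servers, ports, known, annotations):
    """Database clients missing from the known list, tagged with their owner."""
    report = []
    for ip, stats in sorted(database_clients(flows, servers, ports).items()):
        if ip not in known:
            owner = annotations.get(ip, {}).get("Department", "unannotated")
            report.append({"src_address": ip, "department": owner, **stats})
    return report


if __name__ == "__main__":
    for row in unknown_integrations(FLOWS, DB_SERVERS, DB_PORTS, KNOWN_CLIENTS, ANNOTATIONS):
        print(row)
```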
Use Case: Data Platform and Kafka Broker
Understand Upgrade Latency Impacts
• A customer was looking to monitor the SRTT and ensure that all transactions were completed within a defined interval.
• With User Applications on the Data Platform, they could define what was being monitored, how often, and what the thresholds were.
• With the Data Tap, they were notified via Kafka in their event management system.
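The threshold check from this use case, as an added example that is not code from the session: it groups one-minute flow observations per service, ignores records where srtt_available is false, and builds one JSON alert for each service and minute whose worst srtt_usec exceeds its limit. Field names come from the Flow Fields slide; the flow records, thresholds and alert message layout are constructed, and publishing the message to a Kafka topic is left to the event pipeline.

```python
import json
from collections import defaultdict

# Constructed thresholds: highest acceptable SRTT in microseconds per service.
THRESHOLDS_USEC = {("10.10.50.10", 1521): 5000}

# Constructed one-minute flow observations; field names are from the Flow Fields slide.
FIELDS = ("timestamp", "src_address", "dst_address", "dst_port",
          "srtt_available", "srtt_usec")
_ROWS = [
    ("2018-01-30T10:00:00", "10.10.172.215", "10.10.50.10", 1521, True, 1800),
    ("2018-01-30T10:00:00", "10.10.127.15", "10.10.50.10", 1521, True, 2400),
    ("2018-01-30T10:01:00", "10.10.172.215", "10.10.50.10", 1521, True, 9100),
    ("2018-01-30T10:01:00", "10.10.127.15", "10.10.50.10", 1521, True, 2600),
    ("2018-01-30T10:01:00", "10.10.192.3", "10.10.50.10", 1521, False, 0),
    ("2018-01-30T10:01:00", "10.10.192.3", "10.10.60.20", 443, True, 50000),
]
FLOWS = [dict(zip(FIELDS, row)) for row in _ROWS]


def srtt_alerts(flows, thresholds):
    """Return one JSON alert per service and minute whose worst SRTT exceeds its limit."""
    buckets = defaultdict(list)
    for flow in flows:
        if flow["srtt_available"]:  # skip records that carry no SRTT measurement
            key = (flow["timestamp"], flow["dst_address"], flow["dst_port"])
            buckets[key].append((flow["srtt_usec"], flow["src_address"]))
    alerts = []
    for (minute, address, port), samples in sorted(buckets.items()):
        limit = thresholds.get((address, port))
        if limit is None:
            continue  # no threshold defined for this service
        worst_usec, worst_client = max(samples)
        if worst_usec > limit:
            alerts.append(json.dumps({
                "timestamp": minute, "dst_address": address, "dst_port": port,
                "threshold_usec": limit, "worst_srtt_usec": worst_usec,
                "worst_client": worst_client, "samples": len(samples),
            }, sort_keys=True))
    return alerts


if __name__ == "__main__":
    for message in srtt_alerts(FLOWS, THRESHOLDS_USEC):
        print(message)
```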
Use Case: Security
• How can I keep my User & Role based access control in sync with on-boarding processes?
• What rules are getting used? Is the order efficient?
• Did the last firewall rule change affect latency on any application? Which one?
Use Case: Reporting via OpenAPI
Use Case: Visualizations via OpenAPI
Use Case: Visualizations via OpenAPI (continued)
Use Case: Visualizations via OpenAPI (continued)
• Where are my configurations different?
• Are there single points of failure?
• Where redundancy is configured, is everyone using it?
Use Case: Visualizations via OpenAPI (continued)
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at www.ciscolive.com/global/on-demand-library/.
Related Sessions to Continue Your Education

Session id    Description
LTRACI-2184   Tetration Hands-on Lab from Deployment to Operational Support
PSOACI-4591   Tetration overview
BRKACI-2040   Tetration Analytics – Network Analytics & Machine Learning Enhancing Data Center Security Operations
TECDCT-1757   Technical Seminar for Tetration Analytics
DEVNET-1722   Exploring Tetration APIs
BRKCOC-2006   Inside Cisco IT: ACI & Tetration Analytics
BRKACI-2060   Cisco Tetration: Data Center Analytics Deployment and Use Cases