F5 BIGIP + Cisco Tetration: Application Centric Visibility
Cisco Tetration Analytics is Cisco's platform for real-time visibility into everything running in the data center. It is designed to help customers understand the applications running in their data centers, build policies around those applications, and enforce the policy right down to the network or host level. To learn more about Cisco Tetration Analytics, see:
http://www.cisco.com/go/tetration
The F5 team has been working closely with the Cisco Tetration team to bring the rich L4-L7 data from BIG-IP into Tetration. We primarily focus on two enhancement areas:
- Application Telemetry
- Policy Enforcement
Application Telemetry
Cisco Tetration uses sensors on switches and hosts to collect flow data at high speed in the data center. The sensors annotate that data with host-specific information, called context, which is sent to the Tetration cluster for analytics. Most deployments have a BIG-IP in the data center acting as a full proxy: each client connection is terminated on BIG-IP and a separate server-side connection is opened, so one logical application flow appears to Tetration as two unrelated flows and the context is lost across the proxy boundary. The BIG-IP integration with Cisco Tetration restores complete end-to-end flow visibility for applications running in the data center.
With the F5 BIG-IP and Cisco Tetration integration, BIG-IP customers can enhance Tetration Analytics visibility by adding the Tetration iRules to the virtual server:
How do I use Tetration with BIG-IP ?
You need to configure BIG-IP with an IPFIX pool (whose members are the F5 Tetration Sensor collectors), an IPFIX log destination and a log publisher that references it, and then attach TCP or UDP iRules to the virtual server to intercept the application traffic at the relevant events. The iRules create the IPFIX template on BIG-IP and send the flow records to the F5 Tetration Sensor, which in turn forwards the flow details to the Tetration cluster. The cluster shows the information in the Related Flow tab, so operations staff can see the complete flow, and troubleshoot a problem, even though a BIG-IP proxy sits in the path. For details on configuring BIG-IP for flow stitching, refer to https://github.com/f5devcentral/f5-tetration
After the F5 BIG-IP IPFIX collector appliance is deployed, a "Related Flow" option is available in the Tetration Flow Search panel:
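To make the template-then-data mechanism concrete, here is an added example (not code from F5, Cisco or the f5-tetration repository) of the round trip described above: it builds the kind of IPFIX record an iRule can export for one proxied connection, carrying both the client-side and the server-side 5-tuple in a single record, and decodes it the way a collector such as the F5 Tetration Sensor must, learning the template before it can interpret any data set. The IE numbers are the IANA-assigned ones; the template ID, observation domain, sample addresses, and the choice of the postNAT*/postNAPT* elements to carry the server-side tuple are assumptions, not the template the f5-tetration iRules actually use.

```python
"""IPFIX round trip for a proxied flow (added example; IE ids are IANA, the rest
are assumptions). Exporter side: template set + data set. Collector side: learn
templates per observation domain, then decode data sets against them."""
import socket
import struct

IPFIX_VERSION = 10
TEMPLATE_SET_ID = 2

# (name, IANA IE id, length in bytes). First five: client-side tuple as seen by BIG-IP;
# postNAT*/postNAPT*: the server-side tuple BIG-IP uses after SNAT (assumed layout).
TEMPLATE_FIELDS = [
    ("sourceIPv4Address", 8, 4), ("destinationIPv4Address", 12, 4),
    ("sourceTransportPort", 7, 2), ("destinationTransportPort", 11, 2),
    ("protocolIdentifier", 4, 1),
    ("postNATSourceIPv4Address", 225, 4), ("postNATDestinationIPv4Address", 226, 4),
    ("postNAPTSourceTransportPort", 227, 2), ("postNAPTDestinationTransportPort", 228, 2),
    ("octetDeltaCount", 1, 8),
]
IE_NAMES = {ie: name for name, ie, _ in TEMPLATE_FIELDS}


def build_template_set(template_id):
    body = struct.pack("!HH", template_id, len(TEMPLATE_FIELDS))
    body += b"".join(struct.pack("!HH", ie, ln) for _, ie, ln in TEMPLATE_FIELDS)
    return struct.pack("!HH", TEMPLATE_SET_ID, 4 + len(body)) + body


def build_data_set(template_id, record):
    body = b"".join(socket.inet_aton(record[n]) if n.endswith("Address")
                    else record[n].to_bytes(ln, "big") for n, _, ln in TEMPLATE_FIELDS)
    return struct.pack("!HH", template_id, 4 + len(body)) + body


def build_message(sets, seq, domain, export_time=0):
    payload = b"".join(sets)
    hdr = struct.pack("!HHIII", IPFIX_VERSION, 16 + len(payload), export_time, seq, domain)
    return hdr + payload


class Collector:
    """Minimal collector: templates are keyed by (observation domain, template id)."""

    def __init__(self):
        self.templates = {}
        self.records = []

    def feed(self, msg):
        version, length, _t, seq, domain = struct.unpack("!HHIII", msg[:16])
        if version != IPFIX_VERSION or length != len(msg):
            raise ValueError("bad IPFIX header")
        off = 16
        while off + 4 <= length:
            set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
            if set_len < 4 or off + set_len > length:
                raise ValueError("bad set length")
            body = msg[off + 4:off + set_len]
            if set_id == TEMPLATE_SET_ID:
                self._learn(domain, body)
            elif set_id >= 256:                 # data set (options templates, id 3, ignored)
                self._decode(domain, set_id, body)
            off += set_len
        return seq

    def _learn(self, domain, body):
        pos = 0
        while pos + 4 <= len(body):
            tid, count = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            fields = []
            for _ in range(count):
                ie, ln = struct.unpack("!HH", body[pos:pos + 4])
                pos += 4
                if ie & 0x8000:                 # enterprise-specific IE: 4-byte PEN follows
                    pos += 4
                fields.append((ie & 0x7FFF, ln))
            self.templates[(domain, tid)] = fields

    def _decode(self, domain, tid, body):
        fields = self.templates.get((domain, tid))
        if fields is None:
            return                              # data before its template: dropped here
        rec_len, pos = sum(ln for _, ln in fields), 0
        while rec_len and pos + rec_len <= len(body):
            rec = {}
            for ie, ln in fields:
                raw, pos = body[pos:pos + ln], pos + ln
                name = IE_NAMES.get(ie, "ie%d" % ie)
                rec[name] = socket.inet_ntoa(raw) if name.endswith("Address") else int.from_bytes(raw, "big")
            self.records.append(rec)


def related_flows(rec):
    """The two TCP connections of one proxied session, as a Related Flow view pairs them."""
    return {"client_side": (rec["sourceIPv4Address"], rec["sourceTransportPort"],
                            rec["destinationIPv4Address"], rec["destinationTransportPort"]),
            "server_side": (rec["postNATSourceIPv4Address"], rec["postNAPTSourceTransportPort"],
                            rec["postNATDestinationIPv4Address"], rec["postNAPTDestinationTransportPort"])}


# Constructed sample: client 203.0.113.10:51234 -> virtual 198.51.100.5:443,
# BIG-IP SNAT 10.0.0.2:40000 -> pool member 10.0.0.20:8443.
SAMPLE = {"sourceIPv4Address": "203.0.113.10", "destinationIPv4Address": "198.51.100.5",
          "sourceTransportPort": 51234, "destinationTransportPort": 443, "protocolIdentifier": 6,
          "postNATSourceIPv4Address": "10.0.0.2", "postNATDestinationIPv4Address": "10.0.0.20",
          "postNAPTSourceTransportPort": 40000, "postNAPTDestinationTransportPort": 8443,
          "octetDeltaCount": 18342}


def demo(template_id=256, domain=1):
    c = Collector()
    data = build_data_set(template_id, SAMPLE)
    c.feed(build_message([data], seq=0, domain=domain))        # template unknown: record dropped
    dropped = len(c.records) == 0
    c.feed(build_message([build_template_set(template_id), data], seq=1, domain=domain))
    return dropped, c.records


if __name__ == "__main__":
    print(demo())
```

The first feed shows the failure mode worth remembering when the Related Flow tab stays empty: a data set that arrives before its template is undecodable, which is why exporters resend templates periodically and why restarting the collector without restarting the exporter can lose records until the next template refresh.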
What is Policy Enforcement ?
Tetration can map the application as it actually runs on the network: it analyzes workload behavior and looks at characteristics such as whether workloads run similar processes, open similar ports, talk to similar neighbors, or belong to the same service. This information is used to build an accurate map of the application and derive a whitelist policy, which the Tetration cluster can push to BIG-IP. Based on the policy defined in Tetration, the enforcement agent translates it into L4 firewall rules and updates F5 BIG-IP AFM (Advanced Firewall Manager) through the REST API. This extends policy enforcement from the host level to the L4-L7 ADC, allowing an administrator to build a true zero-trust data center model.
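The translation step above is the part a practitioner usually has to reason about: an allowlist policy only holds if the rule order is preserved and an explicit default deny closes it. The following is an added example, not Tetration's enforcement agent or F5 code, that turns a small Tetration-style policy (consumer scope, provider scope, protocol, port, action) into an AFM firewall policy and shows how it would be pushed and attached over iControl REST. The input format, scope definitions and rule naming are assumptions; the AFM REST objects used (`/mgmt/tm/security/firewall/policy` with `action`, `ipProtocol`, `source`, `destination` and `log` on each rule, and `fwEnforcedPolicy` on the virtual server) are as the author understands them and should be checked against your TMOS version.

```python
"""Tetration-style allowlist -> AFM firewall policy (added example; input format,
scope data and rule names are assumptions, REST object shapes as understood by the
author)."""
import base64
import json
import urllib.error
import urllib.request

ACTION_MAP = {"ALLOW": "accept", "DENY": "drop"}

# Constructed sample: scopes already resolved to addresses, policy in Tetration order.
SCOPES = {
    "web-clients": ["203.0.113.0/24"], "web-vip": ["198.51.100.5"],
    "web-tier": ["10.0.1.0/24"], "db-tier": ["10.0.2.10", "10.0.2.11"],
}
TETRATION_POLICY = [
    {"consumer": "web-clients", "provider": "web-vip", "proto": "tcp", "port": 443, "action": "ALLOW"},
    {"consumer": "web-tier", "provider": "db-tier", "proto": "tcp", "port": 5432, "action": "ALLOW"},
    {"consumer": "web-tier", "provider": "db-tier", "proto": "tcp", "port": 5432, "action": "ALLOW"},
    {"consumer": "web-clients", "provider": "web-vip", "proto": "tcp", "port": 22, "action": "DENY"},
]


def to_afm_policy(name, policy, scopes):
    """AFM evaluates rules top to bottom, first match wins, so the order Tetration gave
    is kept, exact duplicates are dropped, and a logged drop closes the allowlist."""
    rules, seen = [], set()
    for p in policy:
        if p["action"] not in ACTION_MAP:
            raise ValueError("unsupported action %r" % p["action"])
        src, dst = scopes[p["consumer"]], scopes[p["provider"]]
        key = (tuple(src), tuple(dst), p["proto"], p["port"], p["action"])
        if key in seen:
            continue
        seen.add(key)
        rules.append({
            "name": "r%03d_%s_to_%s_%s%d" % (len(rules), p["consumer"], p["provider"], p["proto"], p["port"]),
            "action": ACTION_MAP[p["action"]],
            "ipProtocol": p["proto"],
            "source": {"addresses": [{"name": a} for a in src]},
            "destination": {"addresses": [{"name": a} for a in dst],
                            "ports": [{"name": str(p["port"])}]},
            "log": "yes",
        })
    rules.append({"name": "zzz_default_deny", "action": "drop", "log": "yes"})
    return {"name": name, "partition": "Common", "rules": rules}


def push_policy(host, user, password, policy, virtual_server):
    """Create the policy (replace it on 409, i.e. it already exists) and attach it as the
    enforced policy of a virtual server. Needs a reachable BIG-IP; not used by the demo."""
    auth = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()

    def call(method, path, body):
        req = urllib.request.Request("https://%s%s" % (host, path), method=method,
                                     data=json.dumps(body).encode(),
                                     headers={"Authorization": "Basic " + auth,
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:   # TLS verified against the trust store
            return json.load(resp)

    try:
        call("POST", "/mgmt/tm/security/firewall/policy", policy)
    except urllib.error.HTTPError as e:
        if e.code != 409:
            raise
        call("PUT", "/mgmt/tm/security/firewall/policy/~Common~%s" % policy["name"], policy)
    call("PATCH", "/mgmt/tm/ltm/virtual/~Common~%s" % virtual_server,
         {"fwEnforcedPolicy": "/Common/%s" % policy["name"]})


if __name__ == "__main__":
    print(json.dumps(to_afm_policy("tetration_app1", TETRATION_POLICY, SCOPES), indent=2))
```

Two checks before wiring this to a real enforcement loop: confirm that the generated policy ends with the default-deny rule and nothing is appended after it, and test a replacement push (the 409 path) on a lab virtual server, since a PUT that fails halfway leaves the previous policy enforced rather than an empty one, which is the safe direction.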
To learn more, visit:
Cisco Tetration F5 BIG-IP Solution Brief
- SWJO (Cirrostratus)
Hi
You did nice work!
I have some questions.
1. Is the F5 BIG-IP IPFIX collector a new product, or just an appliance type?
2. How does the ADC send traffic data to the IPFIX collector? Using mirror or clone pool?
3. In the picture in "Application Telemetry", the client and server send data to Cisco Tetration. Do both units have to install something,
or does it just express that both units' data is going to Tetration?
- Sanjay_Shitole (Employee)
hi swjo,
please see my comments below
1. Is the F5 BIG-IP IPFIX collector a new product, or just an appliance type?
ans: The F5 BIG-IP IPFIX collector is not a new product; you can use the same existing BIG-IP or BIG-IP VE to send IPFIX traffic to an F5 Tetration Sensor (which is a new IPFIX collector built by Cisco Tetration).
2. How does the ADC send traffic data to the IPFIX collector? Using mirror or clone pool?
ans: It uses a separate data pool to send the data; you need to create a separate IPFIX pool in the data plane. You can find more details in this article.
3. In the picture in "Application Telemetry", the client and server send data to Cisco Tetration. Do both units have to install something?
ans: Yes, typically you will have the Tetration Sensor installed on client and server, which will send more detailed information like processes running on your system, packets out, security events, etc. For more details please refer to Cisco Tetration.
- Saul_Andres_Riv (Altostratus)
Hi Sanjay Shitole
I have tried the step-by-step instructions in the article but I have not succeeded.
I downloaded the iRule found on GitHub and associated it with a virtual server where I have a web application, and it doesn't send data.
https://github.com/f5devcentral/f5-tetration
My version of TMOS is 12.1.4.1
Do you know if I have to perform any additional process?
Thank you.
regards
- Sanjay_Shitole (Employee)
Hi Saul,
What type of virtual server are you using? If it's TCP, please use https://github.com/f5devcentral/f5-tetration/blob/master/irules/Tetration_TCP_L4_ipfix.tcl
out of these 3 iRules. Also, you can use the script to automatically upload and configure the iRules for you. You can check the Protocol option of the virtual server to confirm.
- Saul_Andres_Riv (Altostratus)
Hi Sanjay Shitole
Yes, my virtual server is TCP and I am using that iRule. Being a web application, I also used the HTTP iRule.
On the other hand, I used the script for the automatic process from my Mac, but in none of the 3 cases did it work for me.
If you have any other suggestions, I would appreciate it.
regards
- louis (Nimbostratus)
May I know the performance impact of enabling IPFIX on BIG-IP? Is there any reference data or lab data that can be shared?