Cisco Tetration Analytics is the latest Cisco innovation to provide visibility into everything in the data center in real-time. It is designed to help customers understand the applications running in the Data Centers, help them build policies around that application for the Data Center, and enforce the policy right down to the network or host level. To learn more about Cisco Tetration Analytics, please go to:
The F5 team has been working closely with the Cisco Tetration team to bring the rich L4-L7 data from BIG-IP into Tetration. We primarily focus on two enhancement areas:
Cisco Tetration uses sensors on switches, hosts to collect flow Data at high speed in the Data Center, the sensors annotates data with host specific information called context information which is send to Tetration Cluster for Analytics. Since most of the deployments will have BIG-IP in the Data Center acting as proxy due to which the flow is split into multiple flows and the context information is lost. BIG-IP integration with Cisco Tetration provides the complete end to end flow visibility for applications running in Data Center.
With F5 BIG-IP and Cisco Tetration integration, BIG-IP customers can enhance Tetration Analytics visibility by adding iRules to the virtual server:
How do I use Tetration with BIG-IP ?
You need to configure BIG-IP with Publisher log, IPFIX Pool and use TCP or UDP iRules to intercept the application traffic at various events. The IPFIX template on BIG-IP is created using iRules and it is send to the F5 Tetration Sensor which in turn forwards the flow details to the Tetration Cluster. Tetration Cluster can visualize the flow information in the Related flow tab on the Cluster, this helps the Operations folks to troubleshoot in case there is a problem or can visualize the complete flow information even though BIG-IP proxy exists. For more details to configure BIG-IP for flow stitching refer to https://github.com/f5devcentral/f5-tetration
After F5 BIG-IP IPFIX Collector Appliance is deployed, in the Tetration Flow Search panel, a “Related Flow” option is available:
What is Policy Enforcement ?
Tetration has the ability to map the application as it is running on the network, it can do workload behavior analysis and look at characteristics of workloads like; Do they run similar process ? Do they open similar ports? What kind of neighbors do they talk to? Are they part of the same service? ...and so on. All of this information is used to create a proper map of the application to create a whitelist policy which can be pushed to BIG-IP through Tetration Cluster. Based on the policy defined in Tetration, the enforcement agent can translate into L4 firewall rules and update F5 BIG-IP AFM (Advanced Firewall Manager) using REST API. The innovation extends the policy enforcement from the host level to L4-L7 ADV device, allowing an administrator to build a truly zero-trust data center model.