Sanjay_Shitole
F5 Employee

Cisco Tetration Analytics is the latest Cisco innovation to provide real-time visibility into everything in the data center. It is designed to help customers understand the applications running in their data centers, build policies around those applications, and enforce those policies right down to the network or host level. To learn more about Cisco Tetration Analytics, go to http://www.cisco.com/go/tetration

The F5 team has been working closely with the Cisco Tetration team to bring the rich L4-L7 data from BIG-IP into Tetration. We primarily focus on two enhancement areas:

  1. Application Telemetry
  2. Policy Enforcement 

 

Application Telemetry 

 

Cisco Tetration uses sensors on switches and hosts to collect flow data at high speed in the data center. The sensors annotate the data with host-specific information, called context information, which is sent to the Tetration cluster for analytics. Most deployments have a BIG-IP in the data center acting as a proxy, so each flow is split into multiple flows and the context information is lost. The BIG-IP integration with Cisco Tetration provides complete end-to-end flow visibility for applications running in the data center.

 

 


 

With the F5 BIG-IP and Cisco Tetration integration, BIG-IP customers can enhance Tetration Analytics visibility by adding iRules to the virtual server.

 

How do I use Tetration with BIG-IP?

You need to configure BIG-IP with a log publisher and an IPFIX pool, and use TCP or UDP iRules to intercept the application traffic at various events. The IPFIX template on BIG-IP is created by the iRules and sent to the F5 Tetration Sensor, which in turn forwards the flow details to the Tetration cluster. The cluster shows the flow information in the Related Flow tab, which helps operations staff troubleshoot problems and see the complete flow even though a BIG-IP proxy sits in the path. For details on configuring BIG-IP for flow stitching, refer to https://github.com/f5devcentral/f5-tetration
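As an added illustration (not code from this article or from the f5-tetration repository), the Python example below decodes an IPFIX template and data record the way a collector would (RFC 7011) and splits the record into its client-side and server-side tuples. The field selection (standard IANA elements, with the postNAT/postNAPT elements standing in for the server side) and every address are assumptions constructed for the example; the actual BIG-IP template is whatever the iRules in the repository define.

```python
import socket
import struct

# IANA IPFIX information elements used by the constructed template below.
IES = {4: "protocolIdentifier", 7: "sourceTransportPort", 8: "sourceIPv4Address",
       11: "destinationTransportPort", 12: "destinationIPv4Address",
       225: "postNATSourceIPv4Address", 226: "postNATDestinationIPv4Address",
       227: "postNAPTSourceTransportPort", 228: "postNAPTDestinationTransportPort"}

def parse_ipfix(msg, templates):
    """Decode one IPFIX message (RFC 7011); fixed-length IANA fields only."""
    version, length = struct.unpack("!HH", msg[:4])
    if version != 10 or length != len(msg):
        raise ValueError("not a well-formed IPFIX message")
    records, off = [], 16                      # sets start after the 16-byte header
    while off + 4 <= length:
        set_id, set_len = struct.unpack("!HH", msg[off:off + 4])
        if set_len < 4 or off + set_len > length:
            raise ValueError("bad set length")
        body = msg[off + 4:off + set_len]
        if set_id == 2:                        # template set: learn the record layout
            tid, count = struct.unpack("!HH", body[:4])
            templates[tid] = [struct.unpack("!HH", body[4 + 4 * i:8 + 4 * i]) for i in range(count)]
        elif set_id >= 256 and set_id in templates:   # data set for a known template
            rec_len, pos = sum(n for _, n in templates[set_id]), 0
            while rec_len and pos + rec_len <= len(body):
                rec = {}
                for ie, n in templates[set_id]:
                    raw, name = body[pos:pos + n], IES.get(ie, str(ie))
                    rec[name] = socket.inet_ntoa(raw) if "IPv4" in name else int.from_bytes(raw, "big")
                    pos += n
                records.append(rec)
        off += set_len                         # data sets without a template are skipped
    return records

def build_sample():
    """Constructed message: template 256 plus one record for a proxied connection."""
    fields = [(8, 4), (7, 2), (12, 4), (11, 2), (4, 1), (225, 4), (227, 2), (226, 4), (228, 2)]
    tmpl = struct.pack("!HH", 256, len(fields)) + b"".join(struct.pack("!HH", *f) for f in fields)
    ip = socket.inet_aton
    data = struct.pack("!4sH4sHB4sH4sH", ip("198.51.100.7"), 51514, ip("203.0.113.10"), 443, 6,
                       ip("10.1.20.5"), 40122, ip("10.1.20.31"), 8443)
    sets = struct.pack("!HH", 2, 4 + len(tmpl)) + tmpl + struct.pack("!HH", 256, 4 + len(data)) + data
    return struct.pack("!HHIII", 10, 16 + len(sets), 0, 0, 1) + sets

def stitch(rec):
    """Return the client-side and server-side (src, sport, dst, dport) tuples."""
    client, server = (8, 7, 12, 11), (225, 227, 226, 228)
    return tuple(rec[IES[k]] for k in client), tuple(rec[IES[k]] for k in server)
```

Because both halves of the proxied connection arrive in one record, the collector can relate the client-to-virtual-server flow to the BIG-IP-to-pool-member flow without guessing from timing.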

 

 


 

 

After the F5 BIG-IP IPFIX Collector Appliance is deployed, a “Related Flow” option is available in the Tetration Flow Search panel.

 


 

What is Policy Enforcement?

Tetration can map an application as it runs on the network. It performs workload behavior analysis and looks at characteristics of workloads such as: Do they run similar processes? Do they open similar ports? What kind of neighbors do they talk to? Are they part of the same service? All of this information is used to build a proper map of the application and create a whitelist policy, which can be pushed to BIG-IP through the Tetration cluster. Based on the policy defined in Tetration, the enforcement agent can translate it into L4 firewall rules and update F5 BIG-IP AFM (Advanced Firewall Manager) using the REST API. This extends policy enforcement from the host level to the L4-L7 ADC device, allowing an administrator to build a truly zero-trust data center model.
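The translation step described above, as an added Python example (not code from Tetration, the enforcement agent, or F5): a group-based whitelist is expanded into ordered L4 rules that end in an explicit deny, then checked against sample connections. The inventory, policy tuples, and rule dictionary layout are hypothetical and constructed for illustration; they are not Tetration's export format or the AFM REST schema.

```python
import ipaddress

# Constructed inventory and allow-list; hypothetical layout for illustration only.
INVENTORY = {"web": ["10.1.10.0/28"], "app": ["10.1.20.5", "10.1.20.6"], "db": ["10.1.30.9"]}
POLICY = [("web", "app", "tcp", 8443), ("app", "db", "tcp", 5432)]
ANY = [ipaddress.ip_network("0.0.0.0/0")]

def translate(policy, inventory):
    """Expand group-based allow entries into ordered L4 rules ending in a catch-all deny."""
    rules = []
    for consumer, provider, proto, port in policy:
        if proto not in ("tcp", "udp") or not 1 <= port <= 65535:
            raise ValueError(f"invalid protocol/port: {proto}/{port}")
        rules.append({
            "name": f"allow_{consumer}_to_{provider}_{proto}_{port}",
            "action": "accept", "proto": proto, "port": port,
            # An unknown group raises KeyError, so a typo never widens the policy.
            "src": [ipaddress.ip_network(a) for a in inventory[consumer]],
            "dst": [ipaddress.ip_network(a) for a in inventory[provider]],
        })
    # Whitelist model: anything not explicitly allowed is dropped.
    rules.append({"name": "default_deny", "action": "drop",
                  "proto": None, "port": None, "src": ANY, "dst": ANY})
    return rules

def evaluate(rules, src, dst, proto, port):
    """First-match evaluation of one connection; returns (action, rule name)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (r["proto"] in (None, proto) and r["port"] in (None, port)
                and any(s in n for n in r["src"]) and any(d in n for n in r["dst"])):
            return r["action"], r["name"]
    return "drop", "implicit"
```

With this policy a web host reaches the app tier on 8443, but a direct web-to-database connection falls through to `default_deny`, which is the behavior a whitelist pushed to the firewall is meant to guarantee.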

 

 


 

To learn more, visit:

Cisco Tetration F5 BIG-IP Solution Brief 


Comments
SWJO
Cirrostratus

Hi

 

You did nice work!

 

I have some questions.

 

1. Is the F5 BIG-IP IPFIX collector a new product, or just an appliance type?

2. How does the ADC send traffic data to the IPFIX collector? Using a mirror or a clone pool?

3. In the picture in "application telemetry", the client and server send data to Cisco Tetration. Do both units have to install something, or does it just express that both units' data is going to Tetration?

Sanjay_Shitole
F5 Employee

Hi swjo,

Please see my comments below.

1. F5 BIG-IP IPFIX collector is something new product? or just appliance type?

Ans: The F5 BIG-IP IPFIX collector is not a new product. You can use the same existing BIG-IP or BIG-IP VE to send IPFIX traffic to an F5 Tetration Sensor (which is a new IPFIX collector built by Cisco Tetration).

2. How does ADC send traffic data to IPFIX collector? using mirror or clone pool?

Ans: It uses a separate data pool to send the data. You need to create a separate IPFIX pool, which is in the data plane. You can find more details using this article.

3. picture in "application telemetry" client and server send data to Cisco tetration, does both unit have to install something?

Ans: Yes, typically you will have a Tetration Sensor installed on the client and server, which will send more detailed information such as processes running on your system, packets out, security events, etc. For more details, please refer to Cisco Tetration.

 

Saul_Andres_Riv
Altostratus

Hi Sanjay Shitole

I have tried the step-by-step indicated in the article but I have not succeeded.

I downloaded the iRule found in Github, I associated it with a Virtual Server where I have a web application and it doesn't send data.

https://github.com/f5devcentral/f5-tetration

 

My version of TMOS is 12.1.4.1

Will you know if I have to perform any additional process?

Thank you.

regards

Sanjay_Shitole
F5 Employee

Hi Saul,

What type of virtual server are you using? If it's TCP, please use https://github.com/f5devcentral/f5-tetration/blob/master/irules/Tetration_TCP_L4_ipfix.tcl out of these 3 iRules. Also, you can use the script to automatically upload and configure the iRules for you. You can check the Protocol option of the virtual server to confirm.

Saul_Andres_Riv
Altostratus

Hi Sanjay Shitole

Yes, my virtual server is TCP and I am using that iRule. Being a web application, I also used the HTTP iRule.

On the other hand, I used the script for the automatic process from my Mac but in none of the 3 cases it worked for me.

If you have any other suggestions, I would appreciate it.

regards

louis
Nimbostratus

May I know the performance impact of enabling IPFIX on BigIP? Can any reference data or lab data be shared?

Version history
Last update: 09-Jul-2019 14:53