Cisco Tetration Analytics, Release , Release Notes

Transcription

1 Cisco Tetration Analytics, Release , Release Notes This document describes the features, caveats, and limitations for the Cisco Tetration Analytics software. The Cisco Tetration Analytics platform is designed to address number of data center operational and security challenges comprehensively using rich traffic telemetry collected from both servers and Cisco Nexus switches. The platform performs advanced analytics using an algorithmic approach and enforces a consistent whitelist policy for applications. This algorithmic approach includes unsupervised machine-learning techniques and behavioral analysis. The platform provides a ready-to-use solution supporting the following use cases: Provide behavior-based application insight to implement automated whitelist policy Provide automated application segmentation to enable efficient and secure zero-trust deployment Provide consistent policy enforcement across on-premises data centers and private and public clouds Identify process behavior deviations and software vulnerabilities and exposure to reduce attack surface Identify application behavior changes and policy compliance deviations in near-real time Support comprehensive telemetry processing in a heterogeneous environment to provide actionable insight within minutes Comprehensive network performance metrics based on the telemetry collected from both switches and the servers Enable long-term data retention for deep forensics, analysis, and troubleshooting To support the analysis and various use cases within the Cisco Tetration Analytics platform, consistent telemetry is required from across the data center infrastructure. Rich Cisco Tetration Analytics telemetry is collected using sensors. There are two types of sensors in this release: hardware and software (host). With these two types of sensors, this solution is designed to support both existing (brownfield) and new (greenfield) data center infrastructures. Software (host) sensors can be installed on any end host (virtualized or bare metal) servers. These sensors act as the enforcement point for the application segmentation policy that the platform generates. Using this approach, the Cisco Tetration Analytics platform provides consistent enforcement across public, private, and on-premises deployments. Sensors enforce the policy using native operating system capabilities, thereby eliminating the need for the sensor to be in the data path and providing a fail-safe option.additional product documentation is listed in the "Related Documentation" section. The release notes are sometimes updated with new information about restrictions and caveats. See the following website for the most recent version of this document: Table 1 shows the online change history for this document. Table 1 Online History Change Date April 19, 2018 Description Release became available. Cisco Systems, Inc. 1

2 Contents Contents This document includes the following sections: New and Changed Information Caveats Compatibility Information Usage Guidelines Related Documentation New and Changed Information This section lists the new and changed features in this release and includes the following topics: New Software Features New Software FeaturesThe following new software features are available in this release: Full visibility and policy enforcement support extended to include containers as a Beta functionality in this release. This release supports software sensors for the following container host OS version: Red Hat Enterprise Linux Release 7.1, 7.2, 7.3, 7.4 CentOS Release 7.1, 7.2, 7.3, 7.4 Ubuntu Release Kubernetes integration is required for container enforcement and proper visibility Support is added for Netflow v9/ipfix records-based Cisco Tetration Analytics telemetry generation. This feature: Augments telemetry from parts of the network where software or hardware sensors are not feasible. Supports Netflow v9 or IPFIX. NetFlow sensor cannot be deployed on any VM. It should be deployed on a VM created from the signed NetFlow OVA. Configuration change is not supported for NetFlow Sensor. Other software sensor related updates in this release: All deep visibility software agents now invoke a secondary executable called "tet-worker." This new executable handles gathering of process information and improves privileges separation. If the forensics feature is enabled, the tet-sensor and tet-worker will each be allowed to use up to the configured CPU usage threshold. If forensics feature is disabled, by default, each will be allowed to use 3% of one core only. Windows Only: The agent now exports all known processes so as to provide complete process trees, but "protected" processes will have some fields missing as they are inaccessible from the agent. Such processes report the system boot-up time in place of uptime. Process ID lookup (associating network flows with running processes) are supported for both Linux and Windows. There are no guarantees that all flows will be populated with process information. When Process ID lookup feature is off, sometimes the processes are still visible for the flows due to backend doing best-effort heuristic. Linux Only: Side-channel attack detection (Spectre or Meltdown) can be enabled on supported kernels by adding "sidechannel_enable: true" to the sensor config file. Note that this feature is experimental and should be tested before deployment in a production environment. Windows Only: If Wireshark is also capturing the packets, then pcap driver will report duplicate packets and byte count for transmitted ICMP/TCP/UDP packets. Sensor Upgrade changes in this release: Enabled/disable auto upgrade option in "Software Agent Config" page decides the upgrade behavior for agents in for software agents. Auto upgrade on/off organization wide option on Company page is removed in

3 New and Changed Information For ERSPAN, Netflow, Citrix Netscalar, and F5 auto upgrade option in Default Agent Profile (catch all profile) is applicable. Software upgrades are not supported for Universal Visibility Agents. Hardware agents are always auto upgraded. The following workload protection features are included in this release: Process snapshot view to provide tree view of all the server process executed on the server Identify process behavior deviations to capture: Privilege escalation Shell code execution Raw socket creation Side channel attacks Side channel meltdown Unseen command User logon failures Configure process related forensic events, severity and scope to which the events should be associated by using one or more of behavior deviations. Discover all the software packages installed on the server including version and distributor information. Identify if any of the software version has known vulnerabilities and exposures by using known CVE database that is included in this release. Provide details about the CVEs including CVE score and severity. Inventory search extended to include search based on CVE ID, CVE score and package information. Create inventory filters using CVE ID, CVE score and package information. Use these inventory filters to define policies to restrict or quarantine workloads. External orchestrator integration extended to support Kubernetes and Openshift for container visibility and policy enforcement. Information from Kubernetes and Openshift is used as annotation which can be used in flow search and also in policy definitions. When a Kubernetes service that has node ports in the provider inventory filter of multiple policies, some with an ALLOW action and others with a DENY action, the ALLOW policy must have higher priority, otherwise the ALLOW action won t be effective. Kubernetes services matching an inventory filter do not appear in the UI. They still function properly for enforcement purposes. Kubernetes Golden Rules UI accepts hostnames for services to be added in the golden rules, but they are not applied. Only IPv4 addresses are supported. Enforcement agents running on Kubernetes hosts have to be configured with the preserve rules option enabled. Look out app to add additional annotations and generate alerts based on these annotations. This app is automatically enabled on root scopes (up to 10 root scopes). This app will add inventory annotations based on UAS fetched IP blacklist data. This app will also alert on flows containing user added lookout annotation tags. Neighborhood graph externsions to define alerts based on SRTT measurements, cluster membership count and number of hops information. Other enhancements to neighborhood graphs include: Neighborhood App now incorporates clusters and filters from Live Analysis profile Neighborhood now runs in continuous mode rather than latest batch mode Compliance, Neighborhood, and Fabric alerts now support summary alert options, allowing the user to roll-up alerts to a less frequent interval than originally generated. Updates on CMDB uploads: There is a limit of 1.5 million IP addresses with associated tags per root scope; and a limit of 30K subnets with associated annotations per root scope in The Cisco Tetration Analytics platform uses rich dataplane telemetry from hardware sensors to provide Network Performance, Monitoring and Diagnostics capability, on ACI fabric. Following NPMD enhancements are implemented in this release: Burst detection Correlating traffic burst to packet drops Define alerts based on latency, packet drop indicators, traffic throughput and burst information Network Topology visualization and drill down for these new metrics Time-series view for all the performance indicators including network topology The Cisco Tetration Analytics platform flow search capabilities extended to provide related flow information when traffic goes through a load balancer such as Netscaler or F5. This requires IPFIX export from Netscaler or F5 loadbalancers. The Cisco Tetration Analytics platform now provides application whitelist policy information through Kafka message bus. Northbound systems can subscribe to this policy information and use it for enforcement through other mechanisms. Data platform updates: 3

4 New and Changed Information Datasinks: Datasinks created previous releases of Cisco Tetration Analytics will not work on Data platform admin can delete and create new Datasinks in Compliance App Key ID has changed to incorporate trigger conditions. If snooze is setup for certain alerts those may have to set again. Double-enter no longer required in Alert Configuration Modal when configuring compliance alerts. Data Platform has migrated from tenant to root scope based. Shared data and app data will be root scope based. Internal Kafka cluster now supports a feature called "Managed Data Taps" (MDTs) An "Alerts" MDT is automatically created for each root scope. This Alerts MDT can be used for sending alerts to, in place of, or in addition to prior external Data Taps. User authorization now supported using active directory role names User authentication support extended to support single sign-on using SAML 2.0 The Cisco Tetration Analytics hardware appliance can now be enabled to send syslog messages for server hardware related events and software Bosun alerts. The Cisco Tetration Analytics platform now provides license usage information based on number of software sensors, hardware sensors, ERSPAN and Netflow sensors. The Cisco Tetration Analytics platform by default is enabled to send platform statistics to Cisco for troubleshooting, maintenance and other analysis. This does not include any personally identifiable information or any information about any of the customer workloads. The Cisco Tetration Analytics virtual appliance model is extended to run on customer provided hardware in a VMWare ESXi based environment. Virtual appliance specifications can be found in the Cisco Tetration Analytics platform datasheet - The following new software features are available in this release: Full visibility and policy enforcement support extended to include containers as a Beta functionality in this release. This release supports software sensors for the following container host OS version: Red Hat Enterprise Linux Release 7.1, 7.2, 7.3, 7.4 CentOS Release 7.1, 7.2, 7.3, 7.4 Ubuntu Release Kubernetes integration is required for container enforcement and proper visibility Support is added for Netflow v9/ipfix records-based Cisco Tetration Analytics telemetry generation. This feature: Augments telemetry from parts of the network where software or hardware sensors are not feasible. Supports Netflow v9 or IPFIX. NetFlow sensor cannot be deployed on any VM. It should be deployed on a VM created from the signed NetFlow OVA. Configuration change is not supported for NetFlow Sensor. Other software sensor related updates in this release: All deep visibility software agents now invoke a secondary executable called "tet-worker." This new executable handles gathering of process information and improves privileges separation. If the forensics feature is enabled, the tet-sensor and tet-worker will each be allowed to use up to the configured CPU usage threshold. If forensics feature is disabled, by default, each will be allowed to use 3% of one core only. Windows Only: The agent now exports all known processes so as to provide complete process trees, but "protected" processes will have some fields missing as they are inaccessible from the agent. Such processes report the system boot-up time in place of uptime. Process ID lookup (associating network flows with running processes) are supported for both Linux and Windows. There are no guarantees that all flows will be populated with process information. When Process ID lookup feature is off, sometimes the processes are still visible for the flows due to backend doing best-effort heuristic. Linux Only: Side-channel attack detection (Spectre or Meltdown) can be enabled on supported kernels by adding "sidechannel_enable: true" to the sensor config file. Note that this feature is experimental and should be tested before deployment in a production environment. Windows Only: If Wireshark is also capturing the packets, then pcap driver will report duplicate packets and byte count for transmitted ICMP/TCP/UDP packets. Sensor Upgrade changes in this release: Enabled/disable auto upgrade option in "Software Agent Config" page decides the upgrade behavior for agents in for software agents. Auto upgrade on/off organization wide option on Company page is removed in

5 New and Changed Information For ERSPAN, Netflow, Citrix Netscalar, and F5 auto upgrade option in Default Agent Profile (catch all profile) is applicable. Software upgrades are not supported for Universal Visibility Agents. Hardware agents are always auto upgraded. The following workload protection features are included in this release: Process snapshot view to provide tree view of all the server process executed on the server Identify process behavior deviations to capture: Privilege escalation Shell code execution Raw socket creation Side channel attacks Side channel meltdown Unseen command User logon failures Configure process related forensic events, severity and scope to which the events should be associated by using one or more of behavior deviations. Discover all the software packages installed on the server including version and distributor information. Identify if any of the software version has known vulnerabilities and exposures by using known CVE database that is included in this release. Provide details about the CVEs including CVE score and severity. Inventory search extended to include search based on CVE ID, CVE score and package information. Create inventory filters using CVE ID, CVE score and package information. Use these inventory filters to define policies to restrict or quarantine workloads. External orchestrator integration extended to support Kubernetes and Openshift for container visibility and policy enforcement. Information from Kubernetes and Openshift is used as annotation which can be used in flow search and also in policy definitions. When a Kubernetes service that has node ports in the provider inventory filter of multiple policies, some with an ALLOW action and others with a DENY action, the ALLOW policy must have higher priority, otherwise the ALLOW action won t be effective. Kubernetes services matching an inventory filter do not appear in the UI. They still function properly for enforcement purposes. Kubernetes Golden Rules UI accepts hostnames for services to be added in the golden rules, but they are not applied. Only IPv4 addresses are supported. Enforcement agents running on Kubernetes hosts have to be configured with the preserve rules option enabled. Look out app to add additional annotations and generate alerts based on these annotations. This app is automatically enabled on root scopes (up to 10 root scopes). This app will add inventory annotations based on UAS fetched IP blacklist data. This app will also alert on flows containing user added lookout annotation tags. Neighborhood graph externsions to define alerts based on SRTT measurements, cluster membership count and number of hops information. Other enhancements to neighborhood graphs include: Neighborhood App now incorporates clusters and filters from Live Analysis profile Neighborhood now runs in continuous mode rather than latest batch mode Compliance, Neighborhood, and Fabric alerts now support summary alert options, allowing the user to roll-up alerts to a less frequent interval than originally generated. Updates on CMDB uploads: There is a limit of 1.5 million IP addresses with associated tags per root scope; and a limit of 30K subnets with associated annotations per root scope in The Cisco Tetration Analytics platform uses rich dataplane telemetry from hardware sensors to provide Network Performance, Monitoring and Diagnostics capability, on ACI fabric. Following NPMD enhancements are implemented in this release: Burst detection Correlating traffic burst to packet drops Define alerts based on latency, packet drop indicators, traffic throughput and burst information Network Topology visualization and drill down for these new metrics Time-series view for all the performance indicators including network topology The Cisco Tetration Analytics platform flow search capabilities extended to provide related flow information when traffic goes through a load balancer such as Netscaler or F5. This requires IPFIX export from Netscaler or F5 loadbalancers. The Cisco Tetration Analytics platform now provides application whitelist policy information through Kafka message bus. Northbound systems can subscribe to this policy information and use it for enforcement through other mechanisms. Data platform updates: 5

6 Caveats Datasinks: Datasinks created previous releases of Cisco Tetration Analytics will not work on Data platform admin can delete and create new Datasinks in Compliance App Key ID has changed to incorporate trigger conditions. If snooze is setup for certain alerts those may have to set again. Double-enter no longer required in Alert Configuration Modal when configuring compliance alerts. Data Platform has migrated from tenant to root scope based. Shared data and app data will be root scope based. Internal Kafka cluster now supports a feature called "Managed Data Taps" (MDTs) An "Alerts" MDT is automatically created for each root scope. This Alerts MDT can be used for sending alerts to, in place of, or in addition to prior external Data Taps. User authorization now supported using active directory role names User authentication support extended to support single sign-on using SAML 2.0 The Cisco Tetration Analytics hardware appliance can now be enabled to send syslog messages for server hardware related events and software Bosun alerts. The Cisco Tetration Analytics platform now provides license usage information based on number of software sensors, hardware sensors, ERSPAN and Netflow sensors. The Cisco Tetration Analytics platform by default is enabled to send platform statistics to Cisco for troubleshooting, maintenance and other analysis. This does not include any personally identifiable information or any information about any of the customer workloads. The Cisco Tetration Analytics virtual appliance model is extended to run on customer provided hardware in a VMWare ESXi based environment. Virtual appliance specifications can be found in the Cisco Tetration Analytics platform datasheet - Caveats This section contains lists of open and resolved caveats and known behaviors. Open Caveats Resolved Caveats Known Behaviors Open Caveats The following table lists the open caveats in this release. Click the bug ID to access the Bug Search Tool and see additional information about the bug. Table 2 Open Caveats Bug ID Description CSCvj03081 CSCvj03331 Container enforcement may fail if a custom rule is added inside a pod namespace. External Orchestrators configured using x might lose the hosts_list field upon upgrade to x images. Resolved Caveats The following table lists the resolved caveats in this release. Click the bug ID to access the Bug Search Tool and see additional information about the bug. 6

7 Compatibility Information Table 3 Resolved Caveats Bug ID CSCvi84545 CSCvi42657 CSCvh92115 CSCvj03179 Description VMware vcenter tagging is not associated with the VM's secondary IP address of the NIC. Windows deep visibility agents builds up the state leading to over consumption of memory over time. ADM is not able to associated flows with the granular correct child scope. Druid middle managers were removed with the patch. Known Behaviors This section describes the known behaviors in the this release. The Cisco Tetration Analytics software sensor on a Windows server will not be able to capture packets exchanged through the newly created network team interface, if team interface is created after the npcap driver is already started. In this scenario use the following workaround: From administrative command shell, issue the following commands: 1) > net stop windowstetengine 2) > net stop npcap 3) > net start npcap 4) > net start windowstetengine. When using hardware sensor in Cisco Nexus 93180YC-EX, 93108TC-EX, 93180LC-EX, 93180YC-FX, and 93108TC-FX switches in Cisco ACI or Cisco NX-OS mode, flow duration in Cisco Tetration Analytics may show a negative value or incorrect value because of a switch registry configuration bug. See the Cisco ACI bug ID CSCvg34735 and NX-OS bug ID CSCvg31652 for more information and a resolution. Cisco Nexus 9000 series switches can support up to 32K or 64K flows per switch or line card depending on switch type. However, hash collisions can occur at a lower rate, thus resulting in some flows being not reported or flow state not being updated correctly. The Cisco Tetration Analytics software uses more compute to deal with such scenarios, which may reduce the overall supported ingest flow rate. When user submits an ADM run, depending on the number of endpoints in the scope associated with the ADM workspace as well as the chosen time range, ADM jobs can take up to 12 hours to finish. In such scenarios of long running ADM jobs, the progress bar indicator is not a true reflection of ADM job s progress and can sometimes give an incorrect perception of job being 'stuck'. Users are encouraged to be patient with long running ADM jobs. For inventory tags, uploading a CSV file with only IP addresses and no other attributes, or setting an inventory tag without setting the "attributes" field in the payload is not supported and can result in attributes not being indexed. If such scenario occurs use the workaround below to recover: Download annotations for the scope. Clear existing annotations for the scope. Upload again the downloaded CSV after making sure that it contains a minimum of two columns (one of them being IP address). Searching for orchestrator tags in the UI (starting with the letters or ) gets auto-completed to the OR operator instead. Workaround is to search for tags by starting with 'ch' rather than 'or'. If a Cisco Tetration Analytics cluster is in an unhealthy state for an extended period of time, then there's a potential of losing data during the period for which cluster was in an unhealthy state. Any data collected prior to the cluster going into this unhealthy state is retained. Compatibility Information The software sensors in release supports the following operating systems (virtual machines and bare-metal servers) for legacy deep visibility and deep visibility: Linux: CentOS-5.x: 5.1 to 5.11 CentOS-6.x: 6.1 to 6.9 CentOS-7.x: 7.0, 7.1, 7.2, 7.3 and 7.4 Redhat Enterprise Linux-5.x: 5.1 to 5.11 Redhat Enterprise Linux-6.x: 6.1 to 6.8 Redhat Enterprise Linux-7.x: 7.0, 7.1, 7.2, 7.3 and 7.4 OracleLinuxServer-6.x: 6.5 7

8 Compatibility Information OracleLinuxServer 7.0, 7.1, 7.2, 7.3 and 7.4 SUSE Linux-11.x: 11.2, 11.3, and 11.4 SUSE Linux-12.x: 12.0, 12.1 and 12.2 Ubuntu Unbuntu and Ubuntu Windows Server (64-bit): Windows Server 2008 Datacenter Windows Server 2008 Enterprise Windows Server 2008 Essentials Windows Server 2008 Standard Windows Server 2008R2 Datacenter Windows Server 2008R2 Enterprise Windows Server 2008R2 Essentials Windows Server 2008R2 Standard Windows Server 2012 Datacenter Windows Server 2012 Enterprise Windows Server 2012 Essentials Windows Server 2012 Standard Windows Server 2012R2 Datacenter Windows Server 2012R2 Enterprise Windows Server 2012R2 Essentials Windows Server 2012R2 Standard Windows Server 2016 Standard Windows Server 2016 Essentials Windows Server 2016 Datacenter Windows VDI desktop Client: Microsoft Windows 7 Microsoft Windows 7 Pro Microsoft Windows 7 Home Microsoft Windows 7 Enterprise Microsoft Windows 8 Microsoft Windows 8 Pro Microsoft Windows 8 Home Microsoft Windows 8 Enterprise Microsoft Windows 8.1 Microsoft Windows 8.1 Pro Microsoft Windows 8.1 Home Microsoft Windows 8.1 Enterprise Microsoft Windows 10 Microsoft Windows 10 Pro Microsoft Windows 10 Home Microsoft Windows 10 Enterprise This release also supports the following container host OS version for full visibility: Red Hat Enterprise Linux Release 7.1, 7.2, 7.3, 7.4 CentOS Release 7.1, 7.2, 7.3, 7.4 Ubuntu Release The release supports the following operating systems for the policy enforcement add-on capability: Linux: CentOS-6.x: 6.1 to 6.9 CentOS-7.x: 7.0, 7.1, 7.2, 7.3 and 7.4 Redhat Enterprise Linux-6.x: 6.1 to 6.9 Redhat Enterprise Linux-7.x: 7.0, 7.1, 7.2, 7.3 and 7.4 SUSE Linux-11.x: 11.2, 11.3, and 11.4 SUSE Linux-12.x: 12.0, 12.1 and

9 Compatibility Information OracleLinuxServer-6.x: 6.0 to 6.9 OracleLinuxServer 7.0, 7.1, 7.2, 7.3 and 7.4 Ubuntu and Ubuntu Windows Server (64-bit): Windows Server 2008 Datacenter Windows Server 2008 Enterprise Windows Server 2008 Essentials Windows Server 2008 Standard Windows Server 2008R2 Datacenter Windows Server 2008R2 Enterprise Windows Server 2008R2 Essentials Windows Server 2008R2 Standard Windows Server 2012 Datacenter Windows Server 2012 Enterprise Windows Server 2012 Essentials Windows Server 2012 Standard Windows Server 2012R2 Datacenter Windows Server 2012R2 Enterprise Windows Server 2012R2 Essentials Windows Server 2012R2 Standard Windows Server 2016 Standard Windows Server 2016 Essentials Windows Server 2016 Datacenter This release also supports the following container host OS version for policy enforcement: Red Hat Enterprise Linux Release 7.1, 7.2, 7.3, 7.4 CentOS Release 7.1, 7.2, 7.3, 7.4 Ubuntu Release The release supports the following operating systems for the universal visibility sensor : Linux 32-bit and 64-bit (CentOS 4.x, RHEL 4.x, CentOS 5.x, RHEL 5.x, etc.,) Windows Server (32-bit and 64-bit) Solaris 11 on x86 (64-bit) AIX 5.3, 6.1, 7.1 and 7.2 The release supports the following Cisco Nexus 9000 series switches in NX-OS and ACI mode: Table 4 Supported Cisco Nexus 9000 Series Switches in NX-OS and ACI Mode Product line Platform Minimum Software release Product line Platform Minimum Software release Cisco Nexus 9300 platform switches (NX-OS mode) Cisco Nexus 92160YC-X Cisco Nexus 93180YC-EX, 93108TC-EX, and 93180LC-EX Cisco Nexus 93180YC-FX, 93108TC-FX, and 9348GC-FXP Cisco NX-OS Release 7.0(3)I5(2) and later Cisco NX-OS Release 7.0(3)I5(2) and later Cisco NX-OS Release 7.0(3)I7(2) and later Cisco Nexus 9300 platform switches (ACI mode) Cisco Nexus 93180YC-EX, 93108TC-EX, and 93180LC-EX Cisco Application Centric Infrastructure (Cisco ACI ) Release 2.2(2e) and later Cisco Nexus 93180YC-FX, 93108TC-FX** Cisco ACI Release 2.3(1f) and later Cisco Nexus 9348GC-FXP Cisco ACI Release 3.0 and later Cisco Nexus 9500 series switches with N9K-X9736C-FX linecards only Cisco ACI Release 3.1 and later **Network performance features using hardware sensors is supported only in Cisco ACI mode with release 3.1 or later. 9

10 Usage Guidelines Usage Guidelines This section lists usage guidelines for the Cisco Tetration Analytics software. You must use the Google Chrome browser version or later to access the web-based user interface. This release supports the collection of telemetry and analytics from hardware sensors on Nexus 9300-EX switches. However, you must define the collection rules. After setting up your DNS, browse to the URL of your Cisco Tetration Analytics cluster: Verified Scalability Limits The following tables provide the scalability limits for Cisco Tetration (39-RU), Cisco Tetration-M (8-RU), and Cisco Tetration Cloud: Table 5 Scalability Limits for Cisco Tetration (39-RU) Configurable Option Number of workloads Flow features per second Number of hardware sensor enabled Cisco Nexus 9000 series switches Scale Up to 25,000 (VM or Baremetal) Up to 2 Million Up to 100 Note: Supported scale will always be based on which ever parameter reaches the limit first Table 6 Scalability Limits for Cisco Tetration-M (8-RU) Configurable Option Number of workloads Scale Up to 5,000 (VM or Baremetal) Flow features per second Up to 500,000 Number of hardware sensor enabled Cisco Nexus 9000 series switches Up to 100 Note: Supported scale will always be based on which ever parameter reaches the limit first Table 7 Scalability Limits for Cisco Tetration Virtual (Amazon Web Services or Microsoft Azure or VMWare ESXi) Configurable Option Number of workloads Scale Up to 1,000 (VM or Baremetal) Flow features per second Up to 200,000* Number of hardware sensor enabled Cisco Nexus 9000 series switches Not supported Note: Supported scale will always be based on which ever parameter reaches the limit first. Flow features per second scale is applicable only for AWS and Microsoft Azure deployments. Related Documentation The Cisco Tetration Analytics documentation can be accessed from the following websites: Tetration Analytics Platform Datasheet: 10

11 Related Documentation General Documentation: The documentation includes installation information and release notes. Table 8 Installation Documentation Document Cisco Tetration Analytics Cluster Deployment Guide Description Describes the physical configuration, site preparation, and cabling of a single- and dual-rack installation for Cisco Tetration (39-RU) platform and Cisco Tetration-M (8- RU). Cisco Tetration Cloud Deployment Guide Describes the deployment of Cisco Tetration Cloud in Amazon Web Services. Document Link: ation/b_tetration_cloud_setup.pdf Cisco Tetration Cluster Upgrade Guide Documentation Link: Document Link:

12 Related Documentation Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental Cisco Systems, Inc. All rights reserved. 12