Part 2: Sensor Deployment in Cisco Secure Workload (Cisco Tetration)


Cisco Tetration Analytics collects telemetry data using sensors and currently supports two types of sensors. Cisco Tetration Analytics platforms transmit the flow information in real time to both sensors.

Fig 1.1- Cisco Secure Workload with ISE

Software sensors:
Software sensors are installed on the servers (virtual machines or bare-metal servers).

  • For Linux and Windows server-based environments, Deep Visibility Agents are available. In addition to collecting telemetry, these sensors also act as policy enforcement points.
  • Deep Visibility Agents are complemented by Enforcement Agents, which provide all capabilities available to Deep Visibility Agents. Enforcement Agents can also set firewall rules on the host where they are installed.
  • When used with certain older operating systems, Universal Visibility Agents provide just the conversation view required to analyze applications and generate policies.

Hardware sensors:
Hardware sensors are embedded into the switch ASIC itself. They collect flow data at line rate from all the ports. Hardware sensors are built into Nexus 9000 (EX/FX/FX2) series switches.

Sensors communicate via IP to the Tetration collectors. Both hardware and software sensors accomplish this without impeding traffic and are not in the data path. Software sensors require TCP ports 443 and 5640/5660 for access to the collectors, and hardware sensors utilize UDP.

If the Tetration Analytics platform is placed behind a firewall, the following ports and protocols are required to support connectivity to and from the sensors and the collectors. A normal sensor requires two channels for communication: the control channel and the data channel.
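
A pre-deployment check for the software-sensor requirement above, as an added example (not from this article or from Cisco): it attempts a TCP connection from the workload to each collector on ports 443, 5640 and 5660 and separates silent drops from refusals. The collector addresses are constructed placeholders and the function names are this example's own; the hardware-sensor UDP path is not covered.

```python
import socket

# TCP ports the article lists for software sensors reaching the collectors.
SOFTWARE_SENSOR_TCP_PORTS = (443, 5640, 5660)


def probe(host, port, timeout=3.0):
    """Classify one TCP connection attempt from this workload to a collector."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.timeout:
        # No answer at all: typically a firewall silently dropping the SYN.
        return "filtered"
    except ConnectionRefusedError:
        # A reset came back: the host (or a rejecting firewall) answered,
        # but no connection was accepted on that port.
        return "refused"
    except OSError as exc:
        # Routing and name-resolution failures end up here.
        return f"error: {exc.strerror or exc}"


def check_collectors(collectors, ports=SOFTWARE_SENSOR_TCP_PORTS, timeout=3.0):
    """Return {(host, port): status} for every collector/port pair."""
    return {(h, p): probe(h, p, timeout) for h in collectors for p in ports}


def blocked(results):
    """Collector/port pairs that did not accept a connection."""
    return sorted(k for k, v in results.items() if v != "open")


if __name__ == "__main__":
    # Constructed placeholder addresses (TEST-NET-1); use your collector IPs.
    collectors = ["192.0.2.10", "192.0.2.11"]
    results = check_collectors(collectors)
    for (host, port), status in sorted(results.items()):
        print(f"{host}:{port:<5} {status}")
    if blocked(results):
        raise SystemExit(1)
```

A "filtered" result points at a firewall between the workload and the collector, while "refused" means the packet was answered and the listener or a reject rule should be checked instead.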

We will share more insight into Cisco Secure Workload in our next article soon. Stay tuned.