Cisco Tetration Analytics G1 White Paper
© 2016 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 2 of 12
● How to monitor live traffic in nearly real time to detect:
  ◦ Permitted traffic
  ◦ Mistakenly dropped traffic
  ◦ Escaped traffic
  ◦ Dropped traffic
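As an added example (not code from the Cisco white paper), the following Python sketch shows how the four categories above fall out of comparing intended policy with what the fabric actually did with each flow. The intent rule format, the flow records and the interpretation of the categories (permitted = intent allow and forwarded; mistakenly dropped = intent allow but dropped; escaped = intent deny but forwarded; dropped = intent deny and dropped) are assumptions made here.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed intent policy: ordered rules, first match wins, implicit deny at the end.
@dataclass(frozen=True)
class Rule:
    src: str                 # source network (CIDR)
    dst: str                 # destination network (CIDR)
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"

INTENT = [
    Rule("10.1.0.0/24", "10.2.0.0/24", 443, "allow"),   # web tier -> app tier
    Rule("10.2.0.0/24", "10.3.0.0/24", 5432, "allow"),  # app tier -> db tier
    Rule("0.0.0.0/0", "10.3.0.0/24", None, "deny"),     # nothing else may reach db tier
]

def intended_action(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return the action the business intent prescribes for this flow."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in INTENT:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and (r.dst_port is None or r.dst_port == dst_port)):
            return r.action
    return "deny"  # implicit default deny when no rule matches

def classify(src_ip: str, dst_ip: str, dst_port: int, observed: str) -> str:
    """Compare intent with the observed fabric action ('forwarded' or 'dropped')."""
    if intended_action(src_ip, dst_ip, dst_port) == "allow":
        return "permitted" if observed == "forwarded" else "mistakenly dropped"
    return "escaped" if observed == "forwarded" else "dropped"

# Constructed sample of observed flow records: (src, dst, dst_port, fabric action).
OBSERVED = [
    ("10.1.0.5", "10.2.0.9", 443, "forwarded"),     # expected: permitted
    ("10.2.0.9", "10.3.0.2", 5432, "dropped"),      # expected: mistakenly dropped
    ("10.1.0.5", "10.3.0.2", 5432, "forwarded"),    # expected: escaped
    ("192.168.9.1", "10.3.0.2", 22, "dropped"),     # expected: dropped
]

def compliance_report(flows):
    """Bucket flows by category so misdrops and escapes can be reviewed first."""
    report = {"permitted": [], "mistakenly dropped": [], "escaped": [], "dropped": []}
    for src, dst, port, seen in flows:
        report[classify(src, dst, port, seen)].append((src, dst, port))
    return report

if __name__ == "__main__":
    for category, items in compliance_report(OBSERVED).items():
        print(f"{category:20} {len(items)} flow(s): {items}")
```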
Policy Compliance Use Cases
Automation has given the network operator a completely new level of flexibility in deploying cost-effective, scalable,
and maintainable data centers. However, with this approach the operator loses a direct relationship with the
underlying device hardware. Given the abstraction that comes with most automation, and configuration that in many
cases is generated by controllers (and may not even be human readable), how do administrators verify that their
requirements have truly been programmed into the hardware? Without an automated method to validate what is
actually happening, only the illusion of security may be in place, with vulnerabilities surfacing many months later,
after a critical issue has occurred.
However, large networks that are not explicitly policy based (that is, standalone network architectures) face the same
issue. In this case, though, the responsibility for rendering the business and security policy (there is always a
logical policy that a data center attempts to follow) is in the hands of the network team. This team usually must
manually maintain a distributed set of distinct configuration files to deliver the desired end-to-end policy for the
network. The need to validate that the configuration is working correctly and that the security policies are accurate
is the same.
Figure 1 shows both approaches.
Figure 1. The Same Business Intent Rendered Using a Controller-Based Approach and Using an Operator-Guided Approach