Cisco Tetration - Hands-On Lab
Appendix: Legacy Alternative Policy
Recent advancements in algorithmic efficiency have made possible the type of policy shown throughout this lab. What was computationally prohibitive until recently is now practical, and that makes policy creation and ongoing operationalization much simpler.
A simple example of this algorithmic efficiency is the deceptively simple ability to use the boolean NOT operator. Take for instance the case where someone wishes to categorize the big bad Internet, in all its hugeness. The current routing table (as of this writing) is nearing half a million prefixes and can be viewed by going to the Looking Glass Project.
Previously, if you wished to represent or categorize this in Tetration, you could use the Root Scope, which essentially equated to your Tenant VRF ID. It represented the whole of the Internet prefix space, but it also represented your own internal corporate prefixes, which (generally speaking) fell into the RFC1918 category. While this worked fine from the perspective of the policy it generated for the end-host workload built-in firewalls, it certainly didn't make policy terribly easy to read.
While it would seem that the type of policy we use today should have been perfectly fine to use then, such as a Filter we might call "Internet" consisting of a query like 'Scope=Root' AND NOT 'RFC1918' (where RFC1918 was either another Filter or the enumerated RFC1918 space: 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16), the problem was that doing so imposed an unnecessary burden, both on the computation itself and in the overwhelming number of IP prefixes that would then need to be programmed into endpoint workload firewalls.
We could compensate for this with creative, appropriately named filters, but it usually also meant we had to use some creative policy as a workaround. Today, thanks to the aforementioned efficiencies, we no longer have those impositions, and filters such as the previous example of 'Scope=Root' AND NOT 'RFC1918' are perfectly acceptable; indeed, this caused us to go back and re-record all of our policy videos to show this preferred method of policy creation.
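To make the "prefix burden" concrete, here is an added example (not part of the lab or of Tetration's own code) that expands a filter of the form 'Scope=Root' AND NOT 'RFC1918' into the positive CIDR list a host firewall would actually have to be programmed with. It uses only Python's standard ipaddress module; the function names are hypothetical, and for illustration the Root Scope is modelled as all of IPv4 (0.0.0.0/0), which is an assumption, since in Tetration the Root Scope is the tenant VRF rather than literally the whole address space.

```python
import ipaddress
from typing import Iterable, List

# Constructed inputs for this illustration. Root is modelled as the entire IPv4
# space (an assumption: Tetration's Root Scope is the tenant VRF, not 0.0.0.0/0).
ROOT = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def subtract_prefixes(base: ipaddress.IPv4Network,
                      excluded: Iterable[ipaddress.IPv4Network]) -> List[ipaddress.IPv4Network]:
    """Return the minimal CIDR list covering `base` minus every network in `excluded`.

    A NOT in a filter has to be expanded into positive prefixes like this before
    it can be pushed to a workload firewall that only understands allow/deny on
    explicit prefixes. Two CIDR blocks are either disjoint or nested, so three
    cases cover everything.
    """
    remaining = [base]
    for ex in excluded:
        next_round = []
        for net in remaining:
            if net.subnet_of(ex):
                continue  # wholly inside the excluded block: drop it
            if ex.subnet_of(net):
                # the hole is inside this block: split into the sibling prefixes around it
                next_round.extend(net.address_exclude(ex))
            else:
                next_round.append(net)  # disjoint: keep unchanged
        remaining = next_round
    # collapse_addresses merges any adjacent, aligned prefixes back together
    return sorted(ipaddress.collapse_addresses(remaining))


def covers(prefixes: Iterable[ipaddress.IPv4Network], ip: str) -> bool:
    """True if `ip` falls inside any prefix of the expanded filter."""
    addr = ipaddress.ip_address(ip)
    return any(addr in p for p in prefixes)


def coverage_gap_free(prefixes: Iterable[ipaddress.IPv4Network],
                      excluded: Iterable[ipaddress.IPv4Network]) -> bool:
    """Sanity check: the result plus the excluded space must add up to exactly ROOT."""
    total = sum(p.num_addresses for p in prefixes) + sum(e.num_addresses for e in excluded)
    return total == ROOT.num_addresses


if __name__ == "__main__":
    internet = subtract_prefixes(ROOT, RFC1918)
    print(f"'Root AND NOT RFC1918' expands to {len(internet)} prefixes:")
    for p in internet:
        print("  ", p)
```

Three small excluded blocks already turn one filter line into 31 distinct prefixes per workload, and every additional NOT term in a query multiplies that fan-out; that is the cost the text describes, and it is why the older approach avoided negation and why newer releases compute it centrally instead of pushing the expansion to every host.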
That being said, we thought there would inevitably be some older legacy versions of Tetration deployed in various on-prem locations, and felt that for that reason it warranted this section, which shows videos highlighting those older, and sometimes merely alternative, ways of creating policy and going into enforcement. While we don't have any plans to turn any of these videos into detailed step-by-step screenshots and corresponding instructions, we nevertheless provide them here for your benefit, or perhaps simple amusement.
At any rate, enjoy.
nopCommerce Enforcement (includes Global and Common enforcement)
AWS Lambda when run from within a VPC