Cisco began shipping ACI in July 2014 and then announced a host of enhancements last June. This latest software drop also includes integration with Docker containers as well as ACI support for policy-based cloud automation with VMware vRealize Automation and OpenStack deployments.
With microsegmentation, users can dynamically enforce forwarding and security policies, as well as quarantine compromised endpoints based on virtual-machine or network attributes. The company has been delivering microsegmentation for the past three quarters with the Cisco Application Virtual Switch, says Srini Kotamraju, a Cisco director of product management.
“The news on the security front is we’re now extending that same functionality, the microsegmentation, to these new virtual and physical environments,” he says. Microsegmentation also allows organizations to isolate workloads within the same policy group through policy-based automation.
Microsegmentation for Microsoft Hyper-V switches is available now, while the VMware and bare-metal implementations will be available in the first quarter of next year.
With Cisco’s Application Policy Infrastructure Controller (APIC), which is an element of ACI, and Project Contiv, customers can now extend ACI into Docker container endpoints. Contiv, an open source project started by Cisco, is designed to define concepts of operational policies in the container environment, says Cisco Director of Product Management Mike Cohen. With Project Contiv, ACI policies can now be implemented across Linux kernel containers.
“Project Contiv includes a Docker networking plug-in that allows the containers to have networking configured to connect to our ACI fabric, and it also includes a layer that can speak directly to the APIC API using Contiv policy interfaces,” Cohen says. “We’re focused on Docker today, but we’re looking at Kubernetes, Mesos, and other solutions that are emerging in the market.”
With OpenStack and ACI, organizations get access to a fully distributed Neutron networking stack, including distributed switching, routing, and network address translation (NAT), using Cisco’s fabric and its OpFlex agent with the hypervisor. Cisco is extending ACI policy directly into the hypervisor using OpFlex on Open vSwitch (OVS). OpFlex provides the policy-based integration with OpenStack and APIC.
While ACI currently supports OpenStack’s Juno and Kilo versions, it will support Liberty in the near future, Cohen says. Cisco named Red Hat, Canonical, and Mirantis as OpenStack distributors that it’s currently working with.
Other updates to ACI include:
- Policy-based automation across multiple data centers through its “multisite app” in its ACI Toolkit. The multisite app can synchronize policy across multiple data centers to enable faster disaster recovery and application mobility.
- Support for automated service insertion for any Layer 4-7 service without a device package.