It will also ease implementation of firewalls and other security services that go beyond OpenStack’s “namespaces on a Linux box” security, he says.
“For a lot of our client base, that is totally unacceptable,” Weise says. “Plus, some might have specific reasons for why they want to use Palo Alto Networks (firewalls) or (Cisco) ASA with intrusion protection. That kind of capability doesn’t come easy with the way OpenStack is now, so we have to use ACI to add network security-as-a-service on top of the services that are already there.”
Weise says a mix of different technologies will be used in conjunction with OpenStack group-based policy and ACI group-based policy to meet the “stringent requirements” of KeyInfo’s customers.
KeyInfo is not using the OpFlex policy protocol, developed by Cisco, Microsoft, IBM, Citrix and Sungard, to push group-based policies out to the infrastructure, though it is an option, Weise says. Another is middleware from a third-party vendor to do that through ACI API calls, he says.
“We’re trying to stay away from being too much of a middleman” for translating and instantiating policies, Weise says.
The biggest challenge in implementing ACI was leaving the old CLI routines behind when defining, configuring and administering group-based policy, Weise says. The biggest benefit is the automation of configuring end point groups vs. manually touching each device in that group.