Cisco announced last week that its rapidly expanding ACI ecosystem now includes the A10 Networks aCloud Services Architecture based on the Thunder ADC Application Delivery Controllers, as well as the Catbird IDS/IPS virtual security solutions. These new ACI ecosystem vendors are announcing support for the ACI policy model and integration with the Application Infrastructure Policy Controller (APIC) which will accelerate and automate deployment and provisioning of these services into application networks. This should also resolve any speculation that the ACI ecosystem would not be including technology vendors that compete with Cisco’s other lines of business, as Cisco expands the solution alternatives for customers.
Each of the solutions will rely on two primary capabilities of the APIC and ACI to provide a policy-based automation framework and policy-based service insertion technology. A policy-based automation framework enables resources to be dynamically provisioned and configured according to application requirements. As a result, core services such as firewalls, application delivery controllers (ADC) and Layer 4 through 7 switches can be consumed by applications and made ready to use in a single automated step.
A policy-based service insertion solution automates the step of routing network traffic to the correct services based on application policies. The automated addition, removal, and reordering of services allows applications to quickly change the resources that they require without the need to rewire and reconfigure the network or relocate the services. For example, if the business decision is made to use a web application firewall found in a modern ADC as a cost-effective way of achieving PCI compliance, administrators would simply need to redefine the policy for the services that should be used for the related applications. The Cisco APIC can dynamically distribute new policies to the infrastructure and service nodes in minutes, without requiring the network be manually changed.
A10 Thunder™ ADC product line of high-performance, next-generation application delivery controllers enables customers’ applications to be highly available, accelerated and secure. Thunder ADCs deliver performance scalability up to 150 Gbps. The unique joint Cisco ACI and A10 Networks ADC solution improves data center operations and application deployment, using the Cisco APIC as the central policy control and management station and Cisco ACI service-insertion technology to direct traffic to the appropriate service nodes. A10 Thunder ADC and vThunder virtual appliances leverage Cisco ACI to deliver a comprehensive ADC cloud vision, with health telemetry to provide customizable and complete application flow management.
A10’s new integration with the Cisco ACI Infrastructure enables joint data center customers to implement a single network policy via the Cisco APIC controller to ensure application acceleration and availability and network security, as well as other network services from a central, automated orchestration system. This will allow automatically provisioned layer 4-7 network services within the ACI fabric (see below).
The integration of the Cisco ACI architecture with Catbird delivers an asset-based approach for compliance automation and enforcement. Catbird organizes applications into shared policy groups, called TrustZones®. Catbird TrustZones policy is applied based upon published compliance standards and frameworks, continuously monitoring for configuration changes, gathering evidence of control for audit, and taking immediate enforcement actions in case of changes that may compromise security and compliance posture.
Cisco ACI enables Catbird insertion anywhere in the network fabric, providing centralized management, ensuring automated security and compliance policy and elastic scaling. With Cisco ACI and Catbird, policy compliance is now continuous, enforced in real-time and fully automated, with visibility and control that exceeds that which is possible in conventional physical environments. The combined solution, with Catbird supporting the ACI policy model and APIC controller, will provide active policy automation and enforcement of industry standards such as PCI DSS 3.0, ISO 27001, HIPAA, and FISMA, reducing the cost and complexity of compliance and increasing the flexibility and elasticity of the application network.
Integrating L4-7 Services in the Open ACI Architecture
So, when technology vendors like these expressly commit to supporting the ACI architecture, what is the integration model to the APIC controller and the ACI fabric? First of all, service automation requires a vendor device package (see below), which is an XML structure defining the attributes, policies and capabilities of the supported L4-7 device. When APIC provisions new application networks that require these services, the device package is loaded into APIC, along with device-specific Python scripts. APIC then uses the device configuration model to pass appropriate configuration details to the device. Script handlers on the device are integrated through REST APIs on the device or CLI.