News

Cisco's ACI Software-Defined Networking Platform Gets Docker Container Support

• By David Ramel
• 12/04/2015

Cisco Systems Inc. updated its software-defined networking (SDN) platform, Application Centric Infrastructure (ACI), adding support for Docker container technology, tighter security and more.

ACI is Cisco's answer to the growing SDN movement that's disrupting the traditional enterprise networking industry, which was basically owned by the company. While it features many key tenets of SDN -- such as programmability and centralized management -- it also includes some vestiges of the more traditional model, such as proprietary hardware.

While ACI supported both physical and virtual endpoints, the new release extends that support to Docker containers, yet another burgeoning technology taking the networking and virtualization industries by storm. Linux-based Docker containers wrap up an application with all the supporting resources and dependencies it needs to run consistently in any environment, such as code, runtime, system tools, software libraries and more. Coincidentally, the Docker platform recently received management and security upgrades of its own.

Cisco's Docker container endpoint support comes via integration of its Cisco Application Policy Infrastructure Controller (APIC) and Project Contiv, an open source initiative that facilitates container-based application deployment by defining infrastructure operational policies.

"This powerful integration is a natural fit with policy and the lifecycle of containers: as containers elastically scale out an application, Cisco ACI seamlessly enables policy and contracts across the whole network fabric to add and remove configuration," Cisco exec Soni Jiandani said in a blog post yesterday. "The policy is enforced on the hardware, and its resources are optimized, matching the container networking lifecycle." The company published a white paper on integrating ACI with Docker containers.

Cisco also touted enhanced security in its ACI update. "Cisco ACI now provides micro-segmentation support for VMware VDS, Microsoft Hyper-V virtual switch, and bare-metal applications, which allows granular endpoint security enforcement," the company said in a statement yesterday. "Customers can dynamically enforce forwarding and security policies and quarantine compromised or rogue end points based on virtual machine attributes (such as Name, Guest OS, VM Identifier) or network attributes (such as IP address.)"

Now, workloads can be isolated within the same policy group, the company said. One benefit of this functionality is the ability for organizations to combat security attacks by preventing threats from moving around laterally within datacenter infrastructure by disabling communication among all the endpoints hosted in the same Web tier, for one example.

Other features of the ACI update include new support for multiple datacenters, increased operational flexibility, more choices for cloud automation tools and more. Jiandani said the upgrade continues the company's focus on three main areas: automation through policy; consistent support for physical, virtual and containers; and open, standards-based, embedded security.

"The future of networking is here," Jiandani said. "We've created an infrastructure that is hypervisor agnostic, with the most advanced security enforcement capabilities on the market today. Manage your entire fabric with a familiar user interface. And manage policy across any endpoint group -- physical, virtual and containers with a consistent security posture."