
Scaling OpenStack Security Groups

Security groups (or Endpoint Groups if you’re a Cisco ACI fan) are a nice traffic policy abstraction: instead of dealing with subnets and ACLs, define groups of hosts and the rules of traffic control between them… and let the orchestration system deal with IP addresses and TCP/UDP port numbers.

However, regardless of the level of abstraction you use, in the end someone needs to compile the security policy into ACLs and download it into the data path (VMware NSX is no exception, as Brad Hedlund explained in the NSX Microsegmentation podcast)… which can explode into a Cartesian product of per-host entries (one entry for every source/destination pair a group-level rule covers) unless your data path supports groups of L3/L4 objects (object groups in Cisco ASA or ipset in iptables).
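To make the Cartesian-product argument concrete, here is an added example (not code from the post or from any vendor mentioned in it) that compiles the same group-level policy two ways: once into flat per-host ACL entries, and once into ipset-backed iptables rules where each group becomes a set and each policy rule becomes a single match on set membership. The three groups, their addresses and the two rules are constructed sample data; the `growth` helper generalizes the count to groups of equal size and assumes each rule references two groups no other rule shares.

```python
"""Compile a group-based security policy into data-path rules two ways:
flat per-host entries (Cartesian product) and ipset-backed iptables rules."""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Rule:
    src_group: str
    dst_group: str
    proto: str
    dport: int


# Constructed sample: three tiers with a handful of hosts each (hypothetical addresses).
GROUPS = {
    "web": ["10.0.1.1", "10.0.1.2", "10.0.1.3"],
    "app": ["10.0.2.1", "10.0.2.2", "10.0.2.3", "10.0.2.4"],
    "db": ["10.0.3.1", "10.0.3.2"],
}
POLICY = [
    Rule("web", "app", "tcp", 8080),
    Rule("app", "db", "tcp", 5432),
]


def compile_flat(groups, policy):
    """Expand every group-to-group rule into one entry per (src host, dst host) pair.
    Entry count is the sum over rules of |src group| * |dst group|."""
    entries = []
    for rule in policy:
        for src, dst in product(groups[rule.src_group], groups[rule.dst_group]):
            entries.append((src, dst, rule.proto, rule.dport))
    return entries


def compile_ipset(groups, policy):
    """Emit ipset/iptables commands: one set per group, one member add per host,
    and a single FORWARD rule per policy rule matching on set membership.
    Data-path state is the sum of group sizes plus the number of rules."""
    cmds = []
    for name, hosts in groups.items():
        cmds.append(f"ipset create {name} hash:ip")
        cmds.extend(f"ipset add {name} {host}" for host in hosts)
    for rule in policy:
        cmds.append(
            f"iptables -A FORWARD -m set --match-set {rule.src_group} src "
            f"-m set --match-set {rule.dst_group} dst "
            f"-p {rule.proto} --dport {rule.dport} -j ACCEPT"
        )
    return cmds


def entry_counts(groups, policy):
    """Return (flat_entries, set_based_entries) the data path would have to hold."""
    flat = len(compile_flat(groups, policy))
    with_sets = sum(len(hosts) for hosts in groups.values()) + len(policy)
    return flat, with_sets


def growth(hosts_per_group, n_rules):
    """Entry counts for n_rules rules, each between two distinct groups of equal size
    that no other rule shares (assumption): flat grows quadratically with group size,
    set-based grows linearly."""
    flat = n_rules * hosts_per_group * hosts_per_group
    with_sets = 2 * hosts_per_group * n_rules + n_rules
    return flat, with_sets


if __name__ == "__main__":
    print("flat entries vs set-based entries:", entry_counts(GROUPS, POLICY))
    for cmd in compile_ipset(GROUPS, POLICY):
        print(cmd)
    print("100 hosts/group, 10 rules:", growth(100, 10))
```

For the sample policy the flat compilation produces 20 entries against 11 pieces of set-based state; with 100 hosts per group and 10 rules the gap is 100,000 versus 2,010, which is the explosion the paragraph refers to. Adding a host to a group costs one `ipset add` in the set-based model but a new entry for every peer in every rule that touches the group in the flat one.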

Nuage Networks solved the problem with an interesting twist: they use BGP communities to propagate security group membership, and use Open vSwitch extensions to avoid the explosion of the OpenFlow rule set. For more details, watch the Scaling Security Groups video from the Scaling Overlay Virtual Networks webinar.
