01/14/2015 8:00 AM

Your Network's Next Step: Cisco ACI Or VMware NSX

When it comes to SDN, Cisco's Application Centric Infrastructure and VMware's NSX are often discussed interchangeably, but they are really very different. Joe Onisick explains how they compare and can even work together.

Editor's Note: This article is written by Joe Onisick, an engineer at Cisco who helped develop and works closely with ACI technology. While we recognize that the column may have inherent biases, Joe is known as an authority on this subject, and we feel that he addresses points that are important to our readers. Other subject matter experts interested in contributing technical articles may contact the editors.

With the industry buzzing about software-defined networking (SDN), there are two products that often lead the discussion: Cisco's Application Centric Infrastructure (ACI) and VMware's NSX. Many organizations are in the midst of assessing which solution is correct for them and their networks moving forward. In this column we'll take a look at some of the factors that go into deciding which product is appropriate and even when they should be used together.

To get a baseline of both technologies, we'll start with a quick overview of each offering.

VMware NSX
VMware NSX is a hypervisor networking solution designed to manage, automate, and provide basic Layer 4-7 services to virtual machine traffic. NSX is capable of providing switching, routing, and basic load-balancer and firewall services to data moving between virtual machines from within the hypervisor. For non-virtual machine traffic (handled by more than 70% of data center servers), NSX requires traffic to be sent into the virtual environment. While NSX is often classified as an SDN solution, that is really not the case.

SDN is defined as providing the ability to manage the forwarding of frames/packets and apply policy; to perform this at scale in a dynamic fashion; and to be programmed. This means that an SDN solution must be able to forward frames. Because NSX has no hardware switching components, it is not capable of moving frames or packets between hosts, or between virtual machines and other physical resources. In my view, this places VMware NSX into the Network Functions Virtualization (NFV) category. NSX virtualizes switching and routing functions, with basic load-balancer and firewall functions.

Two versions of NSX exist, depending on a customer's infrastructure requirements. There is the more feature-heavy NSX for VMware, which works only with VMware hypervisors and automation tools, and there is NSX Multi-Hypervisor (NSX-MH), which has limited support for some Linux hypervisors but requires a VMware distribution of OVS that is split off from the open community trunk. According to VMware, NSX-MH is currently being phased out.

NSX's strongest selling point is security isolation within a hypervisor. This falls into the category of "micro-segmentation." NSX is able to deploy routing and basic load-balancing and firewall services between virtual machines on the same hypervisor. Again, this is NFV functionality, not SDN functionality, which would require the ability to forward packets between devices.

Cisco ACI
Cisco ACI is designed to look at both the change in hardware requirements and the agility provided by software control of networks as a system, rather than manual configuration of individual devices.

From a hardware perspective, two major changes are driving the need for network refresh:

  1. The move from 1G to 10G is being driven by current processor capabilities and 10G LAN on motherboard (LOM) shipping with new servers. This then drives requirements for 40G/100G ports for traffic aggregation and forwarding distribution across access or leaf layer switches.

  2. Changes in data center traffic patterns are driving the requirement for a shift in network topology design. Modern data centers move the majority of data in an East-West pattern, which means server-to-server communication. Three-tier network architectures are designed for traditional North-South traffic patterns, which supported legacy application architectures.

These changes require physical hardware refresh as well as topology change within the data center, and cannot be solved with software-only solutions. The requirement for these changes is reflected within the best practices guides of even software-only solutions such as VMware NSX. The best practices guides for these products suggest 10G/40G non-blocking, 2-tier, spine-leaf designs. These are the same designs recommended by network vendors such as Cisco and utilized by ACI.


Cisco ACI

I am not very sure about VMware NSX, but yes, I need a good and structured physical network to construct the static environment, and Cisco has a proven record on the same.

Where's the information?

Reader Daniel Dumitriu posted this comment on Google+. He ran into some technical difficulties when trying to repost his thoughts here, so I pasted them in with his permission: 

I don't have a tenth of Joe's knowledge in networking. I followed your link hoping to satisfy my need to learn more about both NSX and ACI. The article, though, has so few technical details and so much bias... it's not even funny (let alone informative).

I believe everyone, literally everyone, with a minimal interest in SDN knows more than what's presented there. Not much help in "deciding which product is appropriate and even when they should be used together".

Almost as usual, VMware pretends there's no networking outside the virtual environments and Cisco does not acknowledge that heavy networking may happen on a single host with little or no networking hardware - an extreme proposition, I know. (Although I know for a fact that at least some folks at Cisco started to recognize and address real SDN).

I do have to appreciate that the article does address one very important - at least to me - concern: traffic routing between the virtual and the physical environments. ACI is, indeed, one of the solutions that promote real SDN, with separation between the control and the data "planes". This is a new tendency for most "traditional networking" vendors, and one to be commended.

Also, it is true, VMware-centric solutions cannot pretend NSX is the "be-all, end-all". They do, indeed need some "real network" between ESXi hosts.

So, please take my original comment with a (huge?) grain of salt - I am an OpenStack and containerization crusader...


Re: Where's the information?

I totally agree with Daniel's comment (yes, I am having a conversation with myself). We -- the media -- and the vendors need to do a much better job of providing detailed information about SDN platforms to help customers understand them. Whether one is SDN and one is NFV really is irrelevant (and funny, considering that not that long ago Cisco swore ACI was not SDN, but now it is). Users need to know what will solve their problems in their own environments, beyond using Cisco because they already use Cisco and VMware because they are already a VMware customer. Right now, if they aren't giving their buddies a big commission, they're taking a big gamble.

Re: Where's the information?

Susan and Daniel,

You're both absolutely right. The conversation needs to move from this vs. that, to what each has to offer. I know both companies are working hard to deliver more of that message. Every environment has different requirements and customers need to be better armed with what they get, and what the caveats are with any solution. If you have suggestions as to what technical detail would be helpful around ACI, I'm happy to get the ball rolling.

Joe Onisick

Principal Engineer, Cisco ACI

Our analytics help to optimize security on Cisco ACI and VMware

APPanalyz, with the introduction of its Secure SDN solution, supports the industry-leading SDN providers Cisco and VMware to help their customers migrate from traditional networks to software-defined networks and to optimize security for the applications hosted on their SDN platforms.

APPanalyz Secure SDN gathers the application traffic flow information between various applications on the network, discovers the required Micro-segments and the servers or virtual machines belonging to those micro-segments and identifies the policies required to secure these micro-segments. It also supports building the micro-segments and enforcing the security policies on Cisco ACI or VMware NSX by generating required configurations.

Click the link below to learn more about APPanalyz Secure SDN.