Understanding OpenFlow, VXLAN and Cisco's ACI

Three different approaches dominate today's software-defined networking market. Dan Pitt of the ONF explains the difference between them.

Dan Pitt

April 15, 2015


Efforts to virtualize the network are only a few years old and a number of approaches have emerged, leading to an explosion of terms and acronyms -- and understandable confusion. Three terms relating to network virtualization are getting the most attention: OpenFlow, Virtual eXtensible LAN (VXLAN), and Cisco Application Centric Infrastructure (ACI). While it may seem like comparing apples and oranges, examining the pros and cons of these three approaches is key to understanding the evolving network virtualization market.

OpenFlow

OpenFlow is a communications protocol and a foundational element of the software-defined networking (SDN) architecture, which decouples the network control and forwarding functions. SDN centralizes network intelligence, and control, in software-based controllers that maintain a global view of the network. Currently, OpenFlow is the only open, standards-based "southbound" protocol for communication between an SDN controller and network equipment. It allows direct programming of network hardware such as switches and routers, both physical and virtual, making networks more dynamic, manageable, cost-effective and adaptable.

A key characteristic of OpenFlow is that it uses flows to identify network traffic, based on pre-defined match rules (ingress port, MAC and IP addresses, protocol, TCP/UDP ports and so on, each with a priority) that can be statically or dynamically programmed by the SDN control software. In the simplest terms, OpenFlow conveys forwarding information from a controller to a collection of switches, telling the switches what to do with each flow. In return, the switches report per-flow counters and other data to the controller.

Because it operates on flows, OpenFlow provides IT with extremely granular control, enabling the network to respond to real-time changes at the application, user and session levels. OpenFlow allows IT to define how traffic should flow through network devices based on parameters such as usage patterns, application needs, service-level agreements and cloud resources.
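To make the flow-table idea concrete, here is an added example (not code from the article, the ONF or any OpenFlow implementation): a small Python model of a switch flow table with the pieces the text names, match fields, priorities, actions and per-entry counters, plus the controller side that installs rules and reads the counters back. The hosts, ports and policy are constructed for illustration; the table-miss behaviour follows OpenFlow 1.3, where an unmatched packet is dropped unless a priority-0 table-miss entry says otherwise.

```python
"""Toy OpenFlow-style flow table: match rules, priorities, actions, counters.

Added illustration, not the article's or any vendor's code. Hosts, ports and
the policy below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass
class FlowEntry:
    priority: int
    match: dict      # header field -> required value; a field not listed is a wildcard
    actions: list    # e.g. ["output:2"], ["drop"], ["controller"]
    packets: int = 0  # counters the switch reports back to the controller
    bytes: int = 0


class FlowTable:
    """The switch side: a single table, highest priority match wins."""

    def __init__(self):
        self.entries = []

    def add_flow(self, priority, match, actions):
        """What a controller FLOW_MOD does: install a rule and re-sort by priority."""
        self.entries.append(FlowEntry(priority, dict(match), list(actions)))
        self.entries.sort(key=lambda e: -e.priority)

    def lookup(self, pkt):
        for e in self.entries:
            if all(pkt.get(k) == v for k, v in e.match.items()):
                return e
        return None

    def process(self, pkt, size=64):
        """Data path: match, bump counters, return the action list.
        No match is a table miss; OpenFlow 1.3 drops unless a priority-0
        catch-all entry was installed (see build_table)."""
        e = self.lookup(pkt)
        if e is None:
            return ["drop"]
        e.packets += 1
        e.bytes += size
        return e.actions

    def stats(self):
        """What the switch reports on a stats request: (priority, match, packets)."""
        return [(e.priority, e.match, e.packets) for e in self.entries]


def build_table():
    """The controller's policy for one switch. Priorities do the real work:
    the specific deny beats the broad permit, and the admin exception beats both."""
    t = FlowTable()
    # Admin host may SSH to the server; most specific, highest priority.
    t.add_flow(300, {"ip_proto": 6, "ipv4_src": "10.0.0.100",
                     "ipv4_dst": "10.0.0.5", "tcp_dst": 22}, ["output:2"])
    # Everyone else is blocked from SSH on the server.
    t.add_flow(200, {"ip_proto": 6, "ipv4_dst": "10.0.0.5", "tcp_dst": 22}, ["drop"])
    # HTTPS to the server is forwarded out port 2.
    t.add_flow(100, {"ip_proto": 6, "ipv4_dst": "10.0.0.5", "tcp_dst": 443}, ["output:2"])
    # Table-miss entry: punt anything unknown to the controller for a decision.
    t.add_flow(0, {}, ["controller"])
    return t


def demo():
    """Constructed packets run through the table; returns the chosen actions."""
    t = build_table()
    pkts = [
        {"in_port": 1, "ip_proto": 6, "ipv4_src": "198.51.100.7", "ipv4_dst": "10.0.0.5", "tcp_dst": 22},
        {"in_port": 1, "ip_proto": 6, "ipv4_src": "10.0.0.100", "ipv4_dst": "10.0.0.5", "tcp_dst": 22},
        {"in_port": 1, "ip_proto": 6, "ipv4_src": "198.51.100.7", "ipv4_dst": "10.0.0.5", "tcp_dst": 443},
        {"in_port": 3, "ip_proto": 17, "ipv4_dst": "10.0.0.9", "udp_dst": 53},
    ]
    return [t.process(p) for p in pkts], t.stats()


if __name__ == "__main__":
    actions, stats = demo()
    for a, s in zip(actions, stats):
        print(a, s)
```

Two things worth noticing when reading this. First, an allow rule and a deny rule can both match the same packet; only the priority decides, so the order in which a controller installs rules is irrelevant but the priorities it assigns are the whole policy. Second, the table-miss entry is a design choice with security weight: sending misses to the controller gives reactive, fine-grained control but also means an attacker who can generate many unknown flows can load the controller and the control channel, whereas dropping misses fails closed.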

Overlays and VXLAN
Many customers have an installed base of networking equipment that is not yet OpenFlow-enabled. To bring SDN/network virtualization to these customers, a number of vendors offer what is known as an "overlay" approach, in which a logical network is overlaid onto an existing physical network. By pushing intelligence to the network edge, overlays can provide some SDN-like features and capabilities without requiring upgrades of physical networking equipment.

However, overlays require that packets be encapsulated to cross the network, using outer headers that mask what is inside. The encapsulated packets are tunneled through the physical network and, when they reach the tunnel endpoint at the far side, are unpacked (decapsulated) and forwarded to the target host. A practical consequence is that firewalls, ACLs and monitoring tools sitting in the physical network see only the outer headers; unless they understand the encapsulation, the tenant traffic inside is opaque to them.

VXLAN is a popular encapsulation method for overlay networks. It allows network operators to create a Layer 2 network on top of a Layer 3 network by carrying Ethernet frames inside UDP, with a 24-bit segment identifier (VNI) in place of the 12-bit VLAN tag. Because a VM keeps its MAC and IP addresses when it moves, it can only be migrated within a single Layer 2 domain without breaking its connections; VXLAN extends that domain across Layer 3 boundaries, which is why many view it as a game-changer.

VMware, Arista, and Cisco created the original VXLAN specification, which the IETF published as RFC 7348 in 2014. It is supported in Open vSwitch, and as of version 3.7, the Linux kernel also includes VXLAN support.

Despite its pluses, VXLAN has scale and complexity issues, in part because the original specification relies on IP multicast in the underlay to deliver broadcast, unknown-unicast and multicast (BUM) traffic; each VNI is mapped to a multicast group, and every tunnel endpoint learns which remote endpoint is behind which MAC address from the traffic it decapsulates. In addition, using VXLAN can raise CPU overhead on edge devices due to the packet processing associated with adding and then removing protocol headers.
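The two preceding points, the encapsulation that hides the inner frame from the physical network and the multicast-based handling of BUM traffic, are shown together in the following added example, which is not code from the article, the ONF or any VXLAN implementation. It builds and parses the 8-byte VXLAN header as laid out in RFC 7348 and models two tunnel endpoints (VTEPs) that learn MAC-to-VTEP mappings from decapsulated traffic and flood unknown destinations to the VNI's multicast group. The VTEP addresses, MACs, VNI 5000 and the 239.1.1.1 group are constructed for illustration, and the outer IP/UDP layer is represented as a tuple rather than as real packet bytes.

```python
"""VXLAN header encode/decode and a minimal VTEP with multicast BUM handling.

Added illustration, not the article's or any vendor's code. Header layout and
the UDP port follow RFC 7348; addresses, MACs, the VNI and the multicast group
are constructed for this example. The underlay datagram is modelled as the
tuple (src_ip, dst_ip, udp_dst_port, payload) instead of real IP/UDP bytes.
"""
import struct

VXLAN_UDP_PORT = 4789
VXLAN_FLAG_I = 0x08       # "I" bit: the VNI field is valid


def vxlan_header(vni):
    """8 bytes: flags, 3 reserved, 24-bit VNI, 1 reserved."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8)


def parse_vxlan(payload):
    """Split a VXLAN UDP payload into (vni, inner Ethernet frame)."""
    if len(payload) < 8:
        raise ValueError("short VXLAN header")
    flags, word = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("I flag clear; RFC 7348 says drop")
    return word >> 8, payload[8:]


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def ethernet_frame(dst_mac, src_mac, ethertype, body):
    """Inner frame: the part the physical network never inspects."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + body


class VTEP:
    """Tunnel endpoint for one VNI.

    Learns inner source MAC -> remote VTEP IP from what it decapsulates and
    sends broadcast, unknown-unicast and multicast frames to the VNI's group.
    """

    def __init__(self, ip, vni, mcast_group):
        self.ip, self.vni, self.group = ip, vni, mcast_group
        self.fdb = {}  # inner MAC -> remote VTEP IP

    def encap(self, frame):
        """Return the underlay datagram carrying this frame."""
        dst = mac_str(frame[0:6])
        remote = self.fdb.get(dst)
        # Low bit of the first MAC octet set = group address (broadcast/multicast).
        if remote is None or frame[0] & 1:
            remote = self.group  # BUM traffic: flood via the VNI's multicast group
        return (self.ip, remote, VXLAN_UDP_PORT, vxlan_header(self.vni) + frame)

    def decap(self, datagram):
        """Unpack a received datagram; learn the sender; return the inner frame."""
        src_ip, _dst_ip, port, payload = datagram
        if port != VXLAN_UDP_PORT:
            return None
        vni, frame = parse_vxlan(payload)
        if vni != self.vni:
            return None  # another segment; not ours
        self.fdb[mac_str(frame[6:12])] = src_ip
        return frame


def demo():
    """Constructed exchange: host A behind VTEP A ARPs for host B behind VTEP B.
    Returns the outer destinations used and both VTEPs' learned tables."""
    a = VTEP("10.1.1.1", 5000, "239.1.1.1")
    b = VTEP("10.1.1.2", 5000, "239.1.1.1")
    arp_req = ethernet_frame("ff:ff:ff:ff:ff:ff", "02:00:00:00:00:0a", 0x0806, b"who-has 192.168.0.2")
    d1 = a.encap(arp_req)        # unknown destination -> multicast group
    b.decap(d1)                  # B learns host A's MAC is behind 10.1.1.1
    arp_rep = ethernet_frame("02:00:00:00:00:0a", "02:00:00:00:00:0b", 0x0806, b"is-at 02:00:00:00:00:0b")
    d2 = b.encap(arp_rep)        # known destination -> unicast to VTEP A
    a.decap(d2)                  # A learns host B's MAC is behind 10.1.1.2
    return d1[1], d2[1], dict(a.fdb), dict(b.fdb)


if __name__ == "__main__":
    print(vxlan_header(5000).hex())
    print(demo())
```

Note what the underlay gets to see in `d1` and `d2`: a source IP, a destination IP (the group or a VTEP) and UDP port 4789. The ARP request and reply, and any application traffic that follows, are inside the payload, so an ACL on the physical network can only permit or deny VXLAN as a whole, and VTEP learning itself is unauthenticated: any device that can inject UDP/4789 toward a VTEP with the right VNI can populate its forwarding table.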

While VXLAN has garnered considerable attention, the industry is already moving on. VMware, Cisco and their partners are working on new encapsulation protocols, including Generic Network Virtualization Encapsulation (GENEVE), VXLAN Generic Protocol Extension (VXLAN-GPE), and Network Service Header (NSH), and have submitted Internet-Drafts for each to the IETF. Encapsulation methods will continue to evolve for the foreseeable future.

Cisco ACI

As its name indicates, Cisco's ACI is a tightly coupled, policy-driven infrastructure solution. Cisco describes ACI as a holistic architecture, enabling network component programmability through centralized automation and dynamic, application-driven network policy models.

ACI consists of multiple Cisco components: Cisco Nexus 9000 Series switches; a centralized policy management controller, the Cisco Application Policy Infrastructure Controller (APIC); and a Cisco Application Virtual Switch (AVS) for the virtual network edge. For communication between the controller and network devices, ACI supports OpFlex and RESTful API for the southbound protocols.

APIC, the Cisco policy controller, acts as a central repository for all policies, and manages and configures the policy on each of the switches in the ACI fabric. ACI also serves as a platform for third-party services such as advanced security, load balancing and monitoring. In addition, Cisco provides northbound APIs on APIC that enable it to integrate with different types of cloud environments.

At the virtual network edge, APIC can currently push policies only to hosts running Cisco's AVS, although Cisco is working with open-source Linux vendors such as Red Hat and Canonical to distribute an ACI OpFlex agent for Open vSwitch. Cisco is also collaborating with Red Hat to extend the ACI policy framework to OpenStack environments, specifically the Red Hat Enterprise Linux OpenStack Platform. Several companies (including Canonical, Citrix Systems, Microsoft, and Red Hat) are building OpFlex into their hypervisors and software, and vendors such as Avi Networks and F5 Networks will ship an OpFlex agent with their appliances.

Apples and oranges

In summary, customers can program the network with OpenFlow in much the same way CPUs are programmed. One of the key benefits of OpenFlow is that it allows customers to use any supported switch, even "white box" switches, instead of expensive, specialized hardware. Overlays offer an interim approach, designed so customers can continue to use their installed base of networking equipment while gaining virtualized networking functionality; they rely on encapsulation methods such as VXLAN. Cisco ACI is a full-blown infrastructure offering driven by a policy manager. Unlike OpenFlow-based SDN, ACI requires intelligent network devices to execute the policies.

Need more specifics on virtual networking? Stuart Bailey of the ONF will present Let's Get Together and End Vendor Lock-In at Interop Las Vegas this month. Learn even more in the SDN track and the live workshop, Software-Defined Networking and Network Virtualization. Register now for Interop, taking place April 27 to May 1.
