When Cisco and VMware started shipping software-defined networking (SDN) platforms, the obvious thinking was that you would choose one or the other. If you chose VMware NSX, you would go down the software-only overlay path using your existing data center fabric or perhaps a third-party fabric infrastructure. If you chose Cisco’s Application Centric Infrastructure (ACI), you were choosing to forklift your existing fabric and adopt Cisco’s hybrid software and hardware approach to SDN.
However, as both NSX and ACI matured, it's become clear that each has advantages that can be better leveraged together, and disadvantages that can be mitigated if they are deployed together.
VMware NSX
With NSX, you get a well-integrated software overlay that supports existing VMware environments almost seamlessly. This integration allows NSX to act like a "network hypervisor" providing a single virtual router, switch, firewall, and load balancer, distributed across every VMware host device in the data center. This creates, among other things, an environment that supports high-bandwidth transport within VMware hosts, as well as easy microsegmentation between guest operating systems.
Additionally, VMware has built a rich ecosystem of partners, such as Palo Alto Networks, which provide security services that are closely tied to the VMware kernel. Because the application-centric policy model in ACI can be more complex to implement than NSX, the partnerships forged by VMware give companies the ability to more easily integrate and implement NSX.
However, VMware NSX does have one limitation: It is a software-only solution, and a robust physical underlay is still required. That is, while you can install NSX on any network, a poorly designed network will result in a poorly functioning VMware NSX overlay.
For example, traditional core, distribution, and access networks are excellent for data center designs that predominantly consist of north/south traffic -- traffic flows in and out of the data center, but very rarely between servers. However, many modern data center applications require significantly more east/west traffic flows, meaning most traffic flows are between servers. This means that without a physical network that supports high-performance east/west traffic flows, VMware NSX traffic would follow the north/south physical paths, possibly resulting in sub-optimal performance. This is where ACI can help enhance NSX.
Cisco ACI
Cisco’s approach to SDN is to focus on the fusion of hardware and software services. Along with traditional SDN software offerings, Cisco ACI provides a robust physical underlay. When used in conjunction with NSX, ACI has several benefits.
First, spine-and-leaf physical architectures are ideal for east/west traffic flows and ACI provides automatic fabric discovery and deployment. As a result, once the fabric switches are installed and cabled, the spine-and-leaf fabric is automatically discovered and built. This simplifies the process of deploying spine-and-leaf fabrics for SDN, and eliminates many of the complexities involved with Layer 3 design and scaling that are inherent to many spine-and-leaf architectures.
Second, ACI provides real-time visibility into physical network functionality. This enhances NSX by giving network and application engineers deeper visibility into actual packet flow rather than only seeing packet flow within the software overlay.
Finally, ACI provides a process called encapsulation normalization. This means that, regardless of encapsulation type -- VXLAN, NVGRE or 802.1Q -- the ACI fabric will map traffic types on packet ingress into the native ACI VXLAN fabric. If your business requires integration of non-VMware hosts or physical servers, the Cisco ACI fabric will be able to normalize these packets and forward them without a performance penalty.
When considering an SDN solution, it is important to consider not only your software overlay, but also your hardware underlay. For customers looking to leverage seamless integration with their VMware-based data center designs, without the complexity of developing full application-centric designs, NSX is a natural choice. ACI is well suited for customers that want a robust network underlay and highly targeted application-centric design.
However, for the many organizations looking for an easy-to-implement software overlay and a very robust hardware underlay, NSX on ACI will give you the best of both worlds -- something that's very rare in the information technology world.
Michael Edwards is a Principal Architect in Professional Services at GTRI.