News Stay informed about the latest enterprise technology news and product updates.

Cisco's response to VMware NSX and the future of SDN

We take a deep look at Cisco's response to the VMware NSX network virtualization platform and what it means about the future of SDN.

Cisco System's lack of involvement in VMware's launch of its NSX network virtualization platform was impossible to ignore. VMware's oldest networking partner, Cisco, remained completely silent as its competitors from up and down the network stack happily detailed their NSX integration at VMworld.

Cisco ended its silence on VMware NSX when Chief Technology Officer Padmasree Warrior blogged that Cisco's vision for the future of networking is significantly different from VMware's. The VMware NSX software-only approach to data center networking and network virtualization "doesn't scale and it fails to provide full, real-time visibility of both physical and virtual infrastructure," she wrote.

Some IT pros think Cisco is making legitimate arguments against VMware NSX, but others think the company is staking out ground for the rollout of its Cisco Open Network Environment (ONE) SDN vision and whatever products it eventually launches from its subsidiary Insieme Networks.

Virtual network overlay scalability: Legit problem or trolling?

VMware NSX creates a virtual network overlay that is loosely coupled to the physical network underneath. Cisco and others argue this approach won't scale. In truth, whether software switches and virtual network overlays are enough to handle high-performance environments really depends on the situation.

"I'd venture to say that the majority of virtualized deployments in the world depend on a software switch inside the host. You have to separate software switching into multiple types of uses. The use cases where a simple software switch is performing a fairly basic Layer 2 feature set can do a great job today, and the vSwitches in ESX are a great example of that," said Brad McConnell, principal architect at Rackspace, an early customer of the precursor to NSX, the Nicira Network Virtualization Platform. "There are other use cases -- for example a software switch performing more advanced services in an open source hypervisor -- where people might not find today's performance acceptable for all workloads. There will continue to be significant improvements in this area, but for those searching for practically jitter-free, sub-millisecond performance, removing the hypervisor from the network path still makes sense."

At this point, "ASIC-based switches that can natively participate in the overlay" are critical to McConnell. "While the software switches might become serviceable for the hypervisors, you still have aggregation points in the data center where the overlays map back to a physical network to reach a service. In these locations you need tens or hundreds of Gbps of performance and don't want to introduce additional jitter. So it's important to remain aware of where all this overlay traffic might be destined to and have a good platform in mind to serve that workload."

The scalability argument harkens back to arguments over OpenFlow-based SDN, said network engineer and blogger Tom Hollingsworth. Experts have fretted over an OpenFlow controller's ability to jam flow definitions into a switch's content addressable memory (CAM) tables fast enough. The NSX controller still has to program flows for VXLAN tunnel endpoints (VTEPs). VMware said software gets the job done, but networking pros will need to see the product in action before they're completely sold.

"Now [NSX is] using a different model with STT and VXLAN and that scale problem goes away?" Hollingsworth said. "Networking vendors have spent decades teasing CAM and making TCAM [Ternary CAM] work as fast and as good as possible. You can either have lots of CAM tables and run at normal speed, or you can run really fast but not have a lot of entries. How's that going to work now that I don't have a CAM table and all my stuff is done in software?"

Others say it's too early to argue whether VMware NSX can scale since it won't be generally available until next quarter.

"She left [scalability] as a very broad statement," said Nick Buraglio, a lead network engineer at a large Midwestern university. "You can always say it won't scale to 10 billion nodes. What's the scope?"

Data center network engineer and blogger Matt Oswalt is "tired of the PowerPoint arguments."

"No one is using this yet. We're still in the debate phase. To hear scalability arguments in that phase sounds just wrong. Some of the arguments might hold a little bit of truth, but you can't say it doesn't scale when you haven't seen it yet."

Will network engineers be flying blind with NSX?

Warrior's argument that a loosely coupled overlay network lacks visibility resonates more with networking pros than data center specialists. They've been asking about this since Nicira first came out of stealth mode.

"We've been hearing for a long time that the applications need to tell the network what to do, but the network needs to be able to inform the application about what's going on, too," Hollingsworth said. "If applications are just in a black box demanding resources, we're never going to reach a point where we can give and take, in which applications make do with the resources that are available as opposed to the resources it wants."

Network pros have spent whole careers solving the challenge of underlay visibility to fix problems before they happen -- so why believe in decoupling the underlay and overlay networks, Hollingsworth said.

"Now if you decouple that into an overlay and load everything into an invisible infrastructure, you render all my advances moot. [My monitoring tools] see a lot of traffic going back and forth between these hosts, but it could be spanning tree; it could be legitimate traffic; it could be an attack. I won't know."

Gaining full visibility between the physical and virtual infrastructure is critical, and it won't be easy, said Eric Hanselman, research director at New York-based 451 Research.

"Being able to have full, through-stack signaling would be wonderful and amazing, but it raises a level of complexity with the necessary state-keeping that takes complexity to very high levels," Hanselman said.

Yet others say visibility tools will emerge. Basic VXLAN monitoring and reporting tools have already emerged from Riverbed and others are likely to follow suit.

"Most people haven't really dug into the controllers operationally yet, so it's still unicorns," said Rackspace's McConnell. "Debugging is less intuitive than figuring out what's wrong on a traditional hop-by-hop network still. Either time will allow VMware to perfect the platform or it might lead to a more balanced view on who the third party is -- Cisco tapping into virtual concepts or VMware rewriting the network."

Martin Casado, chief networking architect at Palo Alto, Calif.-based VMware and founder of Nicira, said NSX's ability to maintain a view of the global state of the network at the VTEP edge gives the platform a unique ability to extend visibility across the overlay and the physical infrastructure. There is plenty of through-stack visibility today and more to come, he said.

"We're working on the ability to pinpoint a specific link that's dropping packets from the edge," he said. "We'll trace a path through the physical network, find which links it goes across, and if it drops packets at a certain link, we'll tell that to the admin and the admin can decide what to do about it. We'll be able to tell you when [virtual machine] A can't talk to [virtual machine] B, and we'll be able to tell you which link is the problem, even in multi-pathing scenarios."

Will network virtualization and SDN kill the Cisco-VMware partnership?

When VMware bought network virtualization startup Nicira for more than $1.2 billion, many industry observers said the days of VMware and Cisco's cozy relationship were over. Here was VMware, a longtime partner of Cisco, buying a company that appeared to threaten Cisco's high-margin business.

Despite the back-and-forth over network virtualization and SDN, Cisco and VMware remain extremely diplomatic about their relationship, at least publicly. With so many customers in common, the companies have no choice but to remain partners.

"VMware is not trying to replace networking vendors here," said Josh Barron, a systems engineer with a Pacific Northwest systems integrator. "VMware has always just offered tools for people to make things work. [Cisco and VMware] are great partners. They have VCE and Flexpod and Nexus 1000v. Those are powerful stories. NSX doesn't replace that. It's just another tool that people can use or not."

Barron said NSX has the potential, rather, to help the market understand SDN better. Today there is so much SDN washing in the industry and no one seems to agree on the value or the definition of the technology.

"Whether [NSX ultimately] works with OpenFlow or OpenDaylight or something else remains to be seen. But maybe it will be the straw that breaks the camel's back to get people to realize what SDN is; that networking can be policy-driven and that APIs [application programming interfaces] can directly interface networking equipment with the hypervisor."

On the other hand, Cisco is on the verge of bringing several technologies to market that will probably conflict with VMware NSX. Cisco ONE and Insieme are both elements of Cisco's strategy to solve the problems of modern data centers from the network up the stack, while VMware's view is to approach these problems from the software layer down. It appears inevitable that the two companies will smash into each other head on over network virtualization and SDN.

The Cisco-VMware "partnership is still strong, but they are heading in different directions," said 451 Research's Hanselman.

"I see this very much as the making of an Apple versus Microsoft," Buraglio said. "You're going to get your religious zealots who want Cisco-everything and VMware-everything. And they're probably going to come from different departments in the organization, with networking guys going with Cisco and server guys with VMware. I don't know if this has ever happened before at this kind of scale."

Let us know what you think about the story; email: Shamus McGillicuddy, news director.

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.