

Why Cisco, VMware SDN products don't always play nice together

Companies that want to take full advantage of Cisco ACI should skip VMware's NSX to avoid conflicts between the SDN products.

Cisco's software-defined networking approach is capable of administering policies across switching hardware and data center applications that run on VMware's virtualization platform. But toss VMware's SDN security option into the mix, and Cisco's technology becomes less useful.

Companies that have both vendors' SDN products are careful to use each for separate tasks. Typically, Cisco's SDN technology, called Application Centric Infrastructure (ACI), is limited to applying network policies on hardware switches. VMware's NSX, on the other hand, is mostly used for administering a security mechanism called micro-segmentation within a virtualized environment.

The tradeoff in the above scenario is that a company cannot take full advantage of ACI, which without NSX can create and distribute policies for administering a user's entire data center network infrastructure, including the VMware environment.

The compatibility problem stems from the Cisco and VMware SDN products using different types of VXLAN protocols. VXLAN, or virtual extensible LAN, is an encapsulation protocol used to run a virtual network on top of switching hardware.

Forwarding NSX traffic across an ACI fabric requires encapsulating it a second time, so one VXLAN encapsulation is carried inside another. While the option works, "it's sub-optimal," said Brian Dooley, a data center architect and ACI expert at reseller and IT services company OneNeck IT Solutions LLC, based in Scottsdale, Ariz.
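As an added illustration of the double-encapsulation overhead described above (example code written for this page, not from the article or from either vendor): it builds a minimal VXLAN frame, nests one overlay inside another the way an NSX frame crossing an ACI fabric would be, and computes what is left of the underlay MTU. The UDP port is the IANA value, and the addresses, MACs and VNIs are constructed placeholders, not either product's defaults.

```python
import socket
import struct

VXLAN_PORT = 4789   # IANA port; vendor defaults differ (assumption: not tied to ACI or NSX here)
VXLAN_I_FLAG = 0x08
LAYER_OVERHEAD = 14 + 20 + 8 + 8   # outer Ethernet + IPv4 + UDP + VXLAN = 50 bytes per layer
OUTER_MACS = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"  # constructed dst, src

def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header (RFC 7348): flags, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must be a 24-bit value")
    return struct.pack("!B3xI", VXLAN_I_FLAG, vni << 8)

def ipv4_checksum(hdr: bytes) -> int:
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def encapsulate(inner_frame: bytes, vni: int, src_ip: str, dst_ip: str) -> bytes:
    """Wrap a complete Ethernet frame in outer Ethernet/IPv4/UDP/VXLAN headers (one overlay)."""
    vxlan = vxlan_header(vni)
    udp_len = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", 49152, VXLAN_PORT, udp_len, 0)  # UDP checksum 0 is allowed over IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64, 17, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    return OUTER_MACS + b"\x08\x00" + ip + udp + vxlan + inner_frame

def decapsulate(frame: bytes) -> tuple:
    """Strip one VXLAN layer and return (VNI, inner frame); reject anything that is not VXLAN."""
    if frame[12:14] != b"\x08\x00" or frame[23] != 17:
        raise ValueError("outer packet is not IPv4/UDP")
    udp_off = 14 + (frame[14] & 0x0F) * 4
    dst_port = struct.unpack("!H", frame[udp_off + 2:udp_off + 4])[0]
    if dst_port != VXLAN_PORT:
        raise ValueError("unexpected UDP port %d, not VXLAN" % dst_port)
    flags, word = struct.unpack("!B3xI", frame[udp_off + 8:udp_off + 16])
    if not flags & VXLAN_I_FLAG:
        raise ValueError("VXLAN I flag not set")
    return word >> 8, frame[udp_off + 16:]

def inner_ip_mtu(underlay_mtu: int, layers: int) -> int:
    """Largest IP packet a VM can send when its frame crosses `layers` nested VXLAN overlays."""
    return underlay_mtu - layers * LAYER_OVERHEAD

# Constructed example: a hypervisor overlay frame (VNI 5001) carried inside a fabric overlay (VNI 9001)
vm_frame = b"\x02\x00\x00\x00\x00\x0a" * 2 + b"\x08\x00" + b"\x45" + b"\x00" * 39
double = encapsulate(encapsulate(vm_frame, 5001, "10.1.1.1", "10.1.1.2"), 9001, "10.2.2.1", "10.2.2.2")
```

With a 1500-byte underlay, a single overlay leaves 1450 bytes for the VM's IP packets and the nested case leaves 1400, which is why MTU has to be raised on the fabric or lowered on the VMs before the two products are stacked.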

The better solution for a business that has built its network infrastructure around Cisco and other vendors' hardware is to skip NSX and use ACI for micro-segmentation, as well as for administering all other network policies, experts said.

ACI micro-segmentation delicate in VMware

Companies that embrace Cisco's SDN products for everything will find applying micro-segmentation rules in a VMware environment tricky. That's because ACI enforces micro-segmentation by deploying the Cisco Application Virtual Switch (AVS) on the VMware hypervisor host, where it provides network services to VMware's VMs.

Cisco's AVS, in general, does not work as well in a VMware environment as the vendor's vSphere Distributed Switch (vDS). vDS is the better option for ACI if a company is not using it for micro-segmentation.

Keith Reynolds, the network administrator for the Hutto, Texas, Independent School District, said the consensus among experts is that AVS needs more time to mature.

"It sounds like Cisco is still kind of fleshing [it] out," Reynolds said. Hutto uses ACI to enforce network policies that govern the 3,000 Chromebooks the district's students and teachers use daily.

Micro-segmentation is growing in popularity as a mechanism for preventing hackers that have compromised one application from sending malware to other software. The approach involves dividing the data center into workloads or applications and then administering policies that restrict communications between those logical units.
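To make the policy model described above concrete, here is an added example (not the article's or Cisco's code) of a small micro-segmentation evaluator in the style of ACI's endpoint groups and contracts: workloads are grouped, traffic between groups is dropped unless a contract permits it, and a group can be isolated so peers cannot reach each other. The three-tier layout, workload names, ports and the `Segmentation` class are all constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str      # initiating workload
    dst: str      # destination workload
    proto: str    # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Contract:
    consumer: str   # group allowed to initiate
    provider: str   # group that serves the port
    proto: str
    dport: int


class Segmentation:
    """Default-deny between groups; intra-group traffic allowed unless the group is isolated."""

    def __init__(self) -> None:
        self.group_of: dict = {}
        self.isolated: set = set()
        self.contracts: list = []

    def add_workload(self, name: str, group: str) -> None:
        self.group_of[name] = group

    def isolate(self, group: str) -> None:
        self.isolated.add(group)   # members of this group may not talk to each other

    def allow(self, consumer: str, provider: str, proto: str, dport: int) -> None:
        self.contracts.append(Contract(consumer, provider, proto, dport))

    def permits(self, flow: Flow) -> bool:
        src_group, dst_group = self.group_of.get(flow.src), self.group_of.get(flow.dst)
        if src_group is None or dst_group is None:
            return False   # unclassified endpoints never get implicit access
        if src_group == dst_group:
            return src_group not in self.isolated
        return any(c.consumer == src_group and c.provider == dst_group
                   and c.proto == flow.proto and c.dport == flow.dport
                   for c in self.contracts)


def build_three_tier() -> Segmentation:
    """Constructed web/app/db layout: each tier may only reach the next tier on its service port."""
    seg = Segmentation()
    for name, group in [("web1", "web"), ("web2", "web"), ("app1", "app"), ("db1", "db")]:
        seg.add_workload(name, group)
    seg.allow("web", "app", "tcp", 8080)
    seg.allow("app", "db", "tcp", 5432)
    seg.isolate("web")   # a compromised web node cannot spread to its peers either
    return seg
```

The evaluator shows the property the paragraph describes: a workload that has been compromised can still reach only the destinations and ports its group was granted, not the database tier or its own neighbours.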

Ultimately, a company deciding whether to use ACI, NSX or both SDN products should test the technologies thoroughly in a proof-of-concept lab to determine which is the better fit for the data center, Dooley said.

"I generally lean toward an ACI solution if a customer is looking for that strong networking aspect," he said. "But we do have customers that want to lean in the direction of the virtualized environment."

It's a bit odd to read in this article that there are "different" VXLAN protocols; barring the fact that VMware uses by default a different UDP port number, VXLAN is just a simple tunneling mechanism (overlay if you want). The control plane is where the differences are, and indeed if you wanted to point out that sending VXLAN traffic across ACI is cause for some "overhead" I could agree to some extent. Juan already accurately pointed out the new capabilities of the ACI product, so no need to elaborate there, but as an integrator involved with both ACI and NSX implementations, it's fair to say that the gap is closing and your choices will now depend less on micro-segmentation capabilities alone. The only thing I will say is that "manageability" of micro-segmentation is quite important - especially in somewhat larger environments it's very convenient to get all workload attributes from vCenter, and thus far NSX was more efficient due to tight(er) integration. Managing contracts in ACI is not always as straightforward, but it's getting much better, and integration with partners such as vArmour will facilitate micro-segmentation significantly.
Thanks for the insightful comments. I need to speak to a lot more users of ACI and NSX to get a fuller understanding of how the technologies work in the same environment.

[disclaimer, I work for Cisco]

Thanks for your article. I definitely agree that any customer considering ACI, NSX, both or any other SDN solution should consider a good proof-of-concept lab. And it should be a comprehensive one, not just having one or two servers pinging each other.

That said, there are a couple of things written in the article where I believe you don't have up-to-date information. ACI does not require AVS to implement micro-segmentation. With ACI 1.3(1g) or higher this is also available with vSphere VDS. It is also important to notice that micro-segmentation isn't limited to vSphere, and ACI can do micro-segmentation using Microsoft's native virtual switch, and also can do it for bare metal servers.

That said, I don't know what led Hutto to think AVS isn't fully mature. We have a large number of customers using it, and Cisco IT has seen better HA with AVS than VDS. I personally always recommend AVS, but again both options are valid.

Finally, while it is true that customers that use ACI do not really need NSX, if they decide to use NSX anyway for whatever reason they will not be at any disadvantage vs. running NSX over any other fabric solution. Quite the contrary, in fact.

Thanks again for the article! :)

Disclaimer: I work for Cisco in the INSBU (ACI/N9K). Cisco announced a while back that micro-segmentation capabilities are supported with the vSphere Distributed Switch as well (not just the AVS). Intra-EPG isolation was supported as of ACI 1.2(2), and attribute-based EPGs have been supported since 1.3(1) with Nexus 9300-EX hardware. ACI also offers micro-segmentation capabilities for physical endpoints as well.

VMware NSX distributed firewall and micro-segmentation do not use VXLAN at all. In fact, one of the key benefits is removing reliance on things like IP address and VLAN for security. I can't understand what the incompatibility is.

Thanks for the comment. The article is two years old, so a lot has changed. Based on my reporting, companies using ACI and NSX today in the data center use the former to manage Cisco hardware and the latter for virtualized environments. Initially, companies tried to use one or the other for both tasks and were unsuccessful.