
Why Cisco, VMware SDN products don't always play nice together

Companies that want to take full advantage of Cisco ACI should skip VMware's NSX to avoid conflicts between the SDN products.

Cisco's software-defined networking approach is capable of administering policies across switching hardware and data center applications that run on VMware's virtualization platform. But toss VMware's SDN security option into the mix, and Cisco's technology becomes less useful.

Companies that have both vendors' SDN products are careful to use each for separate tasks. Typically, Cisco's SDN technology, called Application Centric Infrastructure (ACI), is limited to applying network policies on hardware switches. VMware's NSX, on the other hand, is mostly used for administering a security mechanism called micro-segmentation within a virtualized environment.

The tradeoff in the above scenario is that a company cannot take full advantage of ACI, which without NSX can create and distribute policies for administering a user's entire data center network infrastructure, including the VMware environment.

The compatibility problem stems from the Cisco and VMware SDN products using different types of VXLAN protocols. VXLAN, or virtual extensible LAN, is an encapsulation protocol used to run a virtual network on top of switching hardware.

Forwarding data from NSX through ACI requires encapsulating the information, which creates encapsulation within the VXLAN encapsulation. While the option works, "it's sub-optimal," said Brian Dooley, a data center architect and ACI expert at reseller and IT services company OneNeck IT Solutions LLC, based in Scottsdale, Ariz.

The better solution for a business that has built its network infrastructure around Cisco and other vendors' hardware is to skip NSX and use ACI for micro-segmentation, as well as for administering all other network policies, experts said.

ACI micro-segmentation delicate in VMware

Companies that embrace Cisco's SDN products for everything will find applying micro-segmentation rules in a VMware environment tricky. That's because ACI enforces micro-segmentation by deploying the Cisco Application Virtual Switch (AVS) on the VMware hypervisor host that provides network services to VMware's VMs.

Cisco's AVS, in general, does not work as well in a VMware environment as VMware's own vSphere Distributed Switch (vDS). vDS is the better option for ACI if a company is not using ACI for micro-segmentation.

Keith Reynolds, the network administrator for the Hutto, Texas, Independent School District, said the consensus among experts is that AVS needs more time to mature.

"It sounds like Cisco is still kind of fleshing [it] out," Reynolds said. Hutto uses ACI to enforce network policies that govern the 3,000 Chromebooks the district's students and teachers use daily.

Micro-segmentation is growing in popularity as a mechanism for preventing hackers that have compromised one application from sending malware to other software. The approach involves dividing the data center into workloads or applications and then administering policies that restrict communications between those logical units.
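To make the mechanism concrete, here is an added example (not code from the article, Cisco or VMware) of the policy logic micro-segmentation enforces: workloads are mapped to logical groups, explicit rules permit traffic between groups on a protocol and port, and anything without a matching rule is denied, so a compromised web host cannot reach the database tier directly. The group names, workload names, rules and flow records are all constructed for illustration; the evaluation goes slightly beyond the paragraph by also treating workloads with no group assignment as deny-by-default.

```python
"""Default-deny micro-segmentation policy evaluation (illustrative model)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Rule:
    """One explicit allow between two logical groups for a protocol/port."""
    src_group: str
    dst_group: str
    proto: str   # "tcp" or "udp"
    port: int    # destination port


@dataclass(frozen=True)
class Decision:
    verdict: str   # "allow" or "deny"
    reason: str


class MicroSegmenter:
    """Policy engine keyed on workload group membership; default is deny."""

    def __init__(self, membership: Dict[str, str], rules: List[Rule]):
        self.membership = dict(membership)   # workload name -> group
        self.rules = set(rules)

    def group_of(self, workload: str) -> str:
        # A workload nobody classified gets a group that no rule references
        return self.membership.get(workload, "unclassified")

    def evaluate(self, src: str, dst: str, proto: str, port: int) -> Decision:
        sg, dg = self.group_of(src), self.group_of(dst)
        if "unclassified" in (sg, dg):
            return Decision("deny", f"{src}->{dst}: unclassified workload")
        if Rule(sg, dg, proto.lower(), port) in self.rules:
            return Decision("allow", f"{sg}->{dg} {proto}/{port} permitted by policy")
        # No explicit rule: intra-group and cross-group traffic alike is blocked
        return Decision("deny", f"{sg}->{dg} {proto}/{port} no matching rule (default deny)")


def evaluate_flows(engine: MicroSegmenter, flow_lines: List[str]) -> List[Tuple[str, Decision]]:
    """Parse constructed flow records of the form 'src dst proto port'."""
    results = []
    for line in flow_lines:
        src, dst, proto, port = line.split()
        results.append((line, engine.evaluate(src, dst, proto, int(port))))
    return results


# Constructed sample membership: three application tiers (hypothetical hosts)
MEMBERSHIP = {
    "web-01": "web", "web-02": "web",
    "app-01": "app",
    "db-01": "db",
}

# Constructed rules: only the expected tier-to-tier paths are opened
RULES = [
    Rule("web", "app", "tcp", 8080),
    Rule("app", "db", "tcp", 5432),
]

# Constructed flow records, including a web host trying to reach the database tier
SAMPLE_FLOWS = [
    "web-01 app-01 tcp 8080",
    "app-01 db-01 tcp 5432",
    "web-02 db-01 tcp 5432",
    "web-01 web-02 tcp 22",
    "rogue-99 db-01 tcp 5432",
]


def run_sample() -> List[Tuple[str, Decision]]:
    engine = MicroSegmenter(MEMBERSHIP, RULES)
    return evaluate_flows(engine, SAMPLE_FLOWS)


if __name__ == "__main__":
    for line, decision in run_sample():
        print(f"{decision.verdict:5} {line:26} {decision.reason}")
```

The point of the model is the last return in `evaluate`: a flow that matches no rule is dropped even when both endpoints are in the same group, which is what stops lateral movement from one compromised workload to its neighbours.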

Ultimately, a company deciding whether to use ACI, NSX or both SDN products should test the technologies thoroughly in a proof-of-concept lab to determine which is the better fit for the data center, Dooley said.

"I generally lean toward an ACI solution if a customer is looking for that strong networking aspect," he said. "But we do have customers that want to lean in the direction of the virtualized environment."
