Software Defined Networking (SDN) - Comparing Cisco ACI with VMware NSX


Taimoor Malik, Manager, Management Consulting, Technology Infrastructure, KPMG

Key terms

1. Software Defined Networking (SDN) refers to the ability to create, modify and update networks solely through software once the physical infrastructure is in place. SDN decouples network configuration from the underlying physical devices, which are mostly switches, routers, firewalls, VPN concentrators and load balancers. The concept is similar to virtual machines, which are independent of the underlying physical hosts that provide physical memory and CPU.

2. SDN Controller: Software defined networking (SDN) products, usually referred to as SDN controllers, are software that aims to control all aspects of networking through a central dashboard (controller dashboard). Almost all major networking vendors offer an SDN controller. Here is a link to a list of SDN controllers and their comparison.

3. Network Function Virtualization (NFV) is simply the virtualization of different aspects of networks. Typically routing, switching, firewall and load balancing functions are carried out by dedicated appliances. These appliances could be from a variety of vendors such as Cisco, HP, Juniper, F5, Check Point or Fortinet and come with pre-installed software that allows them to be managed through a central controller. The controller uses standard APIs to connect to these devices. Making these network functions available through software that is not dependent on the underlying hardware or hardware vendor is network function virtualization.

4. Micro-segmentation refers to applying traffic management policies (such as security, Quality of Service and forwarding) at the level of an individual operating system/virtual machine, as opposed to applying these policies per subnet/network, switch or physical port.

5. Application Programming Interface (API) can be thought of as hooks or an interface in a piece of software through which information can be provided to or collected from that software. Network device vendors provide standard APIs in their software (for example a router running Cisco IOS) that allow controllers to connect to and control those devices. OpenFlow (OF) is one of the communication standards that define how a virtual network controller can interact with a specific network device. Here is more information on OpenFlow and how it relates to SDN.

Comparing Cisco & VMware SDN offerings

Cisco and VMware are two major players in the SDN arena, both having SDN offerings that meet a variety of today's evolving network needs. Cisco is the number 1 player in physical networking hardware such as routers and switches, whereas VMware is the dominant player in virtual environments, leading with its flagship ESXi hypervisor and now well extended into software network environments. Let's have a look at what these products/technologies are, how they are similar to each other and how they differ.


Cisco is an established player in the technology hardware space with market leadership in routing, switching, wireless, unified communications and x86 blade servers. Traditionally Cisco's focus has been on hardware platform innovation and development. However, with recent industry trends and to create further value for its customers, Cisco has been focusing on software development.

Cisco ACI

The current architecture in today's datacenter networks is the core, aggregation and access layer design. Traffic in this architecture routes through the core of the network to reach different network segments, which can result in multiple hops before traffic reaches its final destination. Additionally, all VLANs and their associated subnets are usually not available in all parts of the network.

ACI leverages a spine-leaf architecture. In this approach network devices take the role of either a spine or a leaf. All endpoints such as servers are connected to leaves only, and all traffic flows from leaf to spine to leaf. This spine-leaf architecture is referred to as the network fabric. Once all hardware connectivity is established, the fabric can be controlled by the Application Policy Infrastructure Controller (APIC). APIC is really a piece of software that talks to the fabric (the physical switches) and is used to configure the fabric from one central location as opposed to logging in to each device and configuring it individually.

Additionally, the Cisco Application Policy Infrastructure Controller (APIC) provides an application-centric view through dashboards that show the current health state of an application as opposed to physical infrastructure health. An application can be defined as a group of servers along with their security, bandwidth and quality of service (QoS) policies. The dashboards in the APIC interface show an aggregate picture of how each of the underlying pieces of an application is performing by collecting information from each component that makes up the application. If a user complains that their response time is slow, APIC can not only confirm that the response time is indeed slow but also point out that the database server in the backend is saturated or that the network port connected to the database server is congested.


VMware is the dominant player in virtualization of typical servers (x86 platform), allowing multiple virtual operating systems to be installed on one physical x86-based machine/PC/server. Today VMware controls the majority of the market share for virtualized platforms. The transition into the networking space is a natural expansion for VMware.

NSX is VMware's software defined networking (SDN) controller. VMware's entry into the networking space came from the virtual switch that connects the virtual network interfaces of virtual machines. The outside interfaces of this virtual switch were real hardware interfaces, cabled as uplinks to physical switches. Earlier versions of the vSwitch had basic Layer 2 connectivity and lacked features such as QoS, port mirroring etc. Additionally, the switch was limited to the specific host on which it resided. Over time VMware added functionality to the virtual switch so it more closely matched an actual switch, and extended the original standard switch into a distributed switch so that virtual machines on different hosts can connect to the same switch. Cisco responded with its Nexus 1000v, a virtual switch installed as software on ESXi host machines.

Extending into Layer 3 and beyond

VMware developed its networking offerings further to include Layer 3 routing functionality using Distributed Logical Routers (DLR). DLRs are software routers that operate at the IP layer and are used to route traffic east-west, i.e. between different subnets within the datacenter. To get traffic out of the datacenter or to the WAN, VMware NSX offers the Edge Services Gateway (ESG). The ESG also offers additional services such as routing at the edge, route redistribution, load balancing, L2/L3 VPN and DHCP/DNS relay, and is used to connect at the boundary between the physical and the virtual network.

Underlying mechanism - Virtual Extensible LAN (VXLAN)

Virtual Extensible LANs (VXLANs) are the underlying mechanism for both Cisco ACI and VMware NSX to make particular VLANs/subnets available throughout the network. This allows a virtual machine to be moved from one host to another, with the new host being on a different part of the network or a different subnet, and still be able to communicate. Without VXLANs the moved virtual machine cannot communicate using its IP address since it is now in a different subnet.

VXLAN is a Layer 2 overlay scheme over a Layer 3 network that uses MAC Address-in-User Datagram Protocol (MAC-in-UDP) encapsulation to extend Layer 2 segments across the data center network. Leveraging VXLAN in ACI or NSX simply means that the original Layer 2 frame has a VXLAN header added. This modified frame is then placed in a UDP/IP packet. After this, normal network transport takes place, which means encapsulating UDP (Layer 4) in IP (Layer 3) and then IP (Layer 3) in an outer Ethernet frame (Layer 2). From a transport perspective, the difference is that we are now transporting a UDP packet. With this MAC-in-UDP encapsulation, VXLAN tunnels a Layer 2 network over a Layer 3 network.
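To make the MAC-in-UDP layering concrete, here is an added example (not code from the article, Cisco or VMware) that builds a VXLAN-encapsulated packet in Python and decapsulates it again: an inner Ethernet frame between two VMs gets the 8-byte VXLAN header from RFC 7348, then a UDP header with the IANA-assigned destination port 4789, then an IPv4 header whose source and destination are the two hosts' tunnel endpoints. The MAC addresses, IP addresses, VNI 10100 and payload are all constructed sample values; the outer Ethernet header is left out because the hypervisor or leaf switch adds it on transmit.

```python
import socket
import struct

VXLAN_UDP_PORT = 4789        # IANA-assigned VXLAN destination port (RFC 7348)
VXLAN_FLAG_VNI_VALID = 0x08  # the "I" flag: the VNI field is valid
IPPROTO_UDP = 17


def mac_bytes(mac: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' into its 6 raw bytes."""
    return bytes(int(octet, 16) for octet in mac.split(":"))


def ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Build the inner (tenant) Layer 2 frame that VXLAN will carry."""
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ethertype) + payload


def vxlan_header(vni: int) -> bytes:
    """8-byte VXLAN header: flags, 24 reserved bits, 24-bit VNI, 8 reserved bits."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3sI", VXLAN_FLAG_VNI_VALID, b"\x00\x00\x00", vni << 8)


def udp_header(src_port: int, dst_port: int, payload_len: int) -> bytes:
    """UDP header; a zero checksum is permitted for UDP over IPv4."""
    return struct.pack("!HHHH", src_port, dst_port, 8 + payload_len, 0)


def ipv4_checksum(header: bytes) -> int:
    """Standard one's-complement sum over 16-bit words (0 for a valid header)."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src_ip: str, dst_ip: str, payload_len: int) -> bytes:
    """20-byte IPv4 header (DF set, TTL 64) addressed between the two tunnel endpoints."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64,
                      IPPROTO_UDP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def vxlan_encapsulate(inner_frame: bytes, vni: int, outer_src_ip: str, outer_dst_ip: str,
                      src_port: int = 49152) -> bytes:
    """MAC-in-UDP: inner frame -> VXLAN header -> UDP -> IPv4 (outer Ethernet added by the VTEP)."""
    vx = vxlan_header(vni) + inner_frame
    udp = udp_header(src_port, VXLAN_UDP_PORT, len(vx)) + vx
    return ipv4_header(outer_src_ip, outer_dst_ip, len(udp)) + udp


def vxlan_decapsulate(packet: bytes):
    """Validate each outer layer, then return (vni, inner_frame)."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != IPPROTO_UDP:
        raise ValueError("outer packet is not UDP")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IPv4 checksum")
    udp = packet[ihl:]
    _, dst_port, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    if dst_port != VXLAN_UDP_PORT:
        raise ValueError("not the VXLAN UDP port")
    vx = udp[8:udp_len]
    flags, _, vni_field = struct.unpack("!B3sI", vx[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VXLAN I flag not set")
    return vni_field >> 8, vx[8:]


# Constructed sample: two VMs on one tenant segment (VNI 10100, an assumed value) whose
# hosts' tunnel endpoints sit in different IP subnets, so the inner frame crosses a router.
INNER_FRAME = ethernet_frame("00:50:56:aa:00:02", "00:50:56:aa:00:01", 0x0800,
                             b"constructed inner payload")


def demo() -> dict:
    packet = vxlan_encapsulate(INNER_FRAME, vni=10100,
                               outer_src_ip="10.0.1.1", outer_dst_ip="10.0.2.1")
    vni, inner = vxlan_decapsulate(packet)
    return {
        "vni": vni,
        "roundtrip_ok": inner == INNER_FRAME,
        "overhead_bytes": len(packet) - len(INNER_FRAME),  # 20 IPv4 + 8 UDP + 8 VXLAN = 36
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the inner frame surviving the round trip unchanged while the outer IP addresses belong to different subnets, which is what lets a moved VM keep its own address. The 36 bytes of IPv4/UDP/VXLAN overhead (50 once the outer Ethernet header is counted) is why a VXLAN underlay needs a larger MTU, and the decapsulation path refuses packets whose IPv4 checksum, protocol, UDP port or VXLAN I flag is wrong instead of trusting the framing.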


Since VMware NSX has the final connection to virtual machines via virtual switches, it has the ability to implement security and QoS policies relevant to each machine individually, as opposed to perimeter network firewalls that protect the overall network. Operating systems running on virtual machines such as Windows or Linux have had their own built-in firewalls for many years. With the VMware NSX firewall, administration and monitoring of these policies is much smoother and they can be managed from one central location. The firewall features available with VMware NSX are L2-L4 protection; it lacks advanced full-blown next-generation firewall features such as protection up to L7 and intrusion prevention and detection (IPS/IDS).

Cisco ACI uses an application-aware construct called the End-Point Group (EPG) that defines the group of endpoints belonging to a specific EPG. Endpoint groups are independent of IP addresses or subnets, and a member can be a physical server or a virtual machine. Security, QoS and forwarding policies are then applied to these endpoint groups. This approach allows granular control of traffic flow from each machine.
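The EPG model just described, together with the per-VM policy the article credits to the NSX firewall and to micro-segmentation in the key terms, can be illustrated in a few lines of Python. This is an added example, not Cisco's or VMware's code: endpoints are keyed on a stable identity rather than an address, EPG contracts list the permitted L4 services between groups, and a conventional per-subnet ACL is evaluated beside it for comparison. The EPG names, the contracts, the default-deny posture, free intra-EPG communication and the sample addresses are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Endpoint:
    """A workload as the fabric sees it: a stable identity plus attributes that may change."""
    name: str   # stable identity (VM name); policy is keyed on this, never on the IP
    mac: str
    ip: str     # changes when the VM is moved to a host on another subnet
    epg: str    # End-Point Group membership


@dataclass(frozen=True)
class Service:
    """An L4 service, the granularity the article attributes to both products' firewalls."""
    proto: str
    dport: int


# Contracts between EPGs: (consumer EPG, provider EPG) -> services the consumer may reach.
# Anything not listed is denied (default-deny posture, assumed for this example).
CONTRACTS = {
    ("web", "app"): {Service("tcp", 8080)},
    ("app", "db"): {Service("tcp", 5432)},
}


def epg_allows(src: Endpoint, dst: Endpoint, proto: str, dport: int) -> bool:
    """Micro-segmentation decision: look up both endpoints' EPGs, then the contract."""
    if src.epg == dst.epg:           # members of one EPG may talk freely (assumption)
        return True
    return Service(proto, dport) in CONTRACTS.get((src.epg, dst.epg), set())


# Traditional per-subnet ACL for contrast: (src network, dst network, proto, dport).
SUBNET_ACL = [
    (ip_network("10.1.1.0/24"), ip_network("10.1.2.0/24"), "tcp", 8080),
    (ip_network("10.1.2.0/24"), ip_network("10.1.3.0/24"), "tcp", 5432),
]


def subnet_acl_allows(src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
    """Classic rule matching on where a packet comes from, not on who sent it."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    return any(s in sn and d in dn and proto == p and dport == dp
               for sn, dn, p, dp in SUBNET_ACL)


def demo() -> dict:
    # Constructed three-tier application; names and addresses are sample values.
    web = Endpoint("web-01", "00:50:56:aa:00:01", "10.1.1.10", "web")
    app = Endpoint("app-01", "00:50:56:aa:00:02", "10.1.2.10", "app")
    db = Endpoint("db-01", "00:50:56:aa:00:03", "10.1.3.10", "db")
    # web-01 is moved to a host attached to another subnet: new IP, same identity and EPG.
    web_moved = Endpoint(web.name, web.mac, "10.1.4.10", web.epg)

    return {
        # Both models agree while the VM sits in its original subnet.
        "web_to_app_before": (epg_allows(web, app, "tcp", 8080),
                              subnet_acl_allows(web.ip, app.ip, "tcp", 8080)),
        # After the move the subnet ACL silently stops matching; the EPG contract still holds.
        "web_to_app_after": (epg_allows(web_moved, app, "tcp", 8080),
                             subnet_acl_allows(web_moved.ip, app.ip, "tcp", 8080)),
        # No web->db contract exists, so a compromised web tier cannot reach the database directly.
        "web_to_db": epg_allows(web_moved, db, "tcp", 5432),
        # Same port, opposite direction: contracts are directional.
        "db_to_app": epg_allows(db, app, "tcp", 5432),
    }


if __name__ == "__main__":
    for flow, verdict in demo().items():
        print(f"{flow}: {verdict}")
```

The interesting case is the moved VM: once web-01 lands in a subnet the ACL never anticipated, the subnet rule stops matching while the contract keyed on identity still applies, and the absent web-to-db contract shows the east-west containment that a perimeter firewall alone cannot express.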

Differences between Cisco ACI and VMware NSX

Cisco Application Centric Infrastructure (ACI) is a totally new spine-leaf architecture and an improvement on existing traditional network architectures. VMware NSX, on the other hand, uses the existing underlying network architecture, which in most cases is already set up and functioning, and adds an overlay technology (VXLAN) so that networking decisions can be made independently of the underlying connectivity.

Cisco ACI requires specialized hardware (Nexus 9k series switches), whereas VMware NSX is software that uses existing network topologies.
