I wrote a piece comparing Cisco ACI & VMware NSX for Network World. I hope I avoided sensationalizing the issues or framing NSX and ACI as an either/or choice. I tried simply to break down what the two SDN approaches do and how they might be of value to organizations. Perhaps the biggest point I hope to make in the piece is that ACI and NSX are not easy to compare: they don't accomplish the same things, nor do they work in identical ways.
Here are a few quotes. Take each one separately; don’t read them as one long statement.
- Multi-hypervisor support is an important part of the NSX strategy, adding, as it does, Citrix Xen and KVM users to the mix. In fact, NSX is agnostic to many environment elements, including network hardware, which is an important attribute.
- Since all the endpoints are known to NSX, there’s no requirement for unknown unicast flooding. Multicast and broadcast packets are copied from hypervisor to hypervisor.
- A distributed firewall is another key part of NSX. In the NSX model, security is done at the network edge in the vSwitch. Policy for this distributed firewall is managed centrally. Conceptually, the NSX distributed firewall is like having many small firewalls, but without the burden of maintaining many small firewall policies.
- With ACI, network virtualization isn't the whole story. Rather, ACI is an entire SDN solution wrapped around the idea that IT applications are the most important thing in an organization. In that sense, it's difficult to compare NSX and ACI directly.
- The Nexus 9000 switches are high-density 10GbE and 40GbE switches built on the idea of "merchant plus" silicon, as in merchant silicon plus custom Cisco ASICs.
- Cisco says that APIC is open, in that the APIs to access APIC data are to be made available to anyone wishing to write to them. In fact, customers will be able to download “open device packages” that allow network hardware not currently part of an ACI infrastructure to be exposed to APIC.
- A major difference between ACI and NSX is that Cisco is emphasizing hardware in addition to software. In Cisco's view, software by itself won't cut it.
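Two of the NSX points above, that a controller which knows every endpoint removes the need for unknown-unicast flooding, and that a distributed firewall enforces one centrally managed policy at each vSwitch, are easier to reason about with a small model in front of you. The following is an added toy model written for this post; it is not NSX code and makes no claim about NSX's internal data structures. All names (`Controller`, `VSwitch`, `Rule`, `build_demo`), the three hypervisors and the three-tier policy are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed toy model, not NSX code: one central controller that knows
# every endpoint and holds one firewall policy, plus a virtual switch per
# hypervisor that forwards and filters locally using what the controller pushed.

BROADCAST = "ff:ff:ff:ff:ff:ff"
ANY = "any"


@dataclass(frozen=True)
class Rule:
    src_group: str  # logical group of the sender, or ANY
    dst_group: str  # logical group of the receiver, or ANY
    dst_port: int   # destination port; 0 matches any port
    action: str     # "allow" or "deny"; first matching rule wins


class Controller:
    """Central control plane: the endpoint table and the single policy."""

    def __init__(self):
        self.endpoints = {}  # VM MAC -> (hypervisor, group)
        self.policy = []     # ordered list of Rule

    def register(self, mac, hypervisor, group):
        self.endpoints[mac] = (hypervisor, group)

    def push(self, vswitches):
        # Every vSwitch gets the full endpoint table and the same policy,
        # so each edge can forward and enforce without asking anyone.
        for vs in vswitches:
            vs.endpoints = dict(self.endpoints)
            vs.policy = list(self.policy)


class VSwitch:
    """Per-hypervisor data plane: forwarding plus the distributed firewall."""

    def __init__(self, hypervisor):
        self.hypervisor = hypervisor
        self.endpoints = {}
        self.policy = []
        self.log = []  # (event, details...) tuples for inspection

    def allowed(self, src_mac, dst_mac, dst_port):
        src = self.endpoints.get(src_mac)
        dst = self.endpoints.get(dst_mac)
        if src is None or dst is None:
            return False
        for r in self.policy:
            if (r.src_group in (src[1], ANY) and r.dst_group in (dst[1], ANY)
                    and r.dst_port in (dst_port, 0)):
                return r.action == "allow"
        return False  # nothing matched: default deny

    def forward(self, src_mac, dst_mac, dst_port=0):
        """Return the hypervisors a frame from a local VM is delivered to."""
        if dst_mac == BROADCAST:
            # Broadcast is copied hypervisor to hypervisor (head-end
            # replication), one copy per remote host. This toy applies
            # firewall policy to unicast only.
            return sorted({h for h, _ in self.endpoints.values()
                           if h != self.hypervisor})
        if dst_mac not in self.endpoints:
            # Destination unknown to the controller: no unknown-unicast
            # flooding, the frame is simply dropped at the edge.
            self.log.append(("drop-unknown", src_mac, dst_mac))
            return []
        if not self.allowed(src_mac, dst_mac, dst_port):
            # Blocked at the sender's vSwitch before it leaves the host.
            self.log.append(("deny", src_mac, dst_mac, dst_port))
            return []
        return [self.endpoints[dst_mac][0]]  # unicast straight to that host


def build_demo():
    """Three hypervisors, a three-tier app, one policy. Constructed data."""
    ctl = Controller()
    ctl.register("00:00:00:00:00:01", "hv1", "web")
    ctl.register("00:00:00:00:00:02", "hv2", "app")
    ctl.register("00:00:00:00:00:03", "hv3", "db")
    ctl.policy = [
        Rule("web", "app", 8080, "allow"),
        Rule("app", "db", 3306, "allow"),
        Rule(ANY, ANY, 0, "deny"),
    ]
    switches = {h: VSwitch(h) for h in ("hv1", "hv2", "hv3")}
    ctl.push(switches.values())
    return switches


if __name__ == "__main__":
    sw = build_demo()
    web, app, db = "00:00:00:00:00:01", "00:00:00:00:00:02", "00:00:00:00:00:03"
    print(sw["hv1"].forward(web, app, 8080))   # delivered to hv2
    print(sw["hv1"].forward(web, db, 3306))    # denied at hv1, nothing sent
    print(sw["hv1"].forward(web, BROADCAST))   # one copy each to hv2, hv3
```

The point worth noticing is that `hv1` and `hv3` carry identical `policy` lists: there are as many enforcement points as hypervisors, but only one policy to maintain, and a web-to-db connection is refused on the sending host even though the controller knows exactly where the db VM lives.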
I’m happy to engage in further discussion about what you think I got right or wrong in my analysis.