Many companies won't be able to avoid using both Cisco and VMware SDN software to manage physical and virtual networks in the data center, an expert says.
For many enterprises, Cisco and VMware won't be an either-or choice for software-defined networking. Instead, both vendors will be needed to get the job done.
That was one of many observations from Jason Nash, an IT architect who led an SDN session at the Interop trade show last week. Nash, who works for Chicago-based consulting company AHEAD, said Cisco and VMware would eventually make their SDN software inseparable from their products.
"Whether they're included in your licensing, whether you buy them separately or whether they are just part of the gear, eventually, a lot of us are going to be using both of these [SDN products]," Nash said.
Many joint customers of Cisco and VMware will find it impractical to use just one of the vendors' SDN technologies across a data center, Nash said. He estimated 40% of the functionalities of the two SDN products overlap, which isn't enough for one to fully replace the other.
VMware's SDN software, NSX, works best for managing the network connecting applications on VMware's virtualization platform. Cisco's Application Centric Infrastructure (ACI), on the other hand, is strongest at configuring and provisioning Cisco and third-party network hardware.
How enterprises use SDN
Nash's clients typically have between 500 and 2,000 separate applications in their data centers. How these companies use SDN software is much different from how Google, Microsoft and other large Internet companies, which run tens of thousands of instances of virtualized applications, use it.
Nash's customers use NSX to erect security zones around network segments, workloads or other sets of resources. The technique, called microsegmentation, lets companies set rules for traffic flowing between zones. The rules prevent hackers from spreading malware across data center applications.
Companies use ACI for microsegmentation across network hardware and virtual systems outside of VMware environments. ACI is particularly good at applying policies across physical systems -- whether Cisco switches, Palo Alto Networks' firewalls, IBM servers or F5 Networks' load balancers, Nash said.
SDN software is mostly used for segmentation today because companies are spending more on security than on other network infrastructure, Nash said. "Roughly 80-plus percent of my SDN conversations [with clients] are around some sort of segmentation."
Nash often works with large healthcare organizations buying up physician practices and folding their IT operations into the larger company's data center. Depending on the client's infrastructure, Nash uses ACI, NSX or both to create a temporary segmented network for the acquired practice's applications.
When possible, Nash uses NSX to automate tasks done over and over again, such as creating virtual firewalls, load balancers or virtual private network terminations for people who worked at the acquired firm.
In general, NSX and ACI work equally well, although the latter had "some rough edges" when Cisco introduced it in 2013, Nash said.
"Cisco still can't write a proper user interface to save their lives, but they're getting there," Nash said.
In the meantime, companies evaluating ACI and NSX should judge them against the requirements of a particular project. "It's all about use cases," Nash said. "What you're trying to accomplish."