With SDDC (Software Defined Data Center) gaining prominence, network architects, administrators and data-center experts in enterprises around the globe find themselves staring at the inevitable question – should I go for a vSphere environment with Cisco Nexus 1000v, or VMware’s NSX, as the network virtualization solution that facilitates my SDDC? This article (part 2 of a 3-part series) compares Cisco Nexus 1000v with VMware NSX from the deployment model, components, multi-data-center support and network services perspectives. Part 1 compares the capabilities supported by Cisco Nexus 1000v and VMware NSX, and Part 3 walks through how to set up a fully functional environment of each on Ravello Networking Smart Labs (powered by nested virtualization and networking overlay).
VMware NSX for vSphere is built on top of the vSphere Distributed Switch and cannot run on top of Cisco Nexus 1000v. If you have a vSphere environment already operating with Cisco Nexus 1000v and you are considering a jump to the API-driven NSX world, this article will also help you understand the benefits and disadvantages of making that jump.
VMware NSX is an entire suite of network and security services - in-kernel distributed firewalling and routing, load balancing, gateway nodes and redundant clusters - and all components can be managed from a GUI platform. Cisco’s Nexus 1000v is an add-in module for existing vSphere environments that can be integrated with other Cisco products such as the VSG and vASA.
From a platform-to-platform comparison, NSX and Cisco ACI are more comparable, as they each represent a full, tightly integrated service suite. But if you have a Nexus 1000v deployed in your existing VMware environment, what benefits do you gain from upgrading to the entire NSX suite?
The NSX platform is not a gentle upgrade, nor something you can deploy in pockets or islands of the network. Planning is essential for an NSX upgrade. NSX operates as an overlay model, so it really is a big-bang approach and requires collaboration from the entire team. While Cisco Nexus 1000v and its supporting products are add-on modules and can be introduced gently, NSX requires a greenfield deployment model. The old and new networks can be linked, and applications with their corresponding services can be migrated over time. Greenfield deployments are less risky, but parallel networks come at a cost.
NSX operates on the VDS, and the feature sets of the Nexus 1000v and the VDS are more or less the same. Depending on release dates, one may outperform the other for a period of time, but there is not too much of a difference. Leaving aside the additional integrated nodes NSX offers (controller clusters, Edge services gateways, cross-vCenter), it has two great new feature sets: the distributed in-kernel firewall and distributed in-kernel forwarding.
NSX has Edge router functionality used as various components - VPN and firewall, load balancer - and supports dynamic routing (BGP and OSPF). The Edge distributed router sits in the control plane and communicates with the controller, which in turn communicates with the NSX Manager. The NSX Edge services router sits in the data plane.
The Nexus 1000v comes in two editions: Standard and Enhanced. The Standard edition is free to download with a CCO account, and the Enhanced edition requires a purchased licence. Enhanced supports additional features such as Cisco Integrated Security Features (ISF) - DHCP snooping, IP source guard and Dynamic ARP Inspection - as well as TrustSec and the VSG. Both versions share quite a few features, and both can be integrated with additional Cisco products.
The following table displays the feature parity (from cisco.com):

| Feature | Cisco Nexus 1000V Essential Edition: No Cost | Cisco Nexus 1000V Advanced Edition (with Cisco VSG) |
|---|---|---|
| Layer 2 switching features: VLANs, private VLANs, loop prevention, multicast, virtual PortChannel (vPC), Link Aggregation Control Protocol (LACP), access control lists (ACLs), etc. | Included | Included |
| Network management features and interfaces: Cisco Switched Port Analyzer (SPAN), Encapsulated Remote SPAN (ERSPAN), and NetFlow Version 9; VMware vTracker and vCenter Server plug-in; SNMP; RADIUS; etc. | Included | Included |
| Advanced features: ACLs, quality of service (QoS), and VXLAN | Included | Included |
| Cisco vPath (for virtual service insertion) | Included | Included |
| Cisco Integrated Security Features (ISF): DHCP snooping, IP source guard, and Dynamic ARP Inspection | Not supported | Included |
| Cisco TrustSec SGA support | Not supported | Included |
| Other virtual services: Cisco ASA 1000V, vWAAS, etc. | Available separately | Available separately |
The main reasons for upgrading from a vSphere–Cisco Nexus 1000v environment are architectural and operational benefits. From an operational perspective it may be simpler to have everything under one hood with NSX.
VMware NSX clearly has many more components and network services than the Nexus 1000v. But if your business and application requirements are met by existing infrastructure based on the Cisco Nexus 1000v (with potentially other virtual services), you may choose to avoid the big-bang upgrade to NSX.
NSX is a complete network and security solution that operates on the VDS. With the release of software version 6.2, NSX supports Cross-vCenter NSX on vSphere 6.0. Previously, logical switches, routers and distributed firewalls had a single-vCenter deployment model; with 6.2 these services can be deployed across multiple vCenters. This enables the logical network and security services for a workload to span multiple vCenters, and even physical locations. A potential use case is combining multiple physical data centres that have different vCenters. This new design choice by VMware promotes the NSX Everywhere product offering.
NSX enables an application and its corresponding network and security services to span multiple data centers. All your resources are pooled together, and the location of each is hidden behind a software abstraction layer. This offers a new disaster avoidance and disaster recovery model. For traffic steering, previous active-active data center designs might need additional kludges such as LISP, /32 host routing or HSRP localisation. Without proper configuration of these kludges, all east-west traffic could trombone across the DCI link. They all add to network complexity and only really deal with egress traffic; ingress traffic still needs proper application architecture and DNS load balancing.
NSX is a proper virtualization platform, and you don't need to configure extra kludges for a multi-data-center design. It has a local egress optimization feature, so traffic exits at the correct data centre and does not need to flow over the delicate DCI link.
Unlike Cisco ACI (which is comparable to VMware NSX), Cisco Nexus 1000v is not a complete solution for multi-data-centre support, but it does have capabilities to link data centres together. Similar to VMware NSX, the Nexus 1000v supports VXLAN, a MAC-over-IP technology. VXLAN is used to connect Layer 2 islands over a Layer 3 core, so if you have applications that require Layer 2 adjacency in different data centers, could you use the Nexus 1000v as the DCI mechanism? Technically it's possible. The problem with VXLAN in the past has been its control plane: the initial releases of VXLAN required a multicast-enabled core. The latest releases of Nexus 1000v do offer enhancements, including Multicast-less mode, Unicast Flood-less mode, VXLAN Trunk Mapping and Multiple MAC Mode. The new modes increase the robustness of VXLAN. However, VXLAN was developed to be used in the cloud to support multi-tenancy, and this is how it will probably be developed further in future releases. By itself, the Nexus 1000v doesn't offer great DCI features and capabilities. It may, however, be used in conjunction with other DCI technologies to form a more reliable DCI design.
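As an added illustration (not code from the article or from either vendor), the following Python builds and parses the VXLAN encapsulation both products rely on: an inner Ethernet frame carried behind an 8-byte VXLAN header in a UDP payload, with the receiving side checking the header and refusing VNIs it is not configured for, since the VNI is what keeps tenant segments apart. The MAC addresses and VNI are constructed sample values.

```python
import struct

VXLAN_UDP_PORT = 4789      # IANA-assigned UDP destination port for VXLAN
VXLAN_FLAG_I = 0x08        # "I" flag: the VNI field is valid
VXLAN_HEADER_LEN = 8       # flags(1) reserved(3) VNI(3) reserved(1)
ETH_HEADER_LEN = 14        # dst MAC, src MAC, EtherType

def ethernet_frame(dst_mac: str, src_mac: str, ethertype: int, payload: bytes) -> bytes:
    """Build the inner Ethernet frame that VXLAN carries (MAC-over-IP)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    return mac(dst_mac) + mac(src_mac) + struct.pack("!H", ethertype) + payload

def vxlan_encap(vni: int, inner_frame: bytes) -> bytes:
    """Return the UDP payload a VTEP sends: VXLAN header followed by the inner frame.
    The 24-bit VNI occupies the upper three bytes of the second 32-bit word."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_I, vni << 8) + inner_frame

def vxlan_decap(udp_payload: bytes, allowed_vnis=None):
    """Parse a received VXLAN UDP payload into (vni, inner_frame).

    Rejects truncated packets and packets without the I flag. When
    allowed_vnis is given, a VNI this VTEP is not configured for is rejected
    too: the VNI is the segment boundary, so an unexpected one must be dropped
    rather than bridged into a local segment."""
    if len(udp_payload) < VXLAN_HEADER_LEN + ETH_HEADER_LEN:
        raise ValueError("truncated VXLAN packet")
    flags, vni_word = struct.unpack("!B3xI", udp_payload[:VXLAN_HEADER_LEN])
    if not flags & VXLAN_FLAG_I:
        raise ValueError("VXLAN I flag not set")
    vni = vni_word >> 8                      # low byte is reserved
    if allowed_vnis is not None and vni not in allowed_vnis:
        raise ValueError(f"VNI {vni} is not configured on this VTEP")
    return vni, udp_payload[VXLAN_HEADER_LEN:]

def inner_macs(frame: bytes):
    """Return (dst_mac, src_mac) of a decapsulated frame, as a VTEP would for MAC learning."""
    fmt = lambda b: ":".join(f"{x:02x}" for x in b)
    return fmt(frame[0:6]), fmt(frame[6:12])

if __name__ == "__main__":
    # Constructed sample: an IPv4 frame between two tenant VMs on VNI 5001
    frame = ethernet_frame("00:50:56:aa:bb:cc", "00:50:56:11:22:33", 0x0800,
                           b"\x45" + b"\x00" * 19)
    pkt = vxlan_encap(5001, frame)
    print(pkt[:VXLAN_HEADER_LEN].hex())             # 0800000000138900
    print(vxlan_decap(pkt, allowed_vnis={5001})[0], inner_macs(frame))
```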
A major selling point for NSX is its ability to support VM-NIC firewalls. VMware has a built-in distributed firewall feature that allows stateful filtering services to be applied at the VM NIC level. This gives you an optimum way to protect east-west traffic along with a central configuration point. Policies do not need to be configured on an individual NIC basis: all the configuration can be done in the GUI and propagated down to the individual VM NICs. The entire solution scales horizontally; as you add more compute hosts you get more VM NIC firewalls. Micro firewalls do not result in traffic tromboning or hairpinning, offering optimum any-to-any traffic.
By default, the Nexus 1000v does not offer a distributed firewall model, but it can be integrated with the VSG and the vASA. These additional modules are supported in the Standard and Enhanced editions. Both can then be managed by Cisco Virtual Network Management Center. The VSG is a multi-tenant security firewall that implements policies that move with the mobile virtualized workloads. It decouples the control and data plane operations and connects to the Nexus 1000v VEM using vPath technology, which steers the traffic to it. It employs a scalable model: only the initial packet is sent to the VSG, and subsequent packets are offloaded to vPath on the VEM.
VMware NSX allows you to decouple networking from the physical assets by leveraging the hypervisor edge - the new access switch. Decoupling the network functions from hardware also makes it possible to virtualise those network functions.
The main driver for NSX is that its network virtualization approach is API driven. Network virtualization provides the abstraction from the physical assets, and all of this is API driven. Yes, you can automate using some sort of CLI wrapper, but that approach just doesn't scale. Most CLI-wrapping approaches fail as soon as you look at the entire lifecycle of a component, not only its creation. It is possible to automate the creation of an asset by writing different CLI scripts for certain actions, but what about advanced operations such as querying status and capacity, free resources, or removing assets? This brings a lot of operational complexity into what a script needs to do. An API solution is far superior to, and easier to manage than, a CLI switch hidden behind an orchestrator.
| Capability | VMware NSX | Nexus 1000v & vSphere |
|---|---|---|
| Multi Data Center | Built in with local egress support and promoted with NSX Everywhere. | Not a true DCI product but technically capable with additional technologies |
| Service Chaining | Built in service chaining | Service chaining with vPath |
| Distributed Firewall | Built in distributed firewall (VM-NIC) | Add-on modules |
| Edge Service Gateway | Built in | Potential Edge services with add-on modules |
| Virtual Private Networks | SSL, IPsec, L2 VPN | Potentially with add-on modules |
| End to end activity Monitoring | Traceflow | N/A, but has NetFlow, SPAN and Encapsulated Remote SPAN |
| Services - DHCP & DNS | Yes | Yes |
| API driven | Yes, full API solution | Orchestrated |
So should you switch to VMware NSX from Cisco Nexus 1000v for your SDDC? The answer is: it depends. If your existing business and technical requirements are already being met and you don’t want to take a big-bang approach to change everything – Cisco Nexus 1000v is the way to go. If you are looking for a greenfield approach to build your SDDC with strong out-of-the-box integration with existing VMware resources – NSX will help you get there quicker.
Interested in trying out both Cisco and VMware solutions to get a feel for which one is right for you? Just open a Ravello trial account, and reach out to Ravello. They can help you run the Cisco Nexus 1000v and VMware NSX solutions showcased here with one click.