The Problem with NSX and ACI

Let’s face it, if there’s even the slightest whiff of someone in a business somewhere mentioning or even thinking about ‘SDN’, Cisco and VMware will be knocking on that door… with a sledge hammer!
The problem is, neither vendor’s product is perfect and as yet, they don’t talk to each other.
NSX doesn’t manage infrastructure. Period.  It has not a care in the world to what is going on with the underlay.  And you might say “Well that’s how it’s designed – to be underlay agnostic”.  My problem with this is; if you’re doing a greenfield DC or refresh, you still have to consider the physical infrastructure. How are you going to manage that infrastructure, monitor it and maintain it. NSX won’t make it go away.  What NSX is good at is the logical stuff – it’s easy to understand the concepts of an edge firewall, distributed firewall, dLR and logical networks. And it’s easy to create the tenant spaces within those constructs.
ACI is infrastructure, it is not virtualisation. The super-cool thing about ACI is just how easy it is to deploy, configure and manage large-scale network infrastructure.  It’s unbelievable how easy it is! Where it fails, not abysmally just badly, is delivery of the infrastructure constructs into the hypervisor space.  Cisco need to create an hypervisor-component capable of everything a physical leaf does – sending traffic up to a physical leaf for processing and then returning it back to the hypervisor is just clumsy. Even worse, assigning VLANs (which we’re trying to get away from the limits of) into port-groups on the VDS and using that for [micro-]EPG separation is clunky.
Are these two competitors? Cisco and VMware believe so, but in reality they are solving different problems, expensively.
What is the answer.. working together.  Which is tricky – NSX has come along way in terms of the VXLAN/Logical Switching/dLR development and of course ACI is doing the same at the physical layer in the leaf(s) (leaves?). I like NSX’s ability to provide a limited set of basic network functions (Edge, SSL/VPN/SLB) in an easy-to-consume way, what I don’t like is it’s total ignorance to physical infrastructure and physical workloads.

NSX Ninja

In the later-half of 2015 I was lucky enough to be invited to the NSX Ninja partner course at VMware in Staines.  This is a course specifically to drive the knowledge-base of partner consultants and architect-types to enable them to seek out and position NSX oppertunities.  With two weeks of training on the agenda and the assumption you’ve already spent some time on either a training course (ICM or Fast Track) and earned the VCP-NV; this course focuses first on low-level troubleshooting components and packet flows, then on the design side with the intention of preparing students for the VCIX-NV.

Read the rest of this entry »