SDN, ACI, and Micro-segmentation, Oh My!


November 29, 2017

Proponents call it the biggest thing to hit the technology world since server virtualization, and they’re not wrong. Software defined networking (SDN) technology and its variants have the potential to drastically impact security, the cloud, and the full breadth of our data centers.

Currently, there are two major players in the SDN space, Cisco Application Centric Infrastructure (ACI) and VMware’s NSX. While they may operate in very different ways, both technologies have overlapping functionality and accomplish roughly the same objective.

Furthermore, both technologies claim to be able to create micro-segmentation, an east-west firewall policy to protect data within the perimeter of the network. Once again, this is accomplished through very different means.

Here, we’ll take a closer look at how these two technologies pull this off in their own unique ways.


What is Software Defined Networking?


To start, software defined networking is the abstraction of the network intelligence from the physical hardware. In much the same way server virtualization frees applications from being shackled to a single server, a software defined network is free to create virtual network paths over the physical network.

This results in a tremendous increase in network flexibility and application performance. A network administrator can quickly provision and reprovision networks with a few clicks and intelligently route traffic to ensure mission-critical applications always have the bandwidth they need.

However, it is important to note that SDN is not a singular product. Rather, it is a methodology, so different products may take different routes to achieving the same goal while still falling under the umbrella of SDN.

VMware’s NSX fits the classic definition perfectly. It is a software overlay that sits atop the network. Regardless of the infrastructure involved, NSX creates a network controller, thereby centralizing the intelligence and giving a network administrator the freedom promised by an SDN.


VMware NSX vs. Cisco ACI


VMware NSX

VMware uses a software overlay program to create a virtual network. Compatible with any network equipment, NSX extracts the intelligence from the hardware and moves it up the data stack. Networks and subnetworks can be created on a whim and experimented on without impacting the rest of the network. Policies within these virtual networks can give certain applications bandwidth priority over others, thereby making better use of network resources.

VMware took the operational model of virtual compute and applied it to the network. This approach allows for rapid provisioning, snapshots, cloning, deletion, and more. Networks are provisioned, disbanded, and managed using a single interface.


Cisco ACI

Cisco took the opposite approach from VMware. Instead of extracting the intelligence from hardware, they made their hardware even more intelligent. Now, the Nexus series, along with the Application Policy Infrastructure Controller (APIC), can create something very similar to the SDN environments created with NSX. The Application Centric Infrastructure, as the name might suggest, brings focus to the applications. As Cisco says, the applications are the point of all this hardware.

Cisco ACI allows a network administrator to create quality of service templates and apply them to individual applications. If a certain application requires top bandwidth priority at all times, such as a voice system, a template can be created ensuring that priority. The same template can then be reused for every other application with the same requirements.

Through this process of automated templating, Cisco ACI creates an environment with the same benefits as a traditional software defined network but with a completely different strategy.


Micro-Segmentation Two Ways


Micro-segmentation itself is an intriguing concept. Traditionally in network security, the firewall will exist at the perimeter of the network to prevent nefarious data and users from gaining entry. Once inside, there are often other security measures in place to identify and destroy intrusions but generally not firewalls. Micro-segmentation promises the ability to create an east-west firewall policy—firewalls inside the firewall. The idea is that once traffic is in, it cannot move laterally through the network and infect, steal, or corrupt other information. VMware’s ebook “Micro-segmentation for Dummies” describes it as being, “like safety deposit boxes in a bank vault protecting the valuables of individual bank customers, even if the safe has been cracked.”


Cisco ACI’s Approach

Cisco’s micro-segmentation strategy is in line with the operating model of ACI. The IT administrator can “classify” end points with a construct known as an “End-Point Group” (EPG). Whether virtual machines or physical servers, these can be grouped and named regardless of their IP address. Once the end points are in their buckets, security and forwarding policies can be dynamically assigned to these groups.


VMware NSX’s Approach

VMware’s micro-segmentation solution works just as simply as ACI. Because the VM and the network are now both virtualized, and virtualized by VMware, administrators can just assign firewall policies per VM by default. If the VM moves, the policy will move with it, and if deleted, the policy is as well. It links the two together through the power of the software overlay layer. It’s all software, and as such, enacting these kinds of policies is not difficult.
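As an added illustration (constructed here, not code from the post or from Cisco or VMware), a small Python model of the idea the ACI and NSX sections share: end points are classified by identity rather than address, east-west traffic is denied unless a policy between groups allows it, and the policy follows an end point when its address changes. The class names, sample endpoints and addresses are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Endpoint:
    name: str
    group: str   # identity-based classification (EPG-like), independent of address
    ip: str      # may change when a VM moves; the group and its policy do not

@dataclass(frozen=True)
class Contract:
    consumer: str        # group allowed to initiate the connection
    provider: str        # group that accepts it
    ports: frozenset     # TCP ports permitted by this contract

class SegmentationPolicy:
    # Hypothetical east-west policy engine: default deny between groups.
    def __init__(self):
        self.endpoints = {}
        self.contracts = []
    def classify(self, ep):
        self.endpoints[ep.name] = ep
    def allow(self, consumer, provider, *ports):
        self.contracts.append(Contract(consumer, provider, frozenset(ports)))
    def move(self, name, new_ip):
        # Simulate a VM move or re-addressing; no policy edit is needed.
        self.endpoints[name].ip = new_ip
    def group_of(self, ip):
        return next((e.group for e in self.endpoints.values() if e.ip == ip), None)
    def permitted(self, src_ip, dst_ip, port):
        # A flow passes only if a contract covers source group -> destination group.
        src, dst = self.group_of(src_ip), self.group_of(dst_ip)
        if src is None or dst is None:      # unclassified end points get no east-west access
            return False
        return any(c.consumer == src and c.provider == dst and port in c.ports
                   for c in self.contracts)

def demo():
    # Constructed sample end points and addresses
    p = SegmentationPolicy()
    p.classify(Endpoint("web-01", "web", "10.0.1.10"))
    p.classify(Endpoint("db-01", "db", "10.0.2.20"))
    p.classify(Endpoint("hr-pc-07", "hr", "10.0.3.30"))
    p.allow("web", "db", 3306)              # the only permitted east-west path
    r = {"web_to_db_3306": p.permitted("10.0.1.10", "10.0.2.20", 3306),
         "hr_to_db_3306": p.permitted("10.0.3.30", "10.0.2.20", 3306),   # lateral move blocked
         "web_to_db_22": p.permitted("10.0.1.10", "10.0.2.20", 22)}
    p.move("web-01", "10.0.9.99")           # VM moved; policy follows its identity
    r["moved_web_to_db_3306"] = p.permitted("10.0.9.99", "10.0.2.20", 3306)
    return r
```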


Trying to Find the Right Name


Cisco’s Application Centric Infrastructure (ACI) sits in a strange gray area among various defined technological concepts. No one quite knows what to call it. It is most often lumped in with software defined networking technologies like VMware’s NSX, but that’s not an easy fit. The two technologies may accomplish many of the same goals, but they both have radically different approaches to the same problem.

Without an easy and clear term to refer to Cisco ACI, there has been a lot of confusion as to what it is, what it does, and how it really works.

The truth is, it’s all about semantics.

ACI both is and isn’t software defined networking. It yields similar results and has overlapping functionality with VMware NSX, but those results are not derived by applying an overlay software. A Cisco ACI network is by no means software defined. We simply lack the appropriate terminology, or really any pressing need, to distinguish it.

At the end of the day, the semantics do not matter. What matters are the results it can provide for the business.


The Network. Intuitive.


The world of Cisco networking technology is rapidly changing. In the summer of 2017, Cisco announced their new Network. Intuitive campaign which encompasses many of their existing networking technologies along with a collection of new innovations.

Learn more about how ACI fits into the Network Intuitive in our blog post, “Cisco ACI vs DNA. What’s the Difference?”

Contact us today to discuss Cisco ACI and micro-segmentation.



About Mindsight

Mindsight, a Chicago IT services provider, is an extension of your team. Our culture is built on transparency and trust, and our team is made up of extraordinary people – the kinds of people you would hire. We have one of the largest expert-level engineering teams delivering the full spectrum of IT services and solutions, from cloud to infrastructure, collaboration to contact center. Our highly-certified engineers and process-oriented excellence have certainly been key to our success. But what really sets us apart is our straightforward and honest approach to every conversation, whether it is for an emerging business or global enterprise. Our customers rely on our thought leadership, responsiveness, and dedication to solving their toughest technology challenges.


For Further Reading:

Using Cisco ACI and VMware NSX Together
