Could the Next SDN Battleground be the Branch?

It’s hard to see the VMworld show as anything other than a VMware-versus-Cisco extravaganza, partly of course because that’s how it tends to be portrayed in coverage.  Underneath, there is surely good reason to see the networking developments in particular as being contra-Cisco, but I wonder whether there’s more to it.  Cisco might be collateral damage here, not the target of VMware’s positioning.  In fact, some of VMware’s allies may be as much at risk as their enemies.

Years ago, when talking about the Cisco-Juniper rivalry (the vogue at the time, now old news given Juniper’s decline in influence) I noted that all of the tea leaves were aligning to predict a data-center-driven future.  That meant that whoever could take a decisive position there would have unusually strong influence over buyers.  At the time, servers were the markers for data center market participation and Cisco was getting into them with UCS.  Juniper, I said, had to get going to make the network the driver.

Today it’s a bit different.  There’s also been a decades-long rivalry between networking and IT to define the critical boundary between the two as we move into a future where everything seems to be cloud-based.  VMware is IT, and Cisco is networking.  But VMware doesn’t have servers, so they face a challenge similar to that of Juniper in the past—how do you drive the data center without servers?  The answer, obviously, is software.  Data center software, built around virtualization, has given VMware a seat at the strategic table.

Whose seat did they take?  Or seats.  The thing about VMware’s data center software positioning is that it’s necessarily hardware-commoditizing.  If you don’t make servers you hardly want to picture them as the center of the IT universe.  What you try to do is to make the features of the data center of the future hardware-agnostic so you can sell onto any convenient platform.  Virtualization happens to be the perfect path toward that goal since it creates virtual servers.  The natural strategy of VMware is the right one, which is a very lucky situation to be in these days.

One of the vulnerabilities of VMware is still that IT/network boundary.  Juniper didn’t seize the initiative years ago, but neither did Cisco.  For an IT player like VMware, the obvious strategy in networking is to follow the same virtualization-driven-and-hardware-anonymizing approach that works for servers, which is exactly what NSX and EVO: RAIL are doing for them.  Virtualize the network; that’s the solution that software/IT providers have to see as the right one.

Considered in this light, Cisco has the right approach with ACI.  If the border is the war zone, you fight in the border area, not down in the interior.  Cisco’s challenge with ACI isn’t that they don’t know the right answer or the right place to apply it, but that they don’t want to see the underlying network anonymized.  Their problem, and the failure of ACI in my view, is that Cisco needs to protect network infrastructure from anonymization by providing a better way to implement virtualization at the network level.  I think they intend their policy-by-zone approach to be that, but they’re dragging their feet in getting it out.

VMware’s approach is simple (which is why it’s dangerous).  They’ve started with the simple Nicira overlay SDN model and added a lot of meat to it, with what I think is the ultimate goal of making NSX into the service and application network layer of the future.  They don’t want to build Level 4, they want to build “Level 3a”, to add a layer or sublayer to OSI that replaces current hardware-coupled Level 3 as the basic network service.  This then elevates the application features of networking to the new layer, and that disintermediates the hardware below.  It’s the SDN model I advocated in a previous blog, though it’s not yet complete in that NSX is still locked in the data center.

Network segmentation a la Nicira is valuable for the public cloud because of multi-tenancy.  It’s less valuable for the enterprise because they are only one tenant.  The new NSX enhancements and the EVO: RAIL stuff are obviously aimed at making VMware and NSX more useful to enterprises, but there’s still a missing ingredient.

Enterprise segmentation has to be based on some logical division of network resources, and in the enterprise that division would be by application.  Application-specific networks are great in one sense; they allow you to apply different QoS rules and impose different access rules.  But you have to have access, meaning that you have to somehow get the user into the process.  This is where things are harder for VMware and potentially easier for Cisco.  If you can extend your SDN model to the user, you can provide the true overlay network.  If you don’t, then you are still covering just a piece of the proverbial elephant with a skimpy (for the enterprise) blanket.

The problem is that a true end-to-end overlay architecture for SDN could be enormously disruptive to the networking market.  Alcatel-Lucent has a model that’s close to the right thing in Nuage, but their positioning of it suggests either a lack of verve and flair or a subliminal desire to avoid rocking the switch/router boat too much.  IP is a strong spot in their portfolio after all.  So it would still be possible for Cisco to go out and beat the drum, at least in the sense that nobody else is leading the parade.  Does Cisco want to lead here, though?  Probably it’s at least as ambivalent as Alcatel-Lucent may be.

Which takes us back to VMware.  To make their vision the market leader, VMware has to get NSX out of the data center and into the branch.  That means that VMware has to virtualize the branch just as they virtualized the data center.  That means articulating a compelling vision of just what’s out there to be virtualized and how it could be done.  Technically, it means somehow getting a software foot in the door of the branch because you can’t create an overlay network if you can’t place an element of that network where you need to be.  VMware is in the data center; they need to be in the branch too.

And Cisco and other network vendors have to keep them out, the only strategy for which is to get there first with overwhelming force.  So while the data center is the focus of the network in most ways, the branch may be its strategic focus.