Is there any point – vCNS vs NSX-v

On a recent VMware NSX ICM course an attendee asked “With NSX being released, is there any point reviewing and learning vCNS?”. I have been asked this a few times, so thought it would make a good summary post :>

Similar to NSX, vCNS is a toolkit that gives the vAdmin the ability to incorporate extensive network and security features within the virtualisation stack. It is not available as a separate SKU (any more) but is part of the vCloud Suite. The latest version is in line with vSphere at v5.5.

Personally I would regard the vCNS suite as a useful addition to satisfy requirements and give users / other IT professionals insight into the vNetwork. While it is a stepping stone to NSX, vCNS allows a vAdmin to take substantially more control of the network and security space compared to dVS alone, and to improve provisioning times while maintaining the consistency that comes with some automation (templates, vApps etc.) without going fully into SDDC.

In a recent design I have been working on, I recommended vCloud Suite for network zoning, data security and aiding cloud-bursting requirements. The company has no SDDC requirement at present, but when implemented correctly vCNS can be a precursor with an upgrade path for internal IT road-mapping if SDDC is needed at a later date (licence-wise, add-ons can be purchased).

The ability to use load balancing, high-security zones and a variety of network tools within the vSphere platform while keeping the physical network static proves useful for overall operational management, and allows a potentially more flexible cluster design (i.e. a larger heterogeneous workload cluster with DMZ, test and production workloads running logically separated) without going fully down the SDDC or NV route. vCloud Suite can also prove quite cost effective when DR requirements justify the use of SRM alongside the networking and security aspects.

vCNS vs NSX High Level Functionality Compared

Management
  vCNS: Management appliance, 1:1 with vCenter, easy UI
  NSX:  Management appliance, 1:1 with vCenter, plus full API
VXLAN
  vCNS: VXLAN supported in the hypervisor kernel; requires multicast
  NSX:  VXLAN supported in the hypervisor kernel; does not require multicast to be enabled
Edge Service Gateway
  vCNS: VPN (site-to-site / SSL), NAT, NLB, etc.; static routing
  NSX:  VPN (site-to-site / SSL), NAT, NLB, etc.; static and dynamic routing
Firewall
  vCNS: Virtual-aware firewall (i.e. resource pool object)
  NSX:  Virtual-aware firewall (N/S) plus a kernel-based firewall, granular to a low level (i.e. domain users, VM tags, dynamic groups)
Routing
  vCNS: Routing via a virtual guest machine device
  NSX:  Hypervisor-based router
Layer 2 bridging
  NSX:  Layer 2 bridging supported to physical
Data security
  vCNS: File scanning for keyword formats (i.e. health numbers and card numbers)
  NSX:  File scanning for keyword formats (i.e. health numbers and card numbers)
dvs
  vCNS: vSphere 5.5 dvs features supported
  NSX:  vSphere 5.5 dvs features supported


Same but different

From a logical perspective, the vCNS and NSX toolkits have similarities: both use virtual-appliance-based managers which serve as management / API endpoints and deployment platforms. Both management platforms have a 1:1 relationship with a vCenter deployment (the whiteboards below are from a class rather than Visio'd – sorry :> )

[Whiteboard images: vcns_logical, NSX_logical]

Both vCNS and NSX provide logical networks using hypervisor-based VXLAN modules. Data compliance and A/V policies can be addressed with Endpoint hypervisor modules / third-party service appliances and the data security functionality. Micro-segmentation within the hypervisor is a distinct NSX advantage, but vShield App can satisfy a lot of enterprise requirements for internal project walls and potential vApp, resource pool and zone requirements (i.e. non-persistent desktops using linked clones to a resource pool within a defined high-security zone).

vCNS has a great track record and is proven technology, having been part of vCloud for quite some time. In the past I have been part of projects where the Edge device has undergone extensive penetration testing, and the device has always powered through to production in a variety of application deployments.

In my opinion, by understanding vCNS a VMware admin can start the network virtualisation journey and very quickly understand how the platform evolves into NSX. It is easy to deploy and is a standalone management platform without the need for a cloud management platform (i.e. vCAC). The vCNS Manager is used to deploy Endpoint and solutions such as Trend Deep Security, and the extra features of vCNS can be quickly learned from this GUI.

Also, by understanding and studying for the VCP-NV certification, skills for vCNS are very quickly transferred. NSX is the hot and fully functional platform for this area with vSphere, but for a lot of vAdmins vCNS can be a great starting block or answer to give businesses confidence in network virtualisation and highlight the benefits.