Cisco ACI and VMware NSX are the two dominant data center SDN platforms, but they solve fundamentally different problems. ACI is a hardware-integrated fabric that manages both physical and virtual infrastructure through an application-centric policy model. NSX is a hypervisor-based overlay that virtualizes networking entirely in software. In 2026, the landscape has shifted dramatically — Broadcom's acquisition of VMware has disrupted NSX licensing, while ACI continues to deepen its VXLAN EVPN integration.
TL;DR: ACI and NSX aren't really competitors — they operate at different layers and many enterprises run both. But the Broadcom pricing shakeup is pushing organizations to lean harder on their Cisco fabric investment, making ACI architecture skills more valuable than ever.
## Architecture: Two Fundamentally Different Approaches
The simplest way to understand the difference: NSX virtualizes the network from the hypervisor up. ACI builds the network from the hardware down.
### Cisco ACI Architecture

```text
         ┌─────────────┐
         │    APIC     │ ← Centralized policy controller
         │  (Cluster)  │   Defines tenants, EPGs, contracts
         └──────┬──────┘
                │ OpFlex
      ┌─────────┴───────────┐
┌─────┴─────┐         ┌─────┴─────┐
│   Spine   │         │   Spine   │ ← VXLAN EVPN fabric
│ (N9K-9500)│         │ (N9K-9500)│
└─────┬─────┘         └─────┬─────┘
   ┌──┴─────┐            ┌──┴─────┐
┌──┴───┐ ┌──┴───┐     ┌──┴───┐ ┌──┴───┐
│ Leaf │ │ Leaf │     │ Leaf │ │ Leaf │ ← Policy enforcement
│(N9K) │ │(N9K) │     │(N9K) │ │(N9K) │   at the switch port
└──┬───┘ └──┬───┘     └──┬───┘ └──┬───┘
   │        │            │        │
[Servers] [VMs]      [Servers] [Bare Metal]
```
Key ACI concepts:
- APIC — the brain. 3-node cluster defining all policy.
- Tenants — logical isolation containers (like VRFs on steroids)
- EPGs (Endpoint Groups) — security zones. Endpoints classified by VLAN, IP, or VMM integration
- Contracts — rules governing which EPGs can communicate. Default: deny all between EPGs
- OpFlex — protocol between APIC and leaf switches for policy distribution
ACI runs on Nexus 9000 hardware in ACI mode. The fabric is a VXLAN EVPN spine-leaf topology on which APIC overlays its policy model. Physical servers, VMs, containers, and bare-metal nodes all live under the same policy framework.
### VMware NSX Architecture

```text
┌─────────────────────────────────────────┐
│ NSX Manager (Cluster)                   │ ← Management + control plane
└──────────────────┬──────────────────────┘
                   │
┌──────────────────┼──────────────────────┐
│ Transport Zone (Overlay Network)        │
│                                         │
│ ┌──────────┐  ┌──────────┐  ┌────────┐  │
│ │ESXi Host │  │ESXi Host │  │ESXi    │  │
│ │┌────────┐│  │┌────────┐│  │┌──────┐│  │
│ ││N-VDS   ││  ││N-VDS   ││  ││N-VDS ││  │ ← Distributed virtual switch
│ ││┌──┐┌──┐││  ││┌──┐┌──┐││  ││┌──┐  ││  │
│ │││VM││VM│││  │││VM││VM│││  │││VM│  ││  │
│ ││└──┘└──┘││  ││└──┘└──┘││  ││└──┘  ││  │
│ ││  DFW   ││  ││  DFW   ││  ││ DFW  ││  │ ← Distributed Firewall
│ │└────────┘│  │└────────┘│  │└──────┘│  │   in kernel
│ └──────────┘  └──────────┘  └────────┘  │
└─────────────────────────────────────────┘
        │             │            │
┌───────┴─────────────┴────────────┴───────┐
│ Any Physical Network Underlay           │ ← Hardware-agnostic
│ (Cisco, Arista, Juniper, anything)      │
└─────────────────────────────────────────┘
```
Key NSX concepts:
- NSX Manager — centralized management/control plane (3-node cluster)
- Segments — L2 overlay networks (GENEVE encapsulation, not VXLAN)
- Distributed Firewall (DFW) — stateful firewall in the hypervisor kernel at every VM's vNIC
- Tier-0/Tier-1 Gateways — distributed routing between segments
NSX runs entirely in software on the hypervisor. The physical underlay can be anything.
## Head-to-Head Comparison
| Category | Cisco ACI | VMware NSX |
|---|---|---|
| Deployment model | Hardware + software (Nexus 9000 required) | Software-only (any underlay) |
| Controller | APIC (3-node cluster) | NSX Manager (3-node cluster) |
| Encapsulation | VXLAN | GENEVE |
| Policy scope | Physical + virtual + container + bare-metal | Virtual workloads (VMs + containers) |
| Microsegmentation | EPG/ESG contracts at fabric level | Distributed Firewall at hypervisor kernel |
| Multi-site | ACI Multi-Site with VXLAN EVPN BGW | NSX Federation |
| Automation API | REST API + Terraform + Ansible + Python SDK | REST API + Terraform + Ansible + PowerCLI |
| Hypervisor support | VMware, Hyper-V, KVM, bare-metal | VMware vSphere (primary), KVM (limited) |
| Hardware lock-in | Yes (Nexus 9000 only) | No (any physical underlay) |
| Licensing model (2026) | Perpetual + subscription options | Subscription-only (Broadcom bundles) |
## Microsegmentation: Different Layers, Different Strengths
This is the most debated topic in ACI vs NSX discussions. Both platforms offer microsegmentation, but they enforce it at different layers.
### ACI: Fabric-Level Enforcement

ACI enforces policy at the leaf switch TCAM using Endpoint Security Groups (ESGs) or traditional EPG contracts:

```text
Tenant: Production
├── VRF: Prod-VRF
├── App Profile: ERP-App
│   ├── EPG: Web-Tier (VLAN 100)
│   ├── EPG: App-Tier (VLAN 200)
│   └── EPG: DB-Tier (VLAN 300)
└── Contracts:
    ├── Web-to-App: permit HTTPS (tcp/443)
    ├── App-to-DB: permit SQL (tcp/1433)
    └── Web-to-DB: implicit deny (no contract)
```
ACI's strength: physical and virtual endpoints under the same policy.
### NSX: Hypervisor-Level Enforcement

NSX's DFW runs in the ESXi kernel, inspecting every packet at the VM's virtual NIC:

```text
NSX Security Policy:
Group: Web-Servers (tag: role=web)
├── Allow: HTTPS from Any
├── Allow: SSH from Jump-Box group
└── Deny: All other inbound
Group: DB-Servers (tag: role=database)
├── Allow: SQL from App-Servers group only
└── Deny: All other
```
NSX's strength: VM-granular enforcement without touching the physical network.
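The two policy trees above decide the same question (is this flow allowed?) with different semantics: ACI has no ordered rule list, an EPG pair talks only if a contract between consumer and provider carries a matching filter and everything else hits the implicit deny; the DFW walks an ordered rule set at the vNIC, resolves groups from VM tags, and stops at the first match. The following simulation, added here as an example and not code from the article or from either vendor, encodes both sample policies and evaluates the same constructed flows against each. The IP addresses, the VM inventory, the jump box's tag and the "default rule" constant are assumptions made for the example; EPG names, groups, tags and ports come from the article's policy trees.

```python
"""Added example: simulate ACI contract and NSX DFW decisions side by side."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


# ---------------------------------------------------------------- ACI model
# endpoint -> EPG classification (addresses are constructed for the example)
ACI_EPG_OF = {
    "10.0.100.10": "Web-Tier",   # VLAN 100
    "10.0.200.10": "App-Tier",   # VLAN 200
    "10.0.30.10": "DB-Tier",     # VLAN 300
}
# contract name -> (consumer EPG, provider EPG, filter entries)
ACI_CONTRACTS = {
    "Web-to-App": ("Web-Tier", "App-Tier", {("tcp", 443)}),
    "App-to-DB": ("App-Tier", "DB-Tier", {("tcp", 1433)}),
}


def aci_permits(flow: Flow) -> bool:
    """True only if a contract consumed by the source EPG and provided by the
    destination EPG has a filter entry for the flow; otherwise implicit deny."""
    src_epg, dst_epg = ACI_EPG_OF.get(flow.src), ACI_EPG_OF.get(flow.dst)
    if src_epg is None or dst_epg is None:
        return False            # unclassified endpoint: no EPG, no contract
    if src_epg == dst_epg:
        return True             # intra-EPG traffic is permitted by default
    for consumer, provider, entries in ACI_CONTRACTS.values():
        if (consumer, provider) == (src_epg, dst_epg) and (flow.proto, flow.dport) in entries:
            return True
    return False


# -------------------------------------------------------------- NSX DFW model
# VM inventory (constructed): name -> (IP, tags)
NSX_VMS = {
    "web01": ("10.0.100.10", {"role=web"}),
    "app01": ("10.0.200.10", {"role=app"}),
    "db01": ("10.0.30.10", {"role=database"}),
    "jump01": ("10.0.250.10", {"role=jump"}),     # assumed tag for the Jump-Box group
}
NSX_GROUPS = {"Web-Servers": "role=web", "App-Servers": "role=app",
              "DB-Servers": "role=database", "Jump-Box": "role=jump"}
# ordered rules: (applied-to group, source group or "Any", proto, port, action)
NSX_RULES = [
    ("Web-Servers", "Any", "tcp", 443, "ALLOW"),
    ("Web-Servers", "Jump-Box", "tcp", 22, "ALLOW"),
    ("Web-Servers", "Any", None, None, "DROP"),
    ("DB-Servers", "App-Servers", "tcp", 1433, "ALLOW"),
    ("DB-Servers", "Any", None, None, "DROP"),
]
# Assumed: the trailing default rule is left at its shipped value (allow);
# hardened deployments flip it to drop.
NSX_DEFAULT_ACTION = "ALLOW"


def _tags_of(ip: str) -> set:
    return next((tags for addr, tags in NSX_VMS.values() if addr == ip), set())


def _in_group(tags: set, group: str) -> bool:
    return group == "Any" or NSX_GROUPS[group] in tags


def nsx_permits(flow: Flow) -> bool:
    """Walk the rules at the destination VM's vNIC; first match wins.
    (The real DFW also evaluates the source vNIC; the inbound view is enough
    to reproduce the sample policy.)"""
    src_tags, dst_tags = _tags_of(flow.src), _tags_of(flow.dst)
    for applied_to, source, proto, port, action in NSX_RULES:
        if not _in_group(dst_tags, applied_to) or not _in_group(src_tags, source):
            continue
        if proto is not None and (proto, port) != (flow.proto, flow.dport):
            continue
        return action == "ALLOW"
    return NSX_DEFAULT_ACTION == "ALLOW"


# constructed flows: the article's three tiers plus the jump box
SAMPLE_FLOWS = [
    Flow("10.0.100.10", "10.0.200.10", "tcp", 443),    # Web -> App HTTPS
    Flow("10.0.200.10", "10.0.30.10", "tcp", 1433),    # App -> DB SQL
    Flow("10.0.100.10", "10.0.30.10", "tcp", 1433),    # Web -> DB: no contract, DFW drop
    Flow("10.0.250.10", "10.0.100.10", "tcp", 22),     # Jump -> Web SSH
]


def compare(flows=SAMPLE_FLOWS):
    """Return [(flow, aci_decision, nsx_decision)]; a mismatch between the two
    columns is the kind of drift to look for when both platforms enforce."""
    return [(f, aci_permits(f), nsx_permits(f)) for f in flows]


if __name__ == "__main__":
    for f, aci, nsx in compare():
        verdict = lambda ok: "permit" if ok else "deny"
        print(f"{f.src:>12} -> {f.dst:<12} {f.proto}/{f.dport:<5} ACI={verdict(aci):6} NSX={verdict(nsx)}")
```

Running it shows the two platforms agreeing on the three tiers and disagreeing on the jump box: the DFW policy names a Jump-Box group, but the ACI tree has no EPG or contract for it, so the fabric denies that flow. That is exactly the gap to check for when microsegmentation is split across both layers.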
## When Each Wins
| Scenario | Winner | Why |
|---|---|---|
| VM-to-VM security within vSphere | NSX | DFW operates at kernel, follows vMotion |
| Mixed physical + virtual policy | ACI | Unified policy across all endpoint types |
| Zero-trust within a single hypervisor cluster | NSX | Granular per-vNIC enforcement |
| Multi-vendor DC fabric security | NSX | Hardware-agnostic overlay |
| Cisco-only shop with bare-metal + VMs | ACI | Single policy domain for everything |
| Running both together | Both | ACI underlay + NSX overlay is officially supported |
Many enterprises run both. Cisco publishes an official design guide for deploying NSX-T on ACI fabric.
## The 2026 Elephant: Broadcom's VMware Acquisition
The biggest change to this comparison in 2026 isn't technical — it's financial.
Broadcom completed its $69B acquisition of VMware in November 2023, and by 2026 the licensing landscape is thoroughly disrupted:
- Perpetual licenses eliminated — all VMware products moved to subscription-only
- Product bundling enforced — NSX is part of VMware Cloud Foundation (VCF), not available standalone for new customers
- Minimum core requirements — 72-core licensing minimum per site
- Price increases of 2–10x reported by many customers
Real consequences:
- Some enterprises are deepening ACI investment instead of renewing NSX
- Others are exploring open-source alternatives like OVN/OVS
- Hybrid environments persist but budget pressure makes "both" harder to justify
- ACI expertise becomes more valuable, because organizations that reduce NSX scope need stronger ACI policy design
## Automation and API Comparison
Both platforms offer robust automation.
### ACI Automation (Python SDK)

```python
# ACI Python SDK (Cobra) — create an EPG
import os

from cobra.mit.access import MoDirectory
from cobra.mit.request import ConfigRequest
from cobra.mit.session import LoginSession
from cobra.model.fv import AEPg, RsBd

# Credentials come from the environment, not the source file;
# secure=True keeps TLS certificate validation on.
session = LoginSession("https://apic.lab.local", os.environ["APIC_USER"],
                       os.environ["APIC_PASS"], secure=True)
moDir = MoDirectory(session)
moDir.login()

# Build the EPG under the Production tenant's ERP-App application profile
apDn = "uni/tn-Production/ap-ERP-App"
epg = AEPg(apDn, name="New-Web-Tier")
rsBd = RsBd(epg, tnFvBDName="Web-BD")   # bind the EPG to its bridge domain

# Cobra commits a ConfigRequest, not a bare managed object
cfg = ConfigRequest()
cfg.addMo(epg)
moDir.commit(cfg)
moDir.logout()
```
ACI also supports: Terraform (cisco/aci), Ansible (cisco.aci), REST API, and Cloud Network Controller for AWS/Azure.
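The Cobra snippet above creates an EPG; the contract model from the microsegmentation section (filter, contract, subject, and the provider/consumer relations on the EPGs) is what most policy automation actually has to produce. The following is an added example, not code from the article, Cisco, or the Cobra SDK: it builds the Web-to-App HTTPS contract from the article's sample tenant as plain APIC REST payloads and pushes them with `requests`. The class and attribute names (`vzFilter`, `vzEntry`, `vzBrCP`, `vzSubj`, `vzRsSubjFiltAtt`, `fvRsProv`, `fvRsCons`, `aaaLogin`) are the real APIC REST classes; the APIC URL, credentials and CA bundle are placeholders read from environment variables that this example defines.

```python
"""Added example: build and push an ACI contract through the APIC REST API."""
import os


def filter_payload(name: str, proto: str, port: int) -> dict:
    """vzFilter with one vzEntry matching a single destination port."""
    return {"vzFilter": {
        "attributes": {"name": name},
        "children": [{"vzEntry": {"attributes": {
            "name": f"{proto}-{port}", "etherT": "ip", "prot": proto,
            "dFromPort": str(port), "dToPort": str(port)}}}]}}


def contract_payload(name: str, filter_name: str) -> dict:
    """vzBrCP (contract) with a single subject referencing the filter."""
    return {"vzBrCP": {
        "attributes": {"name": name, "scope": "context"},   # VRF-scoped
        "children": [{"vzSubj": {
            "attributes": {"name": "subj"},
            "children": [{"vzRsSubjFiltAtt": {
                "attributes": {"tnVzFilterName": filter_name}}}]}}]}}


def epg_relation_payload(epg: str, contract: str, role: str) -> dict:
    """fvRsProv (provider) or fvRsCons (consumer) relation on an existing EPG;
    posting an fvAEPg with only a relation child merges it into the EPG."""
    rel = {"provider": "fvRsProv", "consumer": "fvRsCons"}[role]
    return {"fvAEPg": {"attributes": {"name": epg},
                       "children": [{rel: {"attributes": {"tnVzBrCPName": contract}}}]}}


def build_web_to_app(tenant: str = "Production", app: str = "ERP-App") -> list:
    """Return ordered [(apic_path, payload)] for the article's Web-to-App contract.
    Filter and contract are tenant-level objects; the relations hang off the
    EPGs inside the application profile. Order matters: the filter must exist
    before the subject references it, and the contract before the EPGs bind it."""
    tn = f"/api/mo/uni/tn-{tenant}.json"
    ap = f"/api/mo/uni/tn-{tenant}/ap-{app}.json"
    return [
        (tn, filter_payload("https", "tcp", 443)),
        (tn, contract_payload("Web-to-App", "https")),
        (ap, epg_relation_payload("App-Tier", "Web-to-App", "provider")),
        (ap, epg_relation_payload("Web-Tier", "Web-to-App", "consumer")),
    ]


def apic_login(base_url: str, user: str, password: str, ca_bundle: str):
    """Authenticate via aaaLogin; the APIC-cookie token stays in the session.
    TLS verification is left on and pinned to the fabric's CA bundle."""
    import requests   # imported here so the payload builders run without it
    s = requests.Session()
    s.verify = ca_bundle
    r = s.post(f"{base_url}/api/aaaLogin.json",
               json={"aaaUser": {"attributes": {"name": user, "pwd": password}}})
    r.raise_for_status()
    return s


def push(session, base_url: str, steps: list) -> list:
    """POST each payload in order and return the HTTP status codes."""
    codes = []
    for path, payload in steps:
        r = session.post(base_url + path, json=payload)
        r.raise_for_status()          # stop at the first rejected object
        codes.append(r.status_code)
    return codes


if __name__ == "__main__":
    # Placeholders: APIC_URL, APIC_USER, APIC_PASS and APIC_CA are assumed
    # environment variables for this example.
    base = os.environ["APIC_URL"]
    sess = apic_login(base, os.environ["APIC_USER"], os.environ["APIC_PASS"],
                      os.environ["APIC_CA"])
    print(push(sess, base, build_web_to_app()))
```

Because the payload builders are pure functions, the object tree can be diffed or unit-tested before anything touches the fabric, and the same four steps map one-to-one onto the `aci_filter`, `aci_contract`, `aci_contract_subject` and `aci_epg_to_contract` modules in the `cisco.aci` Ansible collection mentioned above.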
### NSX Automation (REST API)

```python
# NSX-T REST API — create a segment
import os
import requests

url = "https://nsx-manager.lab.local/policy/api/v1/infra/segments/web-segment"
payload = {
    "display_name": "Web-Segment",
    "subnets": [{"gateway_address": "10.10.10.1/24"}],
    "transport_zone_path": "/infra/sites/default/enforcement-points/default/transport-zones/overlay-tz"
}
# Credentials come from the environment; verify= points at the NSX Manager's
# CA bundle rather than disabling certificate validation with verify=False.
response = requests.put(url, json=payload,
                        auth=(os.environ["NSX_USER"], os.environ["NSX_PASS"]),
                        verify=os.environ.get("NSX_CA_BUNDLE", True))
response.raise_for_status()
print(response.status_code)
```
NSX supports Terraform (vmware/nsxt), Ansible, and PowerCLI.
## Market Reality: Where the Jobs Are (2026)
| Skill | % of DC Engineer Listings | Salary Premium |
|---|---|---|
| Cisco ACI | 65% | +15% over base DC salary |
| VXLAN EVPN | 55% | +12% |
| VMware NSX | 35% | +8% |
| Both ACI + NSX | 20% | +22% |
| Terraform/Ansible for DC | 40% | +18% |
ACI appears in nearly twice as many job listings as NSX. But engineers who know both command the highest premium — a 22% salary bump.
The VXLAN market is projected to grow from $1.6B (2024) to $3.2B by 2029 at 15% CAGR. AI workloads are the primary driver — every new GPU cluster needs VXLAN EVPN fabric.
## The Bottom Line
| If you are... | Focus on... | Why |
|---|---|---|
| Working DC engineer | Both | Real-world environments often run both |
| Career switcher into DC | ACI first | More job listings, higher premium |
| Security-focused | NSX DFW + ACI ESG | Microsegmentation is everywhere |
| Automation-focused | ACI APIs + Terraform | Fastest path to high-paying DC roles |
## FAQ

### What is the main difference between Cisco ACI and VMware NSX?
ACI is hardware-integrated SDN (Nexus 9000 + APIC) managing physical + virtual workloads. NSX is hypervisor-based, hardware-agnostic, running entirely in software.
### Can they run together?
Yes. ACI provides the physical fabric underlay; NSX handles hypervisor-level microsegmentation. Cisco publishes an official design guide.
### Which is better for microsegmentation?
Different layers. NSX DFW runs in the hypervisor kernel (VM-granular, follows vMotion). ACI EPG/ESG enforces at the fabric switch level (physical + virtual). NSX wins pure VM-to-VM; ACI wins unified policy.
### How has Broadcom affected NSX in 2026?
Perpetual licenses gone, NSX bundled into VCF subscription-only, 2–10x price increases reported. Driving enterprises to deepen ACI investment or explore open-source alternatives.
Originally published at firstpasslab.com. For more data center networking deep dives, check us out there.
🤖 AI Disclosure: This article was adapted from the original with AI assistance. All technical content, architecture comparisons, and market data were researched and verified by the FirstPassLab engineering team.