On a recent VMware NSX ICM course an attendee asked “With NSX being released, is there any point reviewing and learning vCNS?”. I have been asked this a few times , so thought it would make a good summary post :>
Similar to NSX vCNS is a toolkit that enables the vAdmin with the ability to incorporate extensive network and security features within the virtualisation stack. Its not available as a separate SKU (any more) but is part of vCloud Suite. The latest version is inline with vSphere being v5.5.
Personally I would regard the vCNS suite as a useful addition to satisfy requirements and give users / other IT professionals insight to the vNetwork. While it is a stepping stone to NSX. vCNS allows a vAdmin to take substantially more control of the network and security space compared to dVS alone and impact provisioning times while maintaining the consistency that comes with some automation (templates, vApps etc) without going fully into SDDC.
In a recent design I have been working on , I recommended vCloud suite for network zoning, data security and aiding cloud bursting requirements. The company at has no SDDC requirement at present, but when implemented correctly the vCNS can be a precursor with an upgrade path for internal IT road-mapping if SDDC was needed at a later date (licence wise add ons can be purchased).
The ability to use load balancing, high security zones and a variety of network tools within the vSphere platform while keeping the physical network static proves useful for overall operational management, and a potentially more flexible cluster design (ie larger heterogeneous workload cluster -DMZ , Test, and production workloads running logically separated) without going fully SDDC or NV route. vCloud suite can also prove quite cost effective when DR requirements justify the use of SRM alongside the networking and security aspects.
vCNS vs NSX High Level Functionality Compared
| vCNS | NSX |
| Management Appliance – 1:1 with vCenterEasy UI | Management Appliance – 1:1 with vCenter, plus full Api |
| VXLAN Supported using a hypervisor kernal.Requires Multicast | VXLAN Supported using a hypervisor kernal.Does not require multicast to be enabled |
| Edge Service Gateway providingVPN – (site to site / SSL ), NAT, NLB, etcStatic Routing | Edge Service Gateway providingVPN – (site to site / SSL ), NAT, NLB, etcStatic and Dynamic routing |
| Virtual aware firewall (ie resource pool object) | Virtual aware Firewall (N/S) and kernal based granular to low level (ie domain users, VM tags – dynamic groups). |
| Routing via virtual guest machine device | hypervisor based router |
| Layer 2 bridging supported to physical | |
| Data security file scanning for keyword formats (ie health numbers, and card numbers) | Data security file scanning for keyword formats (ie health numbers, and card numbers) |
| vSphere 5.5 dvs features supported | vSphere 5.5 dvs features supported |
Same but different
From an logical perspective, the vCNS and NSX toolkits have similarities with virtual appliance based managers which serve as a management / API endpoints and deployment platforms. Both management platforms have a 1:1 relationship with a vCenter deployment (whiteboards below are from a class rather than visio’d – sorry :> )
 |
 |
| vCNS | NSX |
Both vCNS and NSX provide logical networks using hypervisor based VXLAN modules. Data compliance and A/V policies can be addressed with endpoint hypervisor modules / service 3rd party appliances , and data security functionality, while micro-segmentation is a distinct NSX advantage within the hypervisor – vShield app can satisfy a lot of enterprise requirements for internal project walls and potential vApp, resource pool, zones requirements (ie non persistent desktops using linked clones to a resource pool with a defined high security zone)
vCNS has a great track record and is proven technology being part of vCloud for quite some time. In the past I have been part of projects where the Edge device has undergone extensive penetration testing and the device has always powered through to production in a variety of application deployments.
In my opinion by understanding vCNS a VMware admin can start the network virtualisation journey and very quickly understand how the platform evolves into NSX. It has great ease of deployment and is a standalone management without the need for a cloud management platform (ie vCAC). The vCNS manager is used to deploy endpoint and solutions such as Trend deep security, the extra features of vCNS can be quickly learned from this GUI.
Also by understanding and studying for the VCP-NV certification , Skills for vCNS are very quickly transferred. NSX is the hot and fully functional platform for this area with vSphere, but for a lot of vAdmins vCNS can be a great starting block or answer to give businesses confidence in network virtualisation and highlight the benefits.