Data Center Fabric Controller Comparison: Cisco ACI APIC vs Juniper Apstra vs Arista CloudVision vs HPE Aruba Fabric Composer

Juniper Apstra is the only controller in this comparison designed as a multi-vendor intent engine. Apstra 5.x qualified versions include Juniper QFX (Junos), Cisco Nexus (NX-OS, with TCAM carving prerequisite), Arista EOS 4.28.7.1M, Dell SONiC, and Dell EMC Z9432F-ON. Third-party (non-Juniper) fabrics require the Premium license tier.

Cisco ACI APIC manages only Cisco Nexus 9000 ACI-mode switches.

HPE Aruba Fabric Composer manages only AOS-CX. Arista CloudVision’s full intent and Studios are Arista-native; multi-vendor reach is through CV UNO streaming SNMP and flow data from third-party devices for observability only.

Juniper Apstra ships 3-stage IP Clos, 5-stage Clos, collapsed fabric, and Freeform across licensing tiers per Juniper product documentation. Cisco ACI APIC supports stretched fabric, Multi-Pod (single APIC across pods via MP-BGP EVPN on the IPN), Multi-Site (multiple APIC clusters via Nexus Dashboard Orchestrator), and Remote Leaf.

Arista CloudVision Studios include built-in L3 leaf-spine and EVPN Studios plus user-defined Studios for custom topologies. HPE Aruba Fabric Composer supports EVPN-VXLAN spine-and-leaf, Two-Tier, and multi-fabric EVPN-VXLAN per the HPE Aruba Validated Solution Guides.

Juniper Apstra’s Time Voyager allows versioned rollback to any previous intent state, with continuous validation ensuring deployed state matches intent. Arista CloudVision offers network-wide change control workflows, snapshot-based rollback, and automated upgrades with rollback. Cisco ACI APIC supports configuration snapshots via export / import, plus pre-change analysis through Nexus Dashboard Insights. HPE Aruba Fabric Composer supports versioned config and rollback per switch plus pre-apply validation against the reference model.

Cisco ACI APIC is the most mature — the ACI CNI plugin delivers distributed routing and switching with VXLAN overlays, hardware-accelerated load balancing for external LoadBalancer services, and a per-cluster VMM domain. The ACI CNI is supported on Red Hat OpenShift and vanilla Kubernetes. Juniper’s container networking is handled by Cloud-Native Contrail Networking, a separate product from Apstra.

Arista integrates with Kubernetes observability via CV UNO and offers EOS-native Cluster Load Balancing.

HPE Aruba Fabric Composer surfaces K8s workloads through infrastructure integration packs and provides distributed policy at the VTEP via Pensando DPU on CX 10000.

Arista CloudVision is telemetry-first — TerminAttr streams all EOS operational state over gRPC into the Network Data Lake (NetDL), eliminating SNMP polling. Cisco ACI exposes APIC health scores and fault codes, with streaming telemetry and flow analytics added by Nexus Dashboard Insights (NDI). Juniper Apstra provides intent-time analytics across all tiers, with streaming telemetry and Root-Cause Identification on Advanced and Premium. HPE Aruba Fabric Composer streams real-time telemetry from AOS-CX, with unified data-center + campus visibility through HPE Aruba Central NetConductor.

Cisco ACI APIC runs as a 3-, 5-, or 7-node quorum-based cluster (minimum 3 active) of physical appliances, with Virtual APIC as an option on VMware ESXi. Juniper Apstra runs as a single Apstra server or HA cluster. Arista CloudVision Portal (on-prem) runs single-node or 3-node HA; CVaaS is multi-tenant SaaS without customer-managed clustering. HPE Aruba Fabric Composer installs as self-contained ISO or OVA, single instance or 3-node HA cluster on virtual or physical hosts.

SOC 2 and ISO 27001 are typically controller-plane attestations rather than per-SKU certificates. Cisco’s Trust Portal publishes SOC, FedRAMP, ISO, and C5 attestations across the product portfolio — specific APIC and Nexus Dashboard scope is verifiable there. Juniper publishes compliance via the Pathfinder Compliance Advisor; Apstra-specific certificate coverage should be confirmed with Juniper’s compliance team.

Arista publishes compliance documentation for CloudVision-as-a-Service via its product certifications index — procurement teams should request the CVaaS-specific attestation.

HPE maintains enterprise-scale SOC 2 and ISO 27001 programs; Fabric Composer scope is verifiable through HPE Trust Center. FedRAMP, StateRAMP, and FIPS scopes vary by product and should be verified on a per-controller basis before procurement.

Cisco ACI uses tiered DCN licenses — Essentials, Advantage, Premier. Multi-Site requires Advantage or higher. Subscription (3 / 5 / 7 years) or perpetual (Essentials / Advantage only, not Premier). Juniper Apstra uses a three-tier Flex model — Standard, Advanced, Premium — per managed device, 1 / 3 / 5 / 7 years; non-Juniper fabrics require Premium.

Arista CloudVision is per-device subscription for CVP and CVaaS; CV UNO is a premium CVaaS feature.

HPE Aruba Fabric Composer is an annual per-switch subscription, separate from AOS-CX switch licensing. Procurement teams should request current pricing and the controller’s dependency chain on base switch subscription licenses for total cost comparison.

AI back-end networks are typically non-blocking 1:1 oversubscribed RoCE / InfiniBand fabrics with different operational requirements than general-purpose east-west enterprise DC. For the AI-back-end front-end and storage network, all four controllers manage the EVPN-VXLAN underlay competently. Arista CloudVision is deployed by multiple hyperscalers and AI cloud operators. Juniper Apstra brings vendor-neutral flexibility. See AI-ready infrastructure for platform-specific guidance on GPU cluster fabric design, and the 400G data center leaf comparison for the switch hardware underneath.

Cisco Nexus Dashboard Fabric Controller (NDFC, formerly DCNM) is a multi-fabric / multi-vendor capable controller for standards-based EVPN-VXLAN, classic LAN, and FCoE / SAN fabrics running NX-OS. It manages customer-owned config on standard Nexus 9000 platforms running NX-OS.

ACI APIC manages only Cisco Nexus 9000 switches in ACI-mode (a Cisco-proprietary fabric mode using VXLAN data plane with ACI policy engine). APIC policy uses EPGs (Endpoint Groups), contracts, and application profiles — a declarative model. NDFC and APIC are different architectural approaches — choose based on whether the fabric is ACI-mode (APIC) or NX-OS EVPN-VXLAN (NDFC).

CloudVision Portal (CVP) is Arista’s on-premises deployment — installed on customer hardware (single-node or 3-node HA) as a VM or container. CVP is the right fit for air-gapped environments, sovereignty-controlled deployments, or customers with no cloud egress mandate.

CloudVision-as-a-Service (CVaaS) is the Arista-hosted SaaS deployment with Arista running the operational plane. CV UNO (Universal Network Observability) is a premium CVaaS feature surfacing third-party device data. CVaaS removes the customer-operated controller burden but requires internet egress from the managed fleet. Federal / sovereignty buyers typically land on CVP on-prem.

Juniper Apstra 5.x ships 3-stage IP Clos, 5-stage Clos, collapsed fabric, and Freeform design patterns per Juniper Apstra documentation. The Clos patterns are the standard EVPN-VXLAN spine-leaf templates; Freeform is the unrestricted topology mode for customers with non-Clos requirements.

Apstra is the only controller in this comparison designed ground-up as a multi-vendor intent engine. Qualified NOS targets in Apstra 5.x include Juniper QFX (Junos), Cisco Nexus (NX-OS, with TCAM carving prereq), Arista EOS 4.28.7.1M, Dell SONiC, and Dell EMC Z9432F-ON. Third-party (non-Juniper) fabrics require the Apstra Premium license tier.

NVIDIA Cumulus Linux is the open-Linux NOS running on NVIDIA Spectrum switches and supported third-party silicon. NetQ is NVIDIA’s telemetry and fabric validation tool — it collects Cumulus agents’ data into a time-series database for query and anomaly detection.

NVIDIA Air is the digital-twin sandbox — a cloud-hosted lab that models a Cumulus fabric topology for pre-deployment testing, training, and what-if scenarios. The three are complementary: Cumulus Linux is the NOS, NetQ is the operational plane, Air is the pre-deployment validation lab. For NVIDIA Spectrum-X AI fabrics, all three typically appear together in the operational workflow.

Arista CloudVision Terraform provider (registry.terraform.io/providers/aristanetworks/cvp) has been in active maintenance since 2020, with resources for studios, configlets, device onboarding, and change control workflows. Cisco ACI Terraform provider (ciscodevnet/aci) has strong maturity for EPG, contract, tenant, and application-profile resources.

Cisco NDFC Terraform provider is available and supports fabric deployment, VRF, network, and switch inventory resources. Juniper Apstra Terraform provider (Juniper/apstra) ships comprehensive blueprint, rack, and device lifecycle resources. NVIDIA Cumulus has community Terraform modules via the NetQ API. Ansible module maturity generally matches Terraform maturity across all four ecosystems.

Imperative config directly instructs the device: “configure VLAN 100 on port 1/1/1 as access.” The controller becomes a CLI pusher. Intent-based config declares the desired state: “this rack should be in VRF Red with tenant segmentation” — the controller computes the device-level config needed to achieve that intent.

Intent-based: Juniper Apstra (native intent), Cisco ACI APIC (EPG declarative model), Arista CloudVision Studios (intent studios). Imperative: legacy DCNM / NDFC fabric builder mode, CLI + Ansible playbooks. The operational advantage of intent is drift detection and automatic remediation; the downside is a steeper learning curve for teams accustomed to CLI-centric operations.

Time Voyager rolls back the intent state in the Apstra database and then computes the device-level config delta needed to bring the fabric to that earlier state. Apstra pushes those device-level changes via standard NETCONF / gNMI / CLI — so yes, it rolls back hardware config, not just the database record.

The rollback is not a transactional commit on the switch itself — it is a re-derive + re-push workflow. This is why Apstra’s rollback is slower than a local Junos rollback commit (which commits the last candidate config atomically on a single device). For fabric-wide recovery, Time Voyager’s advantage is the intent model; for per-device fast recovery, native Junos rollback commit is faster.

Cisco ACI APIC supports stretched fabric, Multi-Pod (single APIC cluster across pods via MP-BGP EVPN on the inter-pod network), Multi-Site (multiple APIC clusters via Nexus Dashboard Orchestrator), and Remote Leaf. Cisco NDFC supports Multi-Site Domain (MSD) for stretched EVPN-VXLAN.

Juniper Apstra supports multi-blueprint with inter-fabric peering via DCI. Arista CloudVision supports multi-fabric management natively across a single CVP / CVaaS instance. For federated / multi-cluster scope, architecture differs per vendor — designs with more than 3 geographically distributed fabrics benefit from explicit DCI + BGP EVPN inter-fabric peering regardless of controller choice.

Juniper Apstra computes a delta between intent and live fabric state, simulates the config push, and shows anomalies without applying; Apstra’s staging environment lets operators preview intent-driven changes. Cisco Nexus Dashboard Insights (NDI) pre-change analysis models the impact of a proposed ACI config modification before APIC commits it.

Arista CloudVision Studios compile phase validates the rendered configlet against the fabric schema before any switch config changes. NVIDIA Air provides a full digital-twin sandbox — operators build the proposed change in Air, validate, then promote to production NetQ-managed Cumulus. Cisco NDFC runs fabric-consistency validation but does not offer a full simulation environment natively.

Cisco ACI EPG (Endpoint Group) is a logical grouping of endpoints in an application profile with a policy contract specifying allowed traffic between EPGs. Security is built into the fabric policy plane — EPGs communicate only when a contract exists.

Apstra segmentation uses VRF / virtual-network / security-zone primitives with explicit routing-policy. Cisco NDFC on NX-OS uses standard VRF / VLAN / anycast-gateway constructs plus VXLAN EVPN Type 5 for L3 segmentation. Arista CloudVision uses EVPN VRF + Arista Multi-Domain Segmentation Services (MSS) for tag-based segmentation. The four models differ in abstraction level, not in what traffic ultimately gets allowed or blocked.

Cisco: Ansible (cisco.nxos, cisco.aci, cisco.dcnm collections) is mature; pyATS (Cisco-native test automation framework) is first-class on NX-OS / ACI. Juniper: PyEZ (official Juniper Python library) plus Ansible juniper.device collection for Junos; Apstra Ansible collection for intent-level operations.

Arista: pyeapi (Arista-native Python client) plus Ansible arista.eos collection; extensive EOS SDK. NAPALM (Network Automation and Programmability Abstraction Layer with Multivendor support) covers Cisco NX-OS, Juniper Junos, and Arista EOS as first-class driver targets. NVIDIA Cumulus: Ansible cumulus_linux module plus NetQ CLI automation.

Cisco ACI APIC: security-domain-based RBAC with per-tenant / per-VRF / per-EPG granularity, plus read-only / admin / custom roles. Cisco NDFC: role-based access with fabric / switch / object-level permissions, integrated with LDAP / RADIUS / TACACS+.

Juniper Apstra: resource-level RBAC with per-blueprint, per-rack, per-design permissions. Arista CloudVision: studio-level, configlet-level, and device-level RBAC with SAML / LDAP integration. NVIDIA NetQ: per-role access to fabric views and API endpoints. All four support SAML federation for SSO integration with corporate IdPs.

NetBox (open-source IPAM/DCIM) integrates with all four controllers via the NetBox REST API — most common pattern is NetBox-as-source-of-truth driving fabric controller config via Ansible or Terraform. Nautobot is the Arista-sponsored NetBox fork with a plug-in architecture for direct controller integration (Nautobot plug-ins for Arista CloudVision).

For Cisco ACI + NetBox, the nautobot-plugin-device-onboarding and custom Ansible workflows are common. For Apstra + NetBox, Apstra’s API exports blueprint data consumable by NetBox. Custom CMDB integrations typically use Ansible or Terraform as the pipeline glue between CMDB and fabric controller.

Cisco ACI APIC orchestrates switch firmware upgrades per-maintenance-group with staged rollout; APIC itself upgrades as a controller cluster. Cisco NDFC supports ZTP switch onboarding plus staged image push. Juniper Apstra orchestrates OS upgrades per-rack / per-fabric with pre-change snapshots and rollback hooks.

Arista CloudVision runs automated image compliance, staged upgrade per-device / per-container, with hitless upgrade on supported platforms. NVIDIA NetQ validates post-upgrade state but does not directly orchestrate Cumulus Linux upgrades — that runs via Ansible or per-device apt upgrade with NetQ-validated post-checks.

Cisco ACI APIC: up to 1,200 leaf switches in a single fabric per the APIC scalability guide; 500 tenants, 24,000 EPGs, 500,000 endpoints. Cisco NDFC: up to 1,000 switches per fabric per the NDFC scalability guide. Juniper Apstra: up to 500 devices per blueprint per Apstra 5.x release notes.

Arista CloudVision CVP single instance: 2,500 devices per the Arista CloudVision sizing guide (single-node); higher scale via CVaaS multi-tenant. NVIDIA NetQ: scales horizontally per NetQ deployment architecture. Customers approaching ceilings should engage vendor sizing teams with specific workload data — published ceilings are upper bounds, not operational sweet spots.

Cisco ACI is the most mature — the ACI CNI plugin delivers distributed routing and switching with VXLAN overlays, hardware-accelerated load balancing for external LoadBalancer services, and per-cluster VMM domain. Supported on Red Hat OpenShift and vanilla Kubernetes.

Juniper’s container networking is handled by Cloud-Native Contrail Networking — a separate product from Apstra. Arista integrates with Kubernetes observability via CV UNO and offers EOS-native Cluster Load Balancing. NVIDIA Cumulus pairs with NVIDIA AI Enterprise stack for GPU-cluster networking. HPE Aruba Fabric Composer integrates via infrastructure integration packs and Pensando DPU at the VTEP.

Arista CloudVision Network Data Lake (NetDL) retains multi-year telemetry history at scale, with per-device retention policies configurable by operator; query response times on large fabrics (>500 devices) depend on NetDL hardware sizing — Arista publishes reference sizing for CVP on-prem.

Cisco Nexus Dashboard Insights typically retains 30-90 days of flow data by default with extended retention via tiered storage. Juniper Apstra retains intent-time analytics history per the deployed storage class. NVIDIA NetQ retention defaults are typically 30 days with configurable extensions. At multi-thousand-switch scale, retention planning drives storage sizing more than compute sizing.