Cisco ACI Review

Integrates with multiple virtual environments, but native support for security is lacking


What is our primary use case?

The primary use case is in an environment where the customer has a very large virtual compute and a lot of physical compute as well - in terms of the number of servers - and a big heterogeneous firewall. They want to converge their racks where they have a physical firewall and a virtual firewall. They have their metal servers and VMware or Hyper-V VMs. This is the best use case. This is where ACI fits best because it can integrate the physical and virtual environments together within a single fabric. It can give a very good overview, an "aerial view" of your whole data center within your fabric. That's the best use case.

How has it helped my organization?

The improvement I have seen after ACI has been implemented is that companies that wanted to implement a service lifecycle of any services, or that wanted to do automation, really improved their deployment times. Once the fabric is up, then they can start doing so. Customers usually get confused and think that if they implement ACI then everything gets automated. No. That's a mistake. With ACI, you have to buy software, an automation orchestration tool like Ansible, UCSD, or vRealize - tools to automate.

The improvement is that when companies buy an automation tool with Cisco ACI, the deployment time, their designs, are really fast. 

Another improvement is that customers say that the performance is really good with their new network.

What is most valuable?

The best part of ACI is that it can integrate with a lot of virtual environments like VMware, Hyper-V, and KVM. That's the best feature that sticks out in my mind because I have worked with customers who were looking into different solutions. The biggest selling point for them, which finalized their choice of ACI, was that it supported both Microsoft and VMware.

What needs improvement?

Better troubleshooting features would be helpful. In ACI, it can be a big mess, a real headache to troubleshoot a single issue. Cisco should work on the troubleshooting part of ACI. The troubleshooting part, and the information that ACI gives you, sometimes don't give you a proper, inside picture of what's going on within the fabric.

We had an issue where the customer was not able to sync with the NTP server and we were not able to identify the problem. The NTP was just not talking to ACI. The troubleshooting part is a bit difficult in ACI, and I feel that it should have been improved long ago, but I don't know if they're working on it or not.

Also, they have the new designs for Multipod and Multi-Site. There are a lot of good features, like static storage connections. But I have seen some customers that faced issues with connecting the storage to the fabric.

For how long have I used the solution?

Three to five years.

What do I think about the stability of the solution?

The stability is good. Initially, it was not that good, but now it's really good with the new code.

What do I think about the scalability of the solution?

I would give the solution's scalability an eight out of ten. The scalability options are really good. You just connect the leaves to the spine and it comes up. The scalability is not an issue.

The biggest environment I've worked with has two spines with 16 leaves.

In terms of the number of users on it, initially it was really difficult for customers to adopt the new technology because it was a wholly new concept. Now, with time, and as ACI comes out with the new features, and the stability is really strong, the adoption is really good. According to Cisco engineers, they have customers who have gone up to 6,000 users.

Regarding the possibility of our customers' increasing their usage of ACI, we don't see that much indication of it, because what the customers are looking for is more along the lines of having their fabric be more redundant. One of the features engineers are looking for is the Endpoint Tracker, which has had some issues. It is not that user-friendly.

How are customer service and technical support?

I love their tech support. I would rate it at eight out of ten. It's really good with ACI. Even non-ACI support is really good. If you open a P1 case, an engineer comes online within ten to 15 minutes and starts doing the debugging and troubleshooting with you. 

I had an issue with their HyperFlex solution where the issue was more an interior design issue, and not a Cisco issue, but the tech came onto the call in 10 minutes and worked with me for six hours, non-stop, to fix the issue. They do it really slowly because they don't want to impact production. Otherwise, they could probably have done it in 15 to 20 minutes.

How was the initial setup?

The initial setup is really straightforward. Very easy.

In terms of implementation strategy, Cisco has a concept called the Zero Touch installation, where you just connect the fabric and it actually starts discovering its own fabric. The implementation strategy is to install ACI in a siloed environment first, set all the policies there, and then connect your existing network parallel to ACI so that the network has a redundant connection to ACI. Then you gradually move your network connections from the legacy to ACI. This is how Cisco recommends an implementation be done.

It usually doesn't take more than a week for all that, max. We usually do it with two people, and we do it very smoothly. Usually, when you bring the fabric up, you have to make a lot of policies, including software profiles and the like. That is time-consuming work, but once it's done you can just recall them again and again in the customer's environment. That's the only thing that we need two people for. After that, when you're done, a single engineer can migrate the network to ACI.

Maintenance of ACI is really easy, to decommission a leaf switch or a spine switch. When you decommission a switch from your existing ACI fabric, it's straightforward. In general one engineer is required for maintenance with a second engineer as a backup. Maintenance is really easy with ACI. Even if you're upgrading your fabric to new software, it's straightforward because they have built-in connections within the fabric. There is zero downtime. We have done it many times with zero downtime in a production environment.

What was our ROI?

One of our customers is a petroleum development company in the Middle East. They have seen very good ROI by implementing ACI. Their compute was relatively very new and their network was relatively very old. They saw very good ROI by having a very good, stable fabric that gives them very good response time on the network side.

The second part is that they wanted to implement a cloud solution which would support their existing Hyper-V and Microsoft. That was where the customer saw a good ROI on the investment. They were very happy with Cisco ACI.

What's my experience with pricing, setup cost, and licensing?

I'm not involved in the pricing part, but Cisco has come up with Smart Licensing, which is a bit higher. But now they're giving the customers very good discount rates to bring customers in.

Which other solutions did I evaluate?

We are using VMware NSX in our environment as well. We had a customer that was using both NSX and ACI in their environment.

The good thing about NSX is that it has really strong support for the virtualized environment. And now the security is an integral part of their network solution, with the Distributed Firewall and the Edge Firewall. But it has some of its own issues because in a virtual environment, when you have big data centers where there is a lot of traffic coming in from the routing site, it's usually not up to that mark. Cisco has better visibility into that. If I compare it with ACI, ACI has a very strong routing component, but it has its own shortcomings.

In terms of rating NSX, I'm going to be biased because I work in ACI. I like NSX as well; it is a great product. It has a lot of flexibility because you can use existing servers and install NSX on them and it works pretty well. I rate NSX at six out of ten. The reason I rate it a little bit less than ACI is because its only native, strong support is for VMware. ACI has native support for Hyper-V and VMware.

What other advice do I have?

Plan. Don't jump to a conclusion, plan it. You should first know your infrastructure and what your targets are, what you are trying to implement because, when you are more security focused, Cisco ACI can give you a tough time in implementation. If you are more into converging your fabric, if you want your data center to be very converged into a single fabric with fast convergence times, go for ACI. There are different use cases based on what the customer's priorities are. So plan well, know your target, what you're trying to achieve. If you want to deploy more VMs faster, go for NSX. Don't go for ACI for that.

As a Cisco partner, our company does training and implementations on Cisco's behalf for different customers. Sometimes Cisco needs some advanced services to help the customer to do the implementation. Sometimes the customer has a problem with the ACI service. It's a new technology so some customers are really confused with the new terms and the new deployment style of ACI. They cannot compare it with their legacy solution, and when they start comparing it they get confused. We help with how the migration should be done from the legacy to ACI.

I would rate Cisco ACI at seven out of ten. The good thing about ACI is its integration with the different hypervisors. It supports VMware, Hyper-V, and KVM. When a customer is looking into a heterogeneous environment where ACI is involved and the other part is VMware for their NSX SDN, VMware has now come up with its own heterogeneous system, NSX-V. They realized very late that they had a problem, that they could only integrate with the VMware environment. Where Cisco ACI had an edge over them was that they could integrate with the virtual environment of Hyper-V, VMware, and KVM very well. And ACI automation also helps deploy and do the integration very easily in the virtual compute part of the network.

Also with ACI, the performance of switches is really good - it's actually a hardware-based SDN - and the delays are very small. The performance is really good with ACI.

But ACI has its own shortcomings such as not having very strong native support for security. Customers always have to look into third-party security solutions to implement good security within their software-defined data centers. If you compare it with NSX, NSX comes with the Distributed Firewall and the Edge Firewall. It has its own native security. This is where ACI lacks a lot because you have to implement contracts and filters. It's a very tricky part. You have to be very careful when implementing the contracts. If you make a little mistake, it can cause a good amount of troubleshooting time to debug the issue. That's the missing part.
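The contract-and-filter mistakes described above are the kind of thing that can be checked mechanically before a policy goes live. The script below is an added example, not code from this review or from Cisco: it reads an APIC-style JSON policy export (the `fvTenant` > `vzFilter` > `vzEntry` and `fvTenant` > `vzBrCP` > `vzSubj` > `vzRsSubjFiltAtt` object model as the APIC REST API returns it, which is assumed here) and flags contract subjects that reference a permit-all filter, a TCP/UDP filter with no destination port restriction, or a filter name that does not resolve. The export it runs on is constructed for the example.

```python
"""Lint an APIC-style ACI policy export for risky contract filters.

Added example, not code from the review or from Cisco. Assumes the APIC
JSON object model (fvTenant > vzFilter > vzEntry, fvTenant > vzBrCP > vzSubj
> vzRsSubjFiltAtt). The export below is constructed for this example.
"""
import json

# Constructed sample export: one tenant with a tight HTTPS filter, a
# permit-all IP filter, and three contracts (good, allow-all, typo'd name).
SAMPLE_EXPORT = json.dumps({"imdata": [{"fvTenant": {
    "attributes": {"name": "prod"},
    "children": [
        {"vzFilter": {"attributes": {"name": "https"}, "children": [
            {"vzEntry": {"attributes": {"name": "tcp443", "etherT": "ip",
                                        "prot": "tcp", "dFromPort": "443",
                                        "dToPort": "443"}}}]}},
        {"vzFilter": {"attributes": {"name": "any-ip"}, "children": [
            {"vzEntry": {"attributes": {"name": "all", "etherT": "ip",
                                        "prot": "unspecified"}}}]}},
        {"vzBrCP": {"attributes": {"name": "web-to-db"}, "children": [
            {"vzSubj": {"attributes": {"name": "s1"}, "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "https"}}}]}}]}},
        {"vzBrCP": {"attributes": {"name": "legacy"}, "children": [
            {"vzSubj": {"attributes": {"name": "s1"}, "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "any-ip"}}}]}}]}},
        {"vzBrCP": {"attributes": {"name": "typo"}, "children": [
            {"vzSubj": {"attributes": {"name": "s1"}, "children": [
                {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "htps"}}}]}}]}},
    ]}}]})

# APIC leaves unrestricted attributes as "unspecified"; an absent attribute is
# treated the same way here (assumption for this lint).
UNSET = ("", "unspecified")


def children_of(obj, cls):
    """Yield the child objects of class `cls` (e.g. "vzFilter") under `obj`."""
    for child in obj.get("children", []):
        if cls in child:
            yield child[cls]


def entry_is_permit_all(attrs):
    """True for a vzEntry with no L3 protocol restriction, i.e. any traffic
    (the common tenant's built-in `default` filter is the usual case)."""
    ether = attrs.get("etherT", "unspecified")
    return ether in UNSET or (ether == "ip" and attrs.get("prot", "unspecified") in UNSET)


def entry_is_unbounded_l4(attrs):
    """True for a TCP/UDP vzEntry with no destination port restriction."""
    return (attrs.get("prot") in ("tcp", "udp")
            and attrs.get("dFromPort", "unspecified") in UNSET)


def load_filters(tenants):
    """Map (tenant name, filter name) -> list of vzEntry attribute dicts."""
    catalogue = {}
    for tenant in tenants:
        tname = tenant["attributes"]["name"]
        for flt in children_of(tenant, "vzFilter"):
            entries = [e["attributes"] for e in children_of(flt, "vzEntry")]
            catalogue[(tname, flt["attributes"]["name"])] = entries
    return catalogue


def audit_export(text):
    """Return findings as (tenant, contract, subject, filter, reason) tuples."""
    tenants = [i["fvTenant"] for i in json.loads(text)["imdata"] if "fvTenant" in i]
    catalogue = load_filters(tenants)
    findings = []
    for tenant in tenants:
        tname = tenant["attributes"]["name"]
        for contract in children_of(tenant, "vzBrCP"):
            cname = contract["attributes"]["name"]
            for subj in children_of(contract, "vzSubj"):
                sname = subj["attributes"]["name"]
                for rel in children_of(subj, "vzRsSubjFiltAtt"):
                    fname = rel["attributes"]["tnVzFilterName"]
                    # A filter name resolves in the tenant first, then in `common`.
                    entries = catalogue.get((tname, fname), catalogue.get(("common", fname)))
                    if entries is None:
                        findings.append((tname, cname, sname, fname, "unresolved filter reference"))
                    elif any(entry_is_permit_all(e) for e in entries):
                        findings.append((tname, cname, sname, fname, "permit-all filter"))
                    elif any(entry_is_unbounded_l4(e) for e in entries):
                        findings.append((tname, cname, sname, fname, "no destination port restriction"))
    return findings


if __name__ == "__main__":
    for finding in audit_export(SAMPLE_EXPORT):
        print("%s/%s subject %s -> filter %s: %s" % finding)
```

Run against a real export, the same walk works on the JSON the APIC returns for a tenant query with `rsp-subtree=full`; the `web-to-db` contract passes, while `legacy` is reported for its permit-all filter and `typo` for a filter name that resolves nowhere, which in the fabric would silently match nothing.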

Disclosure: My company has a business relationship with this vendor other than being a customer: Partner.
4 Comments
MUNEER AHMAD (Real User, Top 10)

I totally agree with Imran Alvi.
ACI provides the ability to manage the data center from a single platform and to provide facilities to automate processes and the ability to integrate with other Cisco devices as well as 3rd party products. The integration with hypervisor is exceptional. All in all, ACI gives the adaptability to deal with the entire data center from a single pane of glass.

27 June 19
Muneeb Ali (User)

An intensive review around the Cisco SDN: ACI. It grows and defines the evolution of ACI with time. The challenges that put engineers into it and flexibility in a virtual world. The heterogeneous nature and integration of ACI speaks for itself. The wisdom in this review depicts the plan guide for an enterprise when moving towards or selecting the SDN environment.

27 June 19
Muhammad Usman Nazeer (Real User, Top 10)

This is a very realistic review. Why do organizations choose any SDN solution and what type of virtualized technology do they want to integrate? On top of that, what shortcomings will they face for implementing this technology?

27 June 19
Syed Adeel Qamar (Real User, Top 10)

While ACI is good for an underlay fabric, it's still a hardware-dependent solution, and there are other vendors in the space which have come leaps and bounds to come up with Leaf & Spine based DC Fabrics with VXLAN/EVPN, which was and still remains the MAIN selling point/use case for ACI.
Almost 100% of deployments that I have come across are still deployed in "NETWORK CENTRIC" as one big switch with no L4-L7 service chaining which was supposed to make it "APPLICATION CENTRIC".

I have seen many network engineers find it really, really hard to adopt/digest ACI in the way it operates and is configured. Recently I have seen many customers deploying Leaf and Spine fabric based on N9K's operating in NX-OS mode because of ease of operation etc.

The future is Network Virtualization.

28 June 19