ACI as the foundation of the software defined datacenter
September 10, 2020


Anonymous | TrustRadius Reviewer
Score 8 out of 10
Vetted Review
Verified User

Overall Satisfaction with Cisco Application Centric Infrastructure (Cisco ACI)

We use ACI in our new SDDC (Software Defined Data Center) which is used in three different data center locations in Europe to be able to deliver a hybrid cloud to our internal customers worldwide. This is a network area that is deployed in parallel to our existing legacy network.
  • Automated deployment of the network
  • Microsegmentation inside of VLANs
  • Better monitoring options
  • No redundancy in the deployment (if an error is deployed it's everywhere at the same time)
  • Complete change of mind of the network operations team needed
  • Very complex deployment if done manually (needs automation)
  • There was a high initial investment in the hardware.
  • Due to the automated and standardized configuration, we are much faster in deploying changes. Even possible as self-service for the customer.
  • We have fewer problems caused by human errors due to the automated configuration approach.
We integrated the Cisco Firepower Firewall in the SDDC. The firewall and the ACI controller exchange the EPG information. The EPGs are then configuration objects on the firewall and are always up to date.
We integrated ACI with Splunk, which gives users a much better monitoring experience than we have with SNMP traps in the legacy network.
As ACI is designed with the purpose of automating the network deployment, this is much easier than with the legacy network. Everything is done via REST API calls.
As ACI uses a centralized controller for the complete network, all changes are done at the same time on all devices, reducing the deployments significantly.
The scalability of ACI is absolutely sufficient in most parts. Only when using contracts alone and not a firewall might there be a limitation in scalability. If the uplink bandwidth of 2x 100G is not sufficient, the only way to upgrade the uplink bandwidth is to deploy additional Spines, even if there are still ports available on the already deployed spines.
The micro-segmentation options allow you to easily enforce security within the same subnet. In our case, this greatly increases security. Since we are integrating different customers and stages (production, development and testing) into ACI, which were previously separated by a firewall, we would reduce security if we only passed on contracts. With contracts in ACI, you get ACL-like security and not stateful security like a firewall. This weak point can be remedied by integrating a firewall.
An alternative to ACI would be to use VMware NSX-T. The advantage of NSX-T is that the micro-segmentation is implemented with a distributed firewall and not with ACLs. The disadvantages are that you would still need an additional physical network as underlay that has to be managed independently of the overlay, and that you can only integrate virtualised systems that are supported by the product and bare metal workloads that have additional software installed to support NSX-T.

With ACI, underlay and overlay are configured with the same REST API and all devices can be integrated.
It's well suited for very dynamic workloads or virtualised workloads where there is constant change needed in the configuration of the network environment or firewall rules. If the firewall, as in our case, is integrated in the SDDC and the EPG information is exchanged between ACI and the firewall, there is increased security, as the firewall no longer depends on IP addresses. IPs removed from an EPG are immediately removed from the firewall rule.
For the old, consistent parts like mainframe or storage it has less of an advantage, as the necessary changes are very few.
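The review makes two security points that are easy to misread: an ACI contract is a stateless, ACL-like filter, whereas an integrated firewall is stateful; and a firewall that consumes EPG membership stops matching an endpoint the moment it leaves the EPG. The following Python model, added here as an illustration and not code from the reviewer, Cisco ACI or Firepower, shows both. It uses no vendor API: `Epg`, `StatelessContract`, `StatefulFirewall` and `run_scenario` are constructed names, the "reverse filter" behaviour of the contract is a simplification of how a stateless rule admits reply traffic, and the IP addresses and ports are made up.

```python
"""Added example: stateless contract vs. stateful firewall between two EPGs.

Simplified model written for this page; it is not Cisco ACI or Firepower
code and uses no vendor API. Endpoint IPs and port numbers are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    sport: int
    dport: int


class Epg:
    """Endpoint group: a named set of member IPs shared by both policy engines."""

    def __init__(self, name: str, members: Set[str]) -> None:
        self.name = name
        self.members = set(members)


class StatelessContract:
    """ACL-like contract: consumer EPG may reach provider EPG on one TCP port.

    A reverse rule lets provider->consumer packets through whenever the
    *source* port matches, which is all a stateless filter can key on to
    admit replies (assumption: simplified model of a reverse-port filter).
    """

    def __init__(self, consumer: Epg, provider: Epg, port: int) -> None:
        self.consumer, self.provider, self.port = consumer, provider, port

    def allows(self, pkt: Packet) -> bool:
        forward = (pkt.src_ip in self.consumer.members
                   and pkt.dst_ip in self.provider.members
                   and pkt.dport == self.port)
        reverse = (pkt.src_ip in self.provider.members
                   and pkt.dst_ip in self.consumer.members
                   and pkt.sport == self.port)
        return forward or reverse


class StatefulFirewall:
    """Same EPG policy, but replies are only accepted for a session the
    consumer actually opened (tracked as a 4-tuple)."""

    def __init__(self, consumer: Epg, provider: Epg, port: int) -> None:
        self.consumer, self.provider, self.port = consumer, provider, port
        self.sessions: Set[Tuple[str, int, str, int]] = set()

    def allows(self, pkt: Packet) -> bool:
        if (pkt.src_ip in self.consumer.members
                and pkt.dst_ip in self.provider.members
                and pkt.dport == self.port):
            self.sessions.add((pkt.src_ip, pkt.sport, pkt.dst_ip, pkt.dport))
            return True
        # Reply direction: permitted only if the mirrored 4-tuple is a known session.
        return (pkt.dst_ip, pkt.dport, pkt.src_ip, pkt.sport) in self.sessions


def run_scenario() -> Dict[str, List[bool]]:
    """Run three packets through both engines, then remove the client from its EPG."""
    clients = Epg("clients", {"10.1.0.10"})   # constructed
    web = Epg("web", {"10.2.0.20"})           # constructed
    contract = StatelessContract(clients, web, 443)
    firewall = StatefulFirewall(clients, web, 443)

    syn = Packet("10.1.0.10", "10.2.0.20", 51000, 443)          # client opens session
    reply = Packet("10.2.0.20", "10.1.0.10", 443, 51000)        # genuine reply
    unsolicited = Packet("10.2.0.20", "10.1.0.10", 443, 3389)   # no such session exists
    results = {
        "contract": [contract.allows(p) for p in (syn, reply, unsolicited)],
        "firewall": [firewall.allows(p) for p in (syn, reply, unsolicited)],
    }
    # The endpoint leaves the EPG: both engines stop matching it immediately,
    # with no per-IP rule edit, because policy is keyed on EPG membership.
    clients.members.discard("10.1.0.10")
    results["after_removal"] = [contract.allows(syn), firewall.allows(syn)]
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(name, outcome)
```

The stateless contract admits the unsolicited packet from the web EPG because it only sees a matching source port, while the stateful firewall drops it for lack of a session; this is the gap the review describes closing by integrating a firewall. The last step shows why EPG-based rules need no IP maintenance: both engines deny the removed endpoint as soon as the shared EPG object changes.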