What is our primary use case?
We use Cisco ACI for data center software-defined networking. Instead of restricting ourselves to older Cisco data center networking like 6500 switches for servers, Nexus devices, or 6500 core switches, I personally like the flexibility of Cisco ACI to grow the data center footprint and the stability Cisco was promising with the new 6500-like architecture. That is when I decided to go for software-defined networking, where you can program things and do it better.
We also had something coming up on the horizon where two different MUFG entities were likely to come together and start consolidating infrastructure, namely MUFG Bank and MUFG Securities. Cisco ACI is like cloud data center networking, or cloud networking in your private DCs, where you have multi-tenancy. The real use case for Cisco ACI was to segment two different entities and put them on the same network hardware but still have a completely segregated, separate environment. That was the reason why we went for Cisco ACI.
How has it helped my organization?
Cisco ACI has saved us more than 50% of the cost in terms of what we do in networking. Without Cisco ACI, we would have needed two distinct networking stacks, two cores, and two different server connectivity platforms for the two entities I manage today as Head of Network for MUFG Bank and Securities.
We are now in a common data center for both entities. Instead of having a duplicate of everything in a data center, I can run two different entities on the same networking platform and have the flexibility of the cloud within my own DC.
What is most valuable?
The solution's most valuable feature is its programmability and the automation you can do for large changes. It's not that automation wasn't available on any of the other Cisco platforms, like Cisco NX-OS, but not many people did it. Network automation was just a buzzword, but with MSO/NDO this automation becomes real for the DC networking stack. Cisco ACI is built on a data application-centric infrastructure with automation, and Cisco is bringing more automation by working with partners like Nutanix.
We have not implemented Cisco ACI with APIC and spine and leaf in the application-centric mode but in network-centric mode; we use another Cisco platform for micro-segmentation very successfully in protecting our internal environment. Even though it was a painful journey for us, right from day one, we went for a Cisco multi-site implementation with Cisco's MSO (Multi-Site Orchestrator), which is today called NDO. We configured and deployed Cisco ACI through an NDO.
The way you can expand the platform within the data center allows you to have a top-of-the-row design instead of centralizing everything in one frame and one central network rack.
You can have leaf switches in the cabinet where they are needed most. You can have a top-of-the-row design or within-a-row design instead of a centralized design. That architecture allows you to have spines in a central place, but leaves can be distributed wherever you need them.
What needs improvement?
Cisco's MSO (Multi-Site Orchestrator) or NDO has room for improvement. Cisco monitors ACI through a product called NDI. I find it very frustrating that Cisco has multiple monitoring platforms. It has DNAC for monitoring Cisco NX-OS, campus switches, and any other routers and switches you would have in the environment. That same thing does not work for Cisco ACI monitoring. There is the Meraki cloud-based platform for Meraki, which will get extended to campus monitoring. To be honest, Cisco never got monitoring 100% right, from the days of CiscoWorks to Prime to the current platforms.
To monitor and manage Cisco ACI, you need to have another platform called NDI and Cisco Dashboard Insights. What frustrates me about Cisco is that it never has a central, single pane of glass platform for all its solutions. It has one thing for Cisco ACI and another thing for campus switches. I would really appreciate it if Cisco came up with something centralized to monitor everything.
I haven't thought about anything since the Cisco NDO is quite advanced, and you can deploy your cloud networking through it. I don't know how many people use it. I might explore it as my cloud orchestration tool in the future. We do a lot of cloud automation using our scripts like Terraform, but I would like to see people using NDO more.
We could have more case studies on how many people use NDO for their cloud orchestration. That might be a much easier journey for people when they move from an on-premises data center into a cloud and move from one cloud to another cloud. That is where I personally see an orchestrator being effectively used for multiple deployments.
For how long have I used the solution?
I have been using Cisco ACI for four and a half years.
What do I think about the stability of the solution?
Cisco ACI is a highly stable solution. Cisco has come up with a product that is as stable as 6500. We have seen a lot of stability issues in Cisco Nexus switches. When Cisco introduced Cisco Nexus in the plants, it wasn't as stable a platform as 6500 would have been. We had 6500 switches running for 19 years without any downtime. Cisco ACI follows the stability of 6500 and provides a stable environment.
Since we implemented Cisco ACI, any outages in my environment were caused by the bugs in Orchestrator. When you deploy a new policy, the bugs in Orchestrator create outages. Over the last four and a half years, Cisco has resolved the bugs within Orchestrator, and the product has stabilized. MUFG is probably among the top five percent of Cisco customers running the latest NDO and Cisco ACI, and we do not have any stability issues.
I rate the solution’s stability ten out of ten.
What do I think about the scalability of the solution?
Scalability was the reason why we went for Cisco ACI instead of Nexus or some other switches. The other reasons were the ease of migration and Cisco ACI's multi-pod environments. You can move the data center however you like from one place to another. Instead of having sites A and B, you can have multiple pods within site A.
That offers you a way to move away from one data center to another. It gives an organization full flexibility if they want to move away. It's not that you have to redeploy everything completely, but you can extend from one site to another without causing any business outages.
Around 5,500 users use the solution extensively in our organization. We have another data center consolidation coming up. With that consolidation, my old networking stack in one of the old data centers will be completely gone. Everything in that data center will be moved into Cisco ACI.
I rate the solution’s scalability ten out of ten.
How are customer service and support?
My experience with the solution's technical support has been quite good. Sometimes, we find that some of the engineers we get from technical support do not know about the latest version of Cisco NDO. Cisco still has to train its engineers on the latest version because they are more used to the older versions.
Sometimes, my own engineers find it funny that they know more than Cisco engineers because we use the solution's latest version. It's not that they don't know it. They are not completely familiar with their own product. It could be because we reached out to Cisco on the weekend, and the engineers available were not specialists in the product's latest version.
I think whatever Cisco has done in the technical support background has improved recently. I know that Cisco has started using artificial intelligence in its TAC environment. Since some AI advises their technical support staff, the meantime to resolve has drastically reduced for me as a customer.
How would you rate customer service and support?
Which solution did I use previously and why did I switch?
We previously used Cisco 6500 switches in our data center. It was a mix of Cisco 6500 and Cisco Nexus switching for our data center. We switched to Cisco ACI because I wanted a multi-tenancy environment as two entities were coming together. I like the way you can change things within Cisco ACI. I also like the programmability or automation capability that this platform gives me.
How was the initial setup?
The solution's initial setup was easy because we went for network-centric implementation. When we deployed the solution, Cisco MSO (Multi-Site Orchestrator) was a new product in the market. It was quite buggy, and we have had some production outages because of the bugs in the product.
It took us longer than expected for us to deploy the solution because the COVID pandemic struck while we were implementing Cisco ACI. All the plans to deploy it were disrupted, but we managed to deploy it within a year instead of six months. If it hadn't been for COVID, we would have finished our project as planned within six months.
The deployment process was more about understanding the current network design and seeing how it will work within ACI. We considered what sort of tenancy we would need for one organization, how we carve out the tenancy for another organization, how many tenants we need, and how we maintain all this aggregation and some restructuring. The process was quite involved. However, once everybody grasped it, it was quite easy for us.
A core team of four people were involved in the solution’s deployment.
On a scale from one to ten, where one is difficult and ten is easy, I rate the solution's initial setup an eight out of ten.
What about the implementation team?
I had my own team, along with a third-party reseller, to deploy Cisco ACI. The third-party reseller's name then was Dimension Data, which NTT had purchased. I had a team of architects from Dimension Data who worked extensively with my team to deploy it for us.
What was our ROI?
We have seen a return on investment with Cisco ACI. I could get rid of another entity's data center. MUFG Bank was another entity that ran a traditional Cisco data center stack. When we came together as two different entities and consolidated our data center, I didn't have to buy any kit for MUFG Bank.
The return on investment for me is that I run two different entities, MUFG Bank and MUFG Securities, on the same hardware. It is a 50% return on investment for each entity. One entity originally invested in the platform, another entity came as an additional tenant, and both started sharing the cost of the platform.
It's a huge benefit for anybody trying to acquire additional businesses, and if there is a regulatory need to keep those environments separate from each other. There are huge security benefits as well with multi-tenancy. Both tenants remain separate. If one is hacked or something happens to one tenant, the other one still remains separate and protected.
If you want two different administrative teams, you can have one network team manage one tenant and another network team manage the other tenant. You have all the advantages of a cloud platform in your own data center.
What's my experience with pricing, setup cost, and licensing?
It is not the cheapest platform, but one network outage and the Bank could be losing millions, and that's how we have to think.
On a scale from one to ten, where one is cheap and ten is expensive, I rate the solution's pricing a seven out of ten.
Which other solutions did I evaluate?
Before choosing Cisco ACI, we did look at some other vendors. However, my team has always been a network team that has hands-on experience with Cisco technologies. I felt comfortable because we had managed the Cisco environment for a long time. We know how good the stability of the environment is.
It was not an easy decision to choose Cisco's new platform, considering you need to train all your network engineers to think differently from the traditional way they have been doing networking. I met some of the top-level VPs then and decided to go for Cisco. I explored the platform in Cisco CPOC labs and looked at the product's capability.
What other advice do I have?
I am working with the latest version of Cisco ACI. I don't like the policy-driven approach of Cisco ACI. I have deployed Cisco ACI to get multi-tenancy and other features, but not the policy-driven features. Cisco ACI follows an application-centric approach that segregates all your applications within the ACI. The solution's policy-driven approach makes it really complicated to administer an ACI infrastructure.
As a network team, we run MUFG ACI in a more network-centric mode, where it is like a network that is known to us. It facilitates network expansion and allows me to have multi-tenancy and other nice features. I do micro-segmentation, the policy-driven approach, using another Cisco product called Cisco Secure Workload, or Cisco Tetration as it used to be called.
I took the decision to onboard Cisco Secure Workload (Cisco Tetration). We use that product for any segmentation or micro-segmentation within the internal environment. We have onboarded the product, and my IT RSC team has successfully deployed it for many critical applications.
I have an ACI expert on my team to maintain the solution. Cisco ACI is completely new for a normal network engineer who is used to racking, stacking, and configuring switches from scratch using the command line. It's rocket science for a normal network engineer because the way you do things in Cisco ACI is different.
You do not configure a leaf switch or a spine switch. You just connect and configure them to an Orchestrator. This was more of an eye-opening journey for network engineers, as it showed how networks are changing and how on-premise networks are transforming into cloud-like ones. I had to retrain my entire team through Cisco ACI.
There have been a lot of in-house sessions where people were learning from each other, training each other, and taking some Cisco courses as well. I think it was a journey worth embarking on over four and a half years. People have changed their mindsets, become experts, and can now manage the platform on their own.
I don't know any other platform that I would have chosen for such a critical use case. You have to consider that the network is the core of everything. You cannot afford an outage on a network because I have 500 applications running within my network. If something goes wrong with the network, the business suffers.
The cost of network outages for businesses is quite high. A single two-hour outage within my network could cost us millions as an investment bank. Since the cost of a network outage is high, we cannot buy just any technology. We need a robust solution that guarantees it will always work.
I would advise new users to go for Cisco in a network-centric mode. It offers you all the flexibility of Cisco ACI without the complication of application-centric infrastructure with EPGs. If you run one single application within Cisco ACI, the application-centric infrastructure or policy-based element will work, where you restrict one from talking to the other.
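As an added example (not the reviewer's or Cisco's code) of what network-centric mode looks like in the ACI object model: one VRF per tenant with policy enforcement switched off so EPGs talk without contracts, one bridge domain plus one EPG per VLAN, and a check that the tenant references nothing outside itself. Class and attribute names are ACI object-model names; the tenant and VLAN values are constructed, and the APIC endpoint the payload would be posted to is assumed rather than shown.

```python
"""Network-centric Cisco ACI tenant builder and check (added example, not
from the review). One VRF per tenant, one bridge domain plus one EPG per
VLAN, so each EPG is simply "the VLAN". fvTenant/fvCtx/fvBD/fvRsCtx/fvAp/
fvAEPg/fvRsBd are ACI object-model classes; tenant and VLAN values are constructed."""


def network_centric_tenant(name, vlans):
    """Return the fvTenant JSON (the payload an APIC POST would carry)."""
    vrf = f"{name}_VRF"  # routing table private to this tenant
    bds, epgs = [], []
    for vlan in vlans:
        bd = f"BD_VLAN{vlan}"
        bds.append({"fvBD": {"attributes": {"name": bd}, "children": [
            {"fvRsCtx": {"attributes": {"tnFvCtxName": vrf}}}]}})
        epgs.append({"fvAEPg": {"attributes": {"name": f"EPG_VLAN{vlan}"}, "children": [
            {"fvRsBd": {"attributes": {"tnFvBDName": bd}}}]}})
    # pcEnfPref=unenforced: no contracts inside the VRF, like a classic network;
    # segmentation within the tenant must then come from another tool.
    return {"fvTenant": {"attributes": {"name": name}, "children": [
        {"fvCtx": {"attributes": {"name": vrf, "pcEnfPref": "unenforced"}}}, *bds,
        {"fvAp": {"attributes": {"name": "NetCentric_ANP"}, "children": epgs}}]}}


def check_tenant(tenant):
    """Return problems: a BD pointing at a VRF not in this tenant, an EPG
    pointing at a BD not in this tenant, or a BD shared by two EPGs."""
    children = tenant["fvTenant"]["children"]
    vrfs = {c["fvCtx"]["attributes"]["name"] for c in children if "fvCtx" in c}
    bds = {c["fvBD"]["attributes"]["name"]: c["fvBD"] for c in children if "fvBD" in c}
    problems, used = [], {}
    for name, bd in bds.items():
        for rel in bd["children"]:
            if "fvRsCtx" in rel and rel["fvRsCtx"]["attributes"]["tnFvCtxName"] not in vrfs:
                problems.append(f"{name}: VRF is outside this tenant")
    for c in children:
        for epg in c.get("fvAp", {}).get("children", []):
            ename = epg["fvAEPg"]["attributes"]["name"]
            for rel in epg["fvAEPg"]["children"]:
                if "fvRsBd" not in rel:
                    continue
                bd = rel["fvRsBd"]["attributes"]["tnFvBDName"]
                if bd not in bds:
                    problems.append(f"{ename}: BD is outside this tenant")
                elif bd in used:
                    problems.append(f"{bd}: shared by {used[bd]} and {ename}")
                used[bd] = ename
    return problems


if __name__ == "__main__":
    print(check_tenant(network_centric_tenant("Bank_Tenant", [10, 20])))  # []
```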
Suppose you work for a complicated organization like an investment bank, where we have over 300 applications. If somebody goes for an application-centric architecture within Cisco ACI, they will spend another three to four years trying to get it together.
My advice would be to go for the other capabilities of Cisco ACI and not for its segmentation or micro-segmentation capabilities. Users can deploy Cisco Secure Workload for their micro-segmentation needs.
Overall, I rate Cisco ACI ten out of ten.
Which deployment model are you using for this solution?
On-premises