IaaS for Cisco ACI

Why is there a cost of integrating Cisco ACI and Check Point?
What do we as customers actually gain from it?

All other IaaS services from Check Point actually process the traffic itself.
Within ACI I do need to pay for the number of leaf switches within my APIC, and yet I do need a VSX to process the traffic.

In my own case I have 3 MDS with multiple VSX connected to an ACI fabric with 100 leaf switches in the main DC.
According to the license I would need to buy 3 x CPSG-VSEC-ACI-100, or at least I hope it's like that and not for each CMA.
And as far as I can see, the one and only thing I actually get is to be able to map, to be able to use EPG within the policy.
I still need to buy all the firewalls to actually handle the traffic.

If this is compared to something like VMware NSX, well, then I can actually process the traffic within VMware.
And I do not need to buy the firewalls separately.

Why not do it like a normal Azure/AWS etc., and be able to get the EPG info for free?
And if you want to run it via Check Point you add your firewalls and the benefit would be the same.
Within normal ACI contracts there is no advanced threat prevention, and if you want IPS etc. then you need to send the traffic to your Check Point firewall.
 
Regards
Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec
Hezi_Bahry
Employee

Hi Magnus,
You need to purchase licensing according to the number of leafs you have, and not according to the number of CMAs. E.g., if you have 100 leafs operated by 1 management or 100 leafs operated by MDS with 3 CMAs, it would still be the same license that you would need to purchase.

Feel free to ping me directly for any additional inquiry at Hezib@CheckPoint.com 


Thanks for clarifying that, but in this case it would be more like 300 CMAs on multiple MDS within 100 leafs, so they do not fit in one MDS.

Please clarify the reason why there is a license needed for this and what the actual benefit from this is, as seen from a customer.
Because it's simply not matching the other licenses, as those licenses actually serve a purpose and pass traffic.
This seems to give nothing else than actually being able to connect the APIC and then build rules on it.
Check Point's other "mapping" features are included, such as mapping the AD and more and more dynamic objects such as Office 365.

https://www.youtube.com/c/MagnusHolmberg-NetSec
Hezi_Bahry
Employee

Hi Magnus,
As much as I can understand your point, please note that the ACI licensing (and the capabilities it provides on ACI) could not be compared with other cloud products we have (it is a different offer). I will be happy to coordinate a meeting to further discuss.

Hezi

 


I would say that is the point: I don't see what I actually gain from paying for it. What capabilities do I get, other than mapping the info?
I can map VMware, Hyper-V, OpenStack etc. for free; it's only when I actually want to press traffic within Check Point that is on top of that platform that I need to pay a license for it.
But when it comes to ACI I need to pay to map it, but even if I pay for it I will not be able to press traffic within it.
Furthermore, the ACI licenses are also double the cost of other IaaS licenses and increase the more leafs I have, while in any other IaaS I do get more Check Point performance the more licenses I have.

In this case I am looking for an official answer, not a one-off to us as an MSSP, because I do think more people are wondering the same.

/Magnus

https://www.youtube.com/c/MagnusHolmberg-NetSec