Cisco
Why I recommend it for enterprise networks that have outgrown SMB consolidation
I’ve been working in Cisco environments since 2018, across IOS-XE 17.x on Catalyst 9300 and 9500 switches, ASA 5516-X to Firepower 1010 firewall migrations, and FMC 7.x policy work. This is the case I make to clients evaluating their next enterprise refresh, and the cost and complexity no one in marketing prints.
Why Cisco works
Four reasons hold up across deployments.
Operations ecosystem depth
Catalyst Center (assurance, SDA, automation) plus ISE (identity-centric NAC) plus Umbrella (DNS-layer security) plus ThousandEyes (path visibility). Each is competitive on its own; the value comes from the fact that the four share state.
I ran a 4,000-endpoint SDA fabric migration where ISE handled segmentation policy and Catalyst Center handled provisioning. What justifies the cost is that all four tools share state: one policy change, four enforcement surfaces.
Labor market + ecosystem
CCNA and CCNP are the most-recognized network certs globally. Hiring is easier, partners are everywhere, and any senior network hire has already touched IOS in some form. The training material has decades behind it.
A customer's senior network engineer already had a CCNP; onboarding to FMC took a week, not a month. The skills are a commodity in a way Fortinet's NSE simply isn't yet.
IOS-XE maturity
IOS-XE 17.x is genuinely good. Programmability via NETCONF, YANG, and RESTCONF; model-driven telemetry instead of SNMP scraping; Day-0 / ZTP workflows for switch onboarding; Guest Shell for on-box Python automation. The traditional CLI is still there for the muscle-memory crowd.
I pushed a 200-switch config change via Catalyst Center templates over NETCONF in roughly 30 minutes. The same change done by hand would have been a two-day maintenance window.
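To make the NETCONF/YANG workflow concrete, here is an added example (my own illustration, not code from Cisco or from any project above) that builds an IOS-XE edit-config payload against the Cisco-IOS-XE-native model, parses it back for review before it is sent, and only then pushes it with ncclient. The hostname, loopback address, device IP and credentials are placeholders; the push step is off by default so the build-and-review path runs with no device and no ncclient install.

```python
"""Build, review and (optionally) push an IOS-XE NETCONF <edit-config> payload.

Added example, not the author's or Cisco's code. The YANG paths follow the
Cisco-IOS-XE-native model (hostname and a Loopback interface); the device
address, credentials and the change itself are placeholders.
"""
import xml.etree.ElementTree as ET

NETCONF_BASE_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"
IOSXE_NATIVE_NS = "http://cisco.com/ns/yang/Cisco-IOS-XE-native"


def build_edit_config(hostname: str, loopback_id: int, loopback_ip: str,
                      description: str) -> str:
    """Return the <config> body for an edit-config against the running datastore."""
    config = ET.Element("config", xmlns=NETCONF_BASE_NS)
    native = ET.SubElement(config, "native", xmlns=IOSXE_NATIVE_NS)
    ET.SubElement(native, "hostname").text = hostname
    # native/interface/Loopback/{name,description,ip/address/primary/{address,mask}}
    loopback = ET.SubElement(ET.SubElement(native, "interface"), "Loopback")
    ET.SubElement(loopback, "name").text = str(loopback_id)
    ET.SubElement(loopback, "description").text = description
    primary = ET.SubElement(
        ET.SubElement(ET.SubElement(loopback, "ip"), "address"), "primary")
    ET.SubElement(primary, "address").text = loopback_ip
    ET.SubElement(primary, "mask").text = "255.255.255.255"
    return ET.tostring(config, encoding="unicode")


def summarize_payload(xml_text: str) -> dict:
    """Parse a payload back and report what it would change (review before push)."""
    root = ET.fromstring(xml_text)
    ns = {"n": IOSXE_NATIVE_NS}
    return {
        "hostname": root.findtext("n:native/n:hostname", namespaces=ns),
        "loopback": root.findtext("n:native/n:interface/n:Loopback/n:name",
                                  namespaces=ns),
        "ip": root.findtext(
            "n:native/n:interface/n:Loopback/n:ip/n:address/n:primary/n:address",
            namespaces=ns),
    }


def push_edit_config(host: str, username: str, password: str, payload: str,
                     dry_run: bool = True) -> bool:
    """Send the payload over NETCONF (TCP/830) with ncclient; returns the RPC ok flag.

    With dry_run=True (the default) nothing is sent and False is returned, so the
    build/review path has no dependency on ncclient or on a reachable switch.
    """
    if dry_run:
        return False
    from ncclient import manager  # imported lazily; only needed for a real push
    with manager.connect(host=host, port=830, username=username, password=password,
                         hostkey_verify=True,  # device SSH key must be in known_hosts
                         device_params={"name": "iosxe"}) as m:
        reply = m.edit_config(target="running", config=payload)
        return reply.ok


if __name__ == "__main__":
    # Placeholder values: a hypothetical access switch and management loopback.
    payload = build_edit_config("edge-sw-01", 0, "10.255.0.1", "management loopback")
    print(summarize_payload(payload))
    print("pushed:", push_edit_config("192.0.2.10", "admin", "CHANGE-ME", payload))
```

The review step matters more than it looks: a templated change that is fanned out to 200 switches is only as safe as the payload that reaches the first one, so parse what you generated and check the fields before you flip `dry_run` off. Keep `hostkey_verify=True` and populate known_hosts from a trusted inventory; disabling host-key checking to make automation "just work" turns every NETCONF session into a credential-disclosure risk on the management network.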
FTD/FMC + Umbrella defense-in-depth
FTD on Firepower hardware (1010, 2100, 4100 series) for L4–L7 firewall and IPS. FMC for centralized policy across the fleet. Umbrella for DNS-layer outbound filtering, which kills phishing and C2 callbacks before the client even opens a TCP connection: the name simply never resolves.
Umbrella blocked roughly 8,400 outbound DNS lookups to known-malicious domains in one week for a 500-user customer. Most never reached a packet-inspection rule because they died at DNS.
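The point about DNS-layer blocking is easiest to see on a log. The following is an added example (mine, not Cisco's or Umbrella's code, and the log format is a constructed four-field line, not Umbrella's real export): it runs a domain-policy decision over constructed query records, using suffix matching so that subdomains of a blocked zone are caught while a lookalike name that merely contains the string is not, and counts what would have died at DNS. All domains are under the reserved `.example` TLD.

```python
"""DNS-layer policy evaluation over a constructed query log.

Added example, not the author's, Cisco's or Umbrella's code. Log format,
blocklist, allowlist and every domain below are constructed for illustration.
"""
from collections import Counter
from typing import Optional, Tuple

# Constructed sample lines: "<timestamp> <client-ip> <qtype> <qname>"
SAMPLE_LOG = """\
2024-05-06T09:00:01Z 10.20.1.15 A intranet.corp.example
2024-05-06T09:00:02Z 10.20.1.15 A cdn.update-relay.example
2024-05-06T09:00:05Z 10.20.1.42 A login.corp.example.update-relay.example
2024-05-06T09:01:10Z 10.20.2.7 AAAA beacon.badactor.example
2024-05-06T09:01:11Z 10.20.2.7 TXT k8x2.beacon.badactor.example
2024-05-06T09:02:00Z 10.20.1.15 A www.vendor.example
2024-05-06T09:03:30Z 10.20.3.9 A badactor.example.corp.example
"""

BLOCKLIST = {"update-relay.example", "badactor.example"}   # constructed threat-intel zones
ALLOWLIST = {"corp.example"}                                # internal zone, always resolves


def match_suffix(qname: str, zones: set) -> Optional[str]:
    """Return the zone from `zones` that qname equals or sits under, else None.

    Walks the label boundaries right-to-left, so "a.b.bad.example" matches
    "bad.example" but "bad.example.corp.example" does not (a substring test would).
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels) - 1):          # never consider the bare TLD
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def decide(qname: str, blocklist: set = BLOCKLIST,
           allowlist: set = ALLOWLIST) -> Tuple[str, Optional[str]]:
    """Allowlist wins over blocklist; result is ("allow"|"block", matched zone or None)."""
    hit = match_suffix(qname, allowlist)
    if hit:
        return ("allow", hit)
    hit = match_suffix(qname, blocklist)
    if hit:
        return ("block", hit)
    return ("allow", None)


def evaluate(log_text: str, blocklist: set = BLOCKLIST,
             allowlist: set = ALLOWLIST) -> dict:
    """Apply the policy to every log line and summarize what died at DNS."""
    by_zone: Counter = Counter()
    by_client: Counter = Counter()
    total = 0
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                           # skip malformed records
        _ts, client, _qtype, qname = parts
        total += 1
        verdict, zone = decide(qname, blocklist, allowlist)
        if verdict == "block":
            by_zone[zone] += 1
            by_client[client] += 1
    return {
        "total": total,
        "blocked": sum(by_zone.values()),
        "by_zone": dict(by_zone),
        "by_client": dict(by_client),
    }


if __name__ == "__main__":
    report = evaluate(SAMPLE_LOG)
    print(f"{report['blocked']} of {report['total']} lookups blocked at DNS")
    for zone, n in report["by_zone"].items():
        print(f"  {zone}: {n}")
    for client, n in report["by_client"].items():
        print(f"  client {client}: {n} blocked lookups")
```

Two things in the sample are worth noticing when you read your own resolver logs. The lookalike `login.corp.example.update-relay.example` is blocked because the real registrable zone is the last two labels, not the ones the user sees first; and `10.20.2.7` issuing a TXT query under a blocked zone right after an AAAA is the shape of DNS-carried beaconing, which is exactly the traffic that never becomes a TCP session when the name fails to resolve. The `by_client` counter is what you hand to the host team.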
Where it fits best
Not every shop. The fit is sharpest when one of these describes you:
- Multi-site: five or more sites with consistent topology and an MPLS or SD-WAN backbone. Cisco's automation story (Catalyst Center templates, vManage SD-WAN) earns its keep here, where the labor cost of doing it by hand stops being negotiable.
- Segmentation: if you want SGTs and an SDA fabric, ISE is the path. The analogous story on Fortinet's side is younger and the tooling around policy authoring is thinner.
- Existing IOS team: if your network team already runs IOS, switching off Cisco is a labor-market problem more than a tech problem. The retraining cost is real and the hiring pipeline shifts under you for the first 12–18 months.
- Regulated industries: finance, federal, large healthcare. Cisco's audit posture is mature; FedRAMP and FIPS-validated SKUs are abundant in the product line. The auditor has seen the documentation before.
If none of these describe you — you’re under 500 users, single site, want one console — Fortinet is the more honest conversation.
The honest tradeoffs
Marketing won’t print these. I have hit every one of them in production.
- Cost: list pricing runs 30–50% above Fortinet on comparable throughput. Smart Licensing adds subscription fees on top of CapEx; Catalyst Center is per-device per-year and the tier (Essentials / Advantage / Premier) compounds on every switch in the fabric. Get your reseller to model 3-year and 5-year TCO at the bundle level, not the SKU level. The SKU-level number always looks fine; the bundle-level number is what shows up on the renewal.
- Licensing: Smart Licensing was supposed to simplify; in practice it's a parallel layer. It sits on top of the DNA Essentials / Advantage / Premier tiering rather than replacing it, and the Smart Account / Virtual Account model takes orientation. New deployments hit a confusion window for the first 90 days where the team is figuring out which features map to which tier, which licenses live in which account, and what counts against entitlement when a device reloads. Allocate time in the project plan, not just on the PO.
- FMC scale: the FMC UI gets sluggish past ~50 managed devices. Past roughly 200 devices, you're staging policy changes overnight to avoid commit timeouts and waiting on deploys that used to take minutes. Plan FMC sizing early or migrate to Cisco Defense Orchestrator (cloud-managed) before the fleet outgrows the on-prem appliance. Sizing this after you've already bought is expensive.
- Sprawl: seven UIs, and you need to know which one owns which truth. Catalyst Center, ISE, Umbrella, Meraki Dashboard, FMC, vManage, Intersight, ThousandEyes. Each is excellent in isolation. Together they're seven admin surfaces and the "we'll just unify in Catalyst Center" story has been promised for a decade and is partially true. Walking in without a clear ops model (who owns what, who logs in where) means your team will rediscover the answer in production at 2am.
Cisco's strength is also its complexity. Walking in with a clear ops model is the difference between getting value from the ecosystem and drowning in it.
Is it right for your company?
Four dimensions to check before you commit:
- Size: 500–10,000+ employees. Below 500, the TCO doesn’t pencil out against Fortinet or a Meraki-only deployment for the same use case. Above 10,000, the conversation needs a partner with deployment muscle, not a solo consultant, but the platform absolutely scales.
- IT maturity: Dedicated network and security engineers, not a single help-desk-plus-MSP shop. Someone on the team needs to own routing, someone needs to own firewall policy, and ideally those are different people. A two-person IT team won’t get full value from Catalyst Center.
- Existing stack: Ideally already on Cisco; second-best, willing to commit to a multi-year roadmap including hiring and training. Switching off Cisco mid-stream is rarely a tech problem and usually a people problem.
- Geography: Global. Enterprise channel is strong everywhere. LATAM has solid Cisco partner depth in MX, CO, and BR, with FedRAMP-equivalent local certifications available in several countries.
If three of the four match, Cisco is on the shortlist. If all four match and you’re past 1,500 users, it’s probably the right answer.
Who implements it
Internally, the lead implementer should be a senior network engineer with a CCNP, or working actively toward one. For multi-site SDA fabric work the architecture lead really should be CCIE-level — not as a credential check but because the design decisions made on day one (fabric size, control plane placement, ISE policy model, segmentation taxonomy) are expensive to refactor once production traffic depends on them. A team without that depth in-house will spend the first year discovering tradeoffs the documentation doesn’t surface.
Cisco Partner involvement on first deployment is standard practice and not really optional for first-time SDA fabric work. The Partner Specializations exist for a reason: the gap between what the docs say and what works in production is wider on Cisco than on Fortinet, and a partner who has shipped this five times will save you 80% of the discovery cost. Independent consultants (myself included) play a role too, especially for the firewall and Umbrella layers where the deployment shape is more contained.
If you’re standing up your first SDA fabric or migrating off ASA to FTD, let’s talk. Start with a 30-minute scoping call; if it’s a fit, we’ll spec the engagement from there.
First steps
- Read the FortiGate field guide for the SMB-consolidation alternative first. If you're a candidate for Fortinet (under 500 users, single site, small team, no SOC), finish that conversation before committing to Cisco's TCO. Worst case, you confirm Cisco is the answer; best case, you save six figures a year.
- Pick the platform layer that matters most and start there. The fastest way to get bogged down is trying to deploy the whole ecosystem at once. My current order of operations:
  - Catalyst switching (9200 / 9300 / 9500): the foundation. Get the switching layer stable before you layer anything on top.
  - FTD/FMC firewall: if you're replacing ASA or coming from Palo. Standalone deployment works fine; FMC scale-out comes later.
  - Catalyst Center + ISE: only after switching and firewall are stable. SDA fabric is a 6–12 month project on top of a working baseline, not the first move.
  - Umbrella: easy win, can be done independently as a security uplift. DNS-layer filtering with no on-prem footprint and a free trial worth running.
- Engage a Cisco Partner for the first deployment. Cisco Partner Specializations exist for a reason — the gap between what the docs say and what works in production is wider than Fortinet's. A specialized partner has hit the edge cases already and the time you save in discovery is worth more than the partner margin.
Beyond first steps: I take on Cisco firewall and switching deployment, migration, and audit work for enterprise clients in LATAM and remote globally. Talk to me about your deployment — I’ll tell you in 30 minutes whether it’s a Cisco job, a Fortinet job, or a “fix what you already have” job.