
This content was created and contributed by Aruba.

The Aruba CX 10000 Series Switch with Pensando represents a new category of data center switches that combines best-of-breed Aruba data center L2/3 switching with the industry's only fully programmable DPU (Pensando Elba). It delivers stateful software-defined services inline, at scale, with wire-rate performance and orders of magnitude scale and performance improvements over traditional data center L2/3 switches at a fraction of their TCO.

Market context

While data center networking has evolved over the past decade, providing higher-performing 25/100/400G leaf-spine topologies to address the volume and velocity of emerging application architectures, the associated services architectures have not. Centralized security appliances are inefficient and expensive at inspecting and protecting east-west application traffic within the data center. Hair-pinning traffic to an appliance sitting at the data center edge comes with heavy performance and cost penalties. This problem is exacerbated by microservices-based applications, where traffic may not even leave a physical host to go from one service to another. This means some application traffic may never be inspected by a hardware firewall, IPS, or other security device—leaving enterprises vulnerable to attacks from within the enterprise itself.

Aruba CX 10000 Series Switch with Pensando

The Aruba CX 10000 provides an entirely new switching solution to overcome these legacy limitations. The solution allows operators to extend the capabilities of the leaf-spine fabric to natively provide 800G of distributed stateful firewall for east-west traffic, zero-trust segmentation, pervasive telemetry, and, in the future, stateful NAT and encryption services.

The solution delivers a unique blend of performance, scale, and automation for distributing advanced networking and security services. Where it is impractical and costly to force traffic back and forth across the network to a centralized policy enforcement point, it instead applies these services at the network access layer edge, where the applications are running.

Aruba CX 10000 customer benefits

  • Improves security posture and limits appliance sprawl
  • Extends Zero Trust Segmentation deeper into the data center for any type of host
  • Delivers isolation and multi-tenancy for virtualized, bare-metal, or containerized workloads
  • Optimizes network traffic flows, bandwidth and performance
  • Overcomes centralized networking service layer chokepoints, reducing downtime
  • Simplifies operations via unified network and security automation and management
  • Addresses deployments where security agents can't be deployed into servers
  • Accelerates infrastructure service provisioning
  • Significantly lowers capex/opex expenditure on security and services

Aruba CX 10000 solution details

The Aruba CX 10000 is a high-performance access layer/leaf data center switch that provides 3.2Tbps of switching capacity, 48 ports of line rate 10/25GbE (SFP/SFP+/SFP28), and 6 40/100GbE ports (QSFP+/QSFP28), with 800G of stateful services bandwidth through dual Pensando Data Processing Units (DPU) in a compact 1U form factor.

Key features:

  • High performance T3 switching ASIC, 3.2Tbps, 32MB shared buffer
  • High availability with industry leading VSX redundancy, and redundant power and fans
  • Aruba AOS-CX automation, programmability using built-in REST APIs and Python scripts
  • Advanced Layer 2/3 feature set includes BGP, OSPF, VRF-Lite, and IPv6
  • Dynamic VXLAN with BGP-EVPN for deep segmentation in data center
  • Dual Pensando Data Processing Units (DPU) integrated into the Aruba CX 10000

These P4 programmable processors provide an optimized software stack for networking and security services at the network-server edge and are the foundation for all stateful services delivery on the CX 10000. The processors are centrally managed and monitored by the Policy and Services Manager (PSM).

Managing the Aruba CX 10000

IT operations can leverage Aruba Fabric Composer for unified network and security policy configuration of the Aruba CX 10000. All switch and network configurations and firewall policy definitions for both the switch and distributed firewall can be handled by Aruba Fabric Composer.

This management includes spine/leaf creation, VSX (MLAG) switch provisioning, OSPF/BGP underlay and BGP EVPN overlay provisioning, server port provisioning, storage QoS provisioning, and end-to-end visualization that spans switches, servers, storage devices, NICs, hypervisors, and even VMs. Organizations with dedicated SecOps teams can also leverage Policy and Services Manager (PSM) based on specific security roles and responsibilities. If the Aruba CX 10000 is deployed as the leaf/access layer of a multivendor brownfield fabric, Policy and Services Manager, coupled with integrations with DevOps infrastructure-as-code tools, will enable both services and network policy to be uniformly orchestrated.

Aruba CX 10000 use cases

On-premises enterprise data centers and private cloud

Traditional data center architectures with centralized, hardware-based security appliances are being pushed to their breaking point—imposing performance, agility, and cost burdens that are not sustainable. The CX 10000 provides a compelling architectural alternative that distributes these advanced services to the data center edge, with unified network and security automation and policy management. This new solution optimizes network bandwidth and performance by not having to trombone local traffic to a centralized chokepoint, which helps improve security posture while limiting appliance sprawl complexity and cost.

Co-location edges - securely interconnecting cloud providers

The cost of encrypting access to the public cloud using traditional appliances is exorbitant. Many customers have a compliance mandate to encrypt all access to public cloud resources. The CX 10000 can provide routing with firewall and, in the future, line-rate encryption and NAT for public cloud dedicated private peering connections to Azure, AWS, Oracle, IBM Cloud or GCP from either on-prem or colocation data centers. This solution radically lowers TCO, provides an optimized security architecture, and reduces IT blast radius and risk.

Security ecosystem integration

The Aruba CX 10000 integrates via a REST API and provides flow data to a wide variety of security and network performance tools including Advanced Security ML (XDR), Application Dependency Mapping (ADM), Network Performance Management (NPM), SIEM/SOAR, firewall compliance rules, and identity group mapping tools. For example, the CX 10000 can provide full visibility to all east-west traffic flows in the data center, and as such, it is the source of telemetry truth that XDR ML engines require for their service to work. The CX 10000 can stream all the telemetry for these traffic flows in the data center (complemented by existing north-south firewall telemetry), providing the data required for the XDR engines to find lateral malware movement, insider attacks, command and control traffic, or an external actor within the data center.

HPE and Pensando announcement synergy

The Aruba CX 10000 complements the recent introduction of the Pensando Distributed Services Platform (DSP) for HPE Servers, delivered as a PCI form factor option in HPE ProLiant servers, HPE Apollo systems, and HPE Edgeline Converged Edge systems. The Aruba CX 10000 extends the implementation of these intelligent services into the data center network fabric, addressing a wider range of use cases, including brownfield deployments or infrastructure-agnostic/heterogeneous environments, to complement and augment SmartNIC deployments.
