
Aruba Puts DPUs Into New Top-of-Rack Switch – 5 Questions

Drew Conry-Murray

Aruba Networks has announced a new Top of Rack (ToR) switch, the CX 10000, that includes built-in silicon for running security and network applications directly on the switch. The silicon, which functions as an ASIC or Data Processing Unit (DPU), comes from startup Pensando Systems. Aruba parent company HPE is a strategic investor in Pensando.

The CX 10000 is an L2/L3 ToR switch with 48 10/25Gbps ports and 6 uplink ports of 40/100Gbps. It runs a Broadcom Trident 3 ASIC and comes with Aruba’s AOS network operating system.

It also includes two Pensando DPUs designed to accelerate security and networking services. Each DPU in the switch has a capacity of 400Gbps. This enables a total of 800Gbps throughput for software services to run on the DPUs.

The services that can run on the DPUs include an L4 stateful firewall, telemetry, ERSPAN, and DDoS protection. All of the services are developed by Pensando. Over time, additional services from Pensando will become available, including application-level firewalling, NAT, and IPSec encryption.

Note that Pensando does not support running virtualized applications or services from third parties on the DPUs in the new Aruba switch. If you want firewalling, DDoS protection, and telemetry in the CX 10000, it’s Pensando’s flavors only.

Aruba says the Pensando services can be managed using Aruba Fabric Composer, a software package for managing and automating Aruba switches.

The Pensando DPUs are programmable using P4, an open-source language now being developed under the auspices of the Open Network Foundation. P4 allows for the customization of how a network device processes packets.

1. Why Put DPUs In A Switch?

A distributed services model makes sense in the data center, where the majority of traffic is going east-west. If you want to do any kind of inspection or analysis, you either bring those capabilities close to the workload, or re-direct the workload’s traffic to some centralized cluster of software or hardware appliances.

VMware’s approach, for example, is to put software-based security controls onto physical servers. This cuts down on extra round trips to some distant inspection cluster, and allows security rules to be more precisely tailored to the workload and its environment.

The tradeoffs are that you have to reserve host CPU and memory resources for the security agents. Plus, the more agents you deploy on more servers, the greater your licensing costs and management burden. You can employ SmartNICs or other hardware offloads on the hosts to avoid resource theft, but that still leaves you with the licensing and management challenges.

Putting security controls in the ToR switch eliminates the need to shunt traffic to an appliance cluster adjacent to the data center, a hairpin design that adds complexity and can potentially degrade performance. It may also be less costly to run security services in a handful of switches as opposed to licensing agents to run on hundreds of servers.

On the downside, it’s not clear to me what happens for flows among VMs or containers on the same physical host. If your security controls reside in the switch, it seems to me those flows would go uninspected, or you’d have to shunt them up to the switch and back. This brings us back to the hairpin design we were trying to avoid. As always, it comes down to choosing your tradeoffs.
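The same-host gap described above, as an added example that is not Aruba’s, Pensando’s or the author’s code: a small Python model of a constructed leaf-spine topology (two ToR switches, two hosts each, two VMs per host; all names are made up) that counts which VM-to-VM flows pass through an enforcement point when inspection lives in the ToR switch versus on every host, with and without hairpinning same-host traffic up to the switch and back.

```python
"""
Coverage model for where east-west enforcement sits.

Constructed example topology (not a real deployment):
  tor1 -> h1 (vm1, vm2), h2 (vm3, vm4)
  tor2 -> h3 (vm5, vm6), h4 (vm7, vm8)
A flow is "inspected" if its path crosses at least one enforcement point.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class VM:
    name: str
    host: str
    tor: str


def build_topology():
    """Return the constructed VM inventory used throughout this example."""
    layout = {"tor1": ["h1", "h2"], "tor2": ["h3", "h4"]}
    vms, n = [], 1
    for tor, hosts in layout.items():
        for host in hosts:
            for _ in range(2):
                vms.append(VM(f"vm{n}", host, tor))
                n += 1
    return vms


def path(src, dst, hairpin_same_host=False):
    """List the network elements a flow traverses.

    Same-host flows stay on the host's virtual switch unless the design
    deliberately hairpins them through the ToR. Same-ToR flows never
    reach the spine; cross-ToR flows do.
    """
    if src.host == dst.host:
        return [src.host, src.tor, src.host] if hairpin_same_host else [src.host]
    if src.tor == dst.tor:
        return [src.host, src.tor, dst.host]
    return [src.host, src.tor, "spine", dst.tor, dst.host]


def inspected(flow_path, enforcement_points):
    """True if any hop on the path hosts a security control."""
    return any(hop in enforcement_points for hop in flow_path)


def coverage(vms, enforcement_points, hairpin_same_host=False):
    """Count inspected flows over all VM pairs.

    Returns (inspected, total, missed_pairs) so the uninspected flows
    can be listed, not just counted.
    """
    pairs = list(combinations(vms, 2))
    missed = [
        (a.name, b.name)
        for a, b in pairs
        if not inspected(path(a, b, hairpin_same_host), enforcement_points)
    ]
    return len(pairs) - len(missed), len(pairs), missed


def extra_hops(vms, hairpin_same_host=False):
    """Total hops added by hairpinning, relative to leaving same-host flows local."""
    return sum(
        len(path(a, b, hairpin_same_host)) - len(path(a, b, False))
        for a, b in combinations(vms, 2)
    )


if __name__ == "__main__":
    vms = build_topology()
    for label, points, hairpin in [
        ("ToR enforcement, no hairpin", {"tor1", "tor2"}, False),
        ("ToR enforcement, hairpin same-host", {"tor1", "tor2"}, True),
        ("Host-based enforcement", {"h1", "h2", "h3", "h4"}, False),
    ]:
        seen, total, missed = coverage(vms, points, hairpin)
        print(f"{label}: {seen}/{total} flows inspected; missed={missed}; "
              f"extra hops={extra_hops(vms, hairpin)}")
```

Running it shows the tradeoff the paragraph describes: ToR-only enforcement misses exactly the four same-host pairs, hairpinning recovers them at the cost of two extra hops per such flow, and host-based enforcement sees everything without the detour. The model is deliberately simple (no overlay, no mixed designs), but the same counting is a useful first check when deciding where controls must live for a given rack layout.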

2. Who Is This For?

Aruba says it is targeting two markets with the CX 10000: distributed enterprises (think retail, hospitality, healthcare, etc.), and colocation providers.

3. What’s The Price And Availability?

Aruba is definitely set to compete on price: the CX 10000, including the pair of DPUs, retails for $45,000. That price includes the stateful firewall, ERSPAN, telemetry, and DDoS services.

Aruba expects the CX 10000 to be generally available in January 2022. The company says it has done its best to mitigate impacts from supply chain constraints affecting the technology industry and will have product to ship in 2022. Whether it can ramp to large-scale production is a bridge to be crossed next year.

4. What Happens When You Run Multiple Services On The DPUs?

As mentioned above, Aruba promises up to 800Gbps throughput from the Pensando silicon. If you run the stateful firewall, that’s 800G at your disposal. What if you also want NAT, or line-rate IPSec, or other services?

In an interview with the company, Aruba said there would be a performance impact, but it didn’t have numbers to share just yet. I suppose that’s fair given that those numbers depend on multiple factors including the kinds of services running and the amount of traffic being pumped through the switch.

But “It depends” isn’t a very satisfactory answer if you’re deploying a new rack and counting on a switch to also implement security controls. I expect that Aruba will get those numbers hammered out over time.

Performance-sensitive customers may also want to know if there’s the potential for a bottleneck between the switch ASIC and the DPUs.

5. Aruba In The Data Center?

Aruba is well aware it has work to do to break into the data center market. Best known as a campus Wi-Fi vendor, Aruba is not a brand that leaps to mind for networkers building leaf-spine fabrics.

That said, the company has made significant investments in its networking portfolio. Back in 2017 it revamped its network OS with a modern, modular design. It supports essential data center protocols including VXLAN, EVPN, BGP, OSPF, and IPv6. The company has also launched new access, aggregation, core, and chassis switches over the past several years.

As enterprises refresh their server fleets, Aruba believes there’s an opportunity for the CX 10000 to slip into the rack as well.

I think Aruba has very little to lose with this product. After all, its share of the ToR market can only go up. Meanwhile, the company is declaring that it has created a brand new category of data center switch; it’s mentioned three times in the first four paragraphs of the press release. “Please Mr. Gartner, can we have a Magic Quadrant just for the CX 10000?”

Whether or not that happens, Aruba is giving enterprises a new option for a distributed services design in the data center.

Bonus Question: Why Must I Be Stuck With Pensando’s Services?

I think there’s merit to the idea of putting hardware-accelerated services on a switch, but I feel like Pensando’s closed system is a missed opportunity.

If I’m already a Palo Alto or Check Point or Fortinet shop, wouldn’t it make more sense, operationally, to run a virtual instance of my favorite firewall/IPS/whatever on dedicated hardware on a switch instead of a) having to trust that Pensando wrote good firewall code and b) having to learn all of Pensando’s quirks?

I’m sure there are justifiable reasons why the Pensando DPU only runs Pensando applications (that’s the nature of ASIC design, there are fewer integration headaches, a faster time to product delivery, performance enhancements, and so on), but I think Aruba may be limiting the appeal of this approach by forcing customers into Pensando’s walled garden.

About Drew Conry-Murray: Drew Conry-Murray has been writing about information technology for more than 15 years, with an emphasis on networking, security, and cloud. He's co-host of The Network Break podcast and a Tech Field Day delegate. He loves real tea and virtual donuts, and is delighted that his job lets him talk with so many smart, passionate people. He writes novels in his spare time.