The News: The HPE Aruba CX 10000 Series Switch is developed and promoted as potentially representing a new category of data center (DC) switch that combines Aruba CX data center L2/3 switching with the hardware-accelerated programmable Pensando P4 processor aiming at the goal of delivering stateful services inline, at scale, with wire-rate performance at orders of magnitude improvement over traditional DC L2/3 switches.
The Aruba CX 10000 switching solution targets allowing operators to extend the capabilities of the leaf-spine fabric to natively provide 800G of distributed stateful firewall for east-west traffic, zero-trust segmentation, pervasive telemetry as well as stateful NAT, encryption services in the future. The Aruba CX 10000 will be generally available in January 2022 with pricing starting at $45,000 USD which will include accelerated Stateful Firewall, Zero Trust Segmentation, ERSPAN, Telemetry and DDoS protection. Customers will have the ability to upgrade to a premium services license option at a future date that will include all the base services license functionality plus: IPSec Encryption, NAT, Advanced DDoS and additional network and security services. Read the Aruba Press Release here.
Aruba CX 10000 Series Switch Launch Aims to Shatter Centralized Security Appliance Chokepoints
Analyst Take: Aruba, a HPE company, and Pensando are building on the alliance HPE and Pensando announced in October 2019 after coming out of stealth mode. The partnership aims to move the traditionally data center-bound network, storage, and security services to the server processing the data, potentially eliminating the need for round-trip data transfer to centralized network and security appliances while also delivering lower cost, more efficiency, and higher performance.
An investor in Pensando, HPE led a Series C investment of $145 million in 2019, and the company is integrating Pensando technology across HPE solutions with the objective of providing software-defined computing, networking, storage, and security services to where data is generated.
In 2020, HPE followed on its investment by making Pensando’s Distributed Services Platform available on HPE infrastructure solutions through GreenLake. Further executing on this strategy, HPE has now launched the Aruba CX 10000 Series Switch with Pensando, promoting the new product as an industry breakthrough Distributed Services Switch.
The new offering takes aim at the DC networking services architectures, especially the centralized security appliances that HPE identifies as expensive and inefficient at inspecting and protecting east-west application traffic within the data center. For example, hair-pinning traffic to an appliance sitting at the data center edge comes with heavy performance and cost penalties and can be exacerbated by microservices-based applications, where traffic may not even leave a physical host to go from one service to another. As a result, some application traffic may never be inspected by a hardware firewall, intrusion prevent system (IPS), or other security device, leaving enterprises vulnerable to attacks from within the enterprise itself.
From my perspective, the Aruba CX 10000 can allow enterprise organizations to extend the capabilities of the leaf-spine fabric to natively provide 800G of distributed stateful firewall for east-west traffic, zero-trust segmentation, pervasive telemetry, and in the future stateful NAT, encryption services. The solution is developed to provide a synthesis of performance, scale, and automation for distributing networking and security services where it is costly to force traffic back and forth across the network to a centralized policy enforcement point and instead applies these services at the services network access layer edge, where the applications are running. Key customer benefits of this solution can include:
- Improving security posture and limits appliance sprawl
- Extending Zero Trust Segmentation deeper into the DC for any type of host
- Delivering isolation and multi-tenancy for virtualized, bare-metal, or containerized workloads
Pensando Chairman and industry luminary John Chambers is touting that by eliminating legacy appliances and host software, enterprises can look to deliver 100x the scale and 10x the performance at 1/3 the TCO of traditional approaches.
Aruba CX 10000 Series with Pensando: Key Differentiators and Competitive Concerns
My assessment is that this solution is an attractive offering. Aruba and Pensando are providing IT decision makers a significantly differentiated Distributed Services Switch (DSS) alternative to centralized security appliances (e.g., firewalls) supplied by players such as Palo Alto Networks, Fortinet, Cisco, Juniper, and Check Point. With the Aruba CX 10000 DSS, DC security implementations can minimize centralized networking service layer chokepoints and enable deployments where security agents are not deployable into servers, as well as ease overall security management and automation.
What is less clear is how differentiated the DSS solution is in relation to approaches that use DPU/Smart NIC alternatives to centralized security appliances. For example, NVIDIA’s data processing unit (DPU) can also offload, accelerate, and isolate a broad range of security, advanced networking, and storage services. BlueField DPUs also target delivering secure and accelerated infrastructure for any workload in any environment, including the DC, cloud, and edge realms since they blend computing, full infrastructure-on-chip programmability, and high-performance networking to support the most demanding workloads. Moreover, SmartNICs for example can provide a second computing domain inside the server that could be used for security, orchestration, and control plane tasks, boosting security in relation to running inside the same x86 system domain.
Moreover, I view the new solution as providing an alternative to infrastructure provisioning solutions such as VMWare NSX Data Center, which reproduces the entire network model in software so organizations can rapidly create and provision network topology to deliver applications and services. The NSX proposition is suitable for provisioning the overlay portion of the network, although the underlay portion can require a separate platform. Conversely, HPE Aruba can fulfill both the overlay and underlay provisioning requirements of the network topology, including DC fabrics and distributed networking and security services, which is clearly a key differentiator across the provisioning product category.
Pensando’s P4 programmable processors provide a software stack for networking, security services at the network-server edge and can provide the foundation for all stateful services delivery on the CX10000. The processors are centrally managed and monitored by the Policy and Service Manager (PSM). In addition, IT operations can use Aruba Fabric Composer for unified network, security policy configuration Aruba CX 10000. All switch and network configurations and firewall policy definitions for both the switch and distributed firewall can be handled by Aruba Fabric Composer.
Aruba ESP (Edge Services Platform) is designed to automate, unify, and secure all network edge services across domains including DC, remote, branch, and campus settings. The Aruba CX 10000 may help customers expand a Zero Trust Network Architecture deeper into the DC, to the network-server edge, delivering 800G East-West Stateful Services across every switch port, augmenting the secure scaling of critical applications and workloads. I believe Aruba needs to further demonstrate the DC fabric credentials of Aruba ESP and Aruba Fabric Composer, especially in providing unified network/security configuration, as well as unified fabric administration across DSS, SmartNIC, and legacy implementations that enable organizations to automate and simplify the mixing and matching of security capabilities including end point provisioning of VLANs.
Also of concern is the HPE Aruba CX 10000 list pricing that starts at $45,000 USD and is slated to include accelerated Stateful Firewall, Zero Trust Segmentation, ERSPAN, Telemetry and DDoS protection. Many organizations must support compliance mandates to encrypt all access to public cloud resources. I see the relatively steep cost of encrypting access to the public cloud using traditional appliances as a potential barrier.
The CX 10000 can provide routing, with firewall, as well as planned support of line-rate encryption and NAT for public cloud dedicated private peering connections to AWS, Azure, Oracle, IBM Cloud or GCP from either on-prem or colocation DCs. This solution could substantially lower the total cost of ownership to warrant the product’s initial $45K list pricing (above the typical list pricing of similar DC switching equipment), although I anticipate that Aruba will need to proactively quantify and energetically tout the TCO benefits in order to shorten sales cycles, address the cost issue, and win more business.
Key Takeaways on HPE Aruba CX 10000 with Pendsando Launch
Overall, I expect that the new CX 10000 DSS proposition, enabled by Pensando software-in-silicon, can make the process of deploying distributed services, previously only available to hyperscalers like AWS, in the enterprise more cost-effective and streamlined. The new Aruba product can competitively threaten legacy security appliances and host software by enabling enterprises to take advantage of TCO, scaling, and performance benefits. Now HPE Aruba, in accord with Pensando, needs to further validate these potential benefits, especially TCO, to avoid potentially longer sales cycles as well as further crystallize advantages over SmartNIC/DPU alternatives and boosting Aruba ESP and Aruba Fabric Composer credentials to handle comprehensive fabric administration demands.
Disclosure: Futurum Research is a research and advisory firm that engages or has engaged in research, analysis, and advisory services with many technology companies, including those mentioned in this article. The author does not hold any equity positions with any company mentioned in this article.
Other insights from Futurum Research:
HPE GreenLake Lighthouse: Taking Distributed Cloud Strategy to the Next Level
HPE GreenLake Meets Growing Ecosystem Demand for Cloud Data Protection and Unified Analytics
Image Credit: Forbes
The original version of this article was first published on Futurum Research.
Ron is an experienced research expert and analyst, with over 20 years of experience in the digital and IT transformation markets. He is a recognized authority at tracking the evolution of and identifying the key disruptive trends within the service enablement ecosystem, including software and services, infrastructure, 5G/IoT, AI/analytics, security, cloud computing, revenue management, and regulatory issues.