Traditional networks were designed for data centers where the majority of traffic moved in a “north-south” direction. That is, it would come into the data center, travel through three or more tiers, pass through a core, and then “trombone” back out (meaning through a circuitous, latency-causing path). This made the placement of infrastructure, such as load balancers and security devices, relatively straightforward because they could all be deployed in the core.
Data centers are evolving to distributed architectures
As data centers evolved to disaggregated infrastructure, the volume of east-west traffic exploded, creating performance problems. This gave rise to spine-leaf architectures that used a much flatter network design. Today, the data center is in the midst of another transition – to a cloud architecture, where containers and microservices are driving the need to have security and layer 4 to 7 services everywhere. The current leaf/spine design would have firewalls, application delivery controllers, and other infrastructure centrally deployed, meaning the traffic of every container that needs securing would have to traverse a handful of leaf-and-spine switches – to the tools and back – creating an east-west “trombone” problem. One solution would be to deploy firewalls, NAT (network address translation) devices, intrusion prevention systems, encryption tools, and other infrastructure at every network junction point, but this would be expensive and unmanageable. The Aruba-Pensando solution embeds those capabilities in the switch via the DPU. Vendors have tried to do this before in software, having the central CPU handle the processing, but network silicon from vendors such as Broadcom was designed for layer 2 to 3 network traffic, not for security and application-layer services. The Aruba switch is able to offload all the processing of those services to the DPU so network performance is not impacted.
Pensando DPU offloads heavy lifting from network switches
The Pensando DPU includes a wide range of services, including firewall, NAT, DDoS protection, encryption, load balancing, and telemetry. The concept of the DPU is easy to understand if one looks at different markets. For example, CPUs don’t process high levels of graphics well, so computer manufacturers use graphics processing units (GPUs). Similarly, network security vendor Fortinet provides its own security processing unit (SPU) to optimize the performance of its products. The Pensando DPU handles those CPU-crushing data center services. Aruba customers should see a significant performance jump in many data center services. For example, a standard traditional switch can handle about 8,000 ACLs before performance is impacted. An access control list (ACL) is a set of rules for controlling network traffic and reducing network attacks; ACLs filter traffic entering or leaving the network according to those rules. The Aruba CX 10000 can handle about 1 million of them. Similarly, traditional switches can be provisioned for about 10,000 IPSec tunnels, while the new Aruba box can process about 200,000. Aruba also can bring some new capabilities. Standard switches can’t be used as firewalls, but the Aruba product can provision about 1 million rules. One of the big benefits Aruba brings is manageability, as network and security engineers can administer the switches using Aruba’s widely deployed Fabric Composer. All network and security policies can be managed through the product. One of the more progressive attributes of Fabric Composer is that it’s designed for organizations in which the security and network teams have been brought together, but it also provides configuration options if the organization has split SecOps and NetOps groups.
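As an added illustration (not code from the article, Aruba or Pensando), the following Python model shows the direction-aware, first-match-with-implicit-deny semantics of the switch ACLs the passage describes, evaluated over constructed east-west container flows. The rule text format, subnets and port numbers are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    direction: str                 # "in" = entering the switch port, "out" = leaving it
    action: str                    # "permit" or "deny"
    proto: str                     # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None    # None = any destination port


def parse_rule(line: str) -> Rule:
    """Parse one rule in the constructed format:
    <in|out> <permit|deny> <proto> <src-cidr> <dst-cidr> [dport]"""
    parts = line.split()
    if len(parts) not in (5, 6):
        raise ValueError(f"bad rule: {line!r}")
    direction, action, proto, src, dst = parts[:5]
    if direction not in ("in", "out") or action not in ("permit", "deny"):
        raise ValueError(f"bad direction/action: {line!r}")
    dport = int(parts[5]) if len(parts) == 6 else None
    return Rule(direction, action, proto,
                ipaddress.ip_network(src), ipaddress.ip_network(dst), dport)


def evaluate(rules: List[Rule], direction: str, proto: str,
             src: str, dst: str, dport: int) -> str:
    """Return the action of the first rule matching the flow.
    Rules are checked in order; a flow matching nothing is denied
    (the implicit deny at the end of a conventional switch ACL)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.direction != direction or r.proto not in ("any", proto):
            continue
        if s not in r.src or d not in r.dst:
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action
    return "deny"


# Constructed policy for two container subnets behind the same leaf (east-west traffic).
POLICY_TEXT = """
in permit tcp 10.1.0.0/24 10.2.0.0/24 443
in deny any 10.1.0.0/24 10.2.0.0/24
in permit tcp 10.2.0.0/24 10.1.0.0/24 5432
out permit any 10.0.0.0/8 0.0.0.0/0
"""
POLICY = [parse_rule(l) for l in POLICY_TEXT.splitlines() if l.strip()]
```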
Interoperability: Core attribute for Aruba
As is the case with all Aruba products, the CX 10000 was built with interoperability in mind so third-party ecosystem partners can access data in different ways. The box itself provides streaming real-time telemetry. Also, Fabric Composer has an exportable syslog that can be used. Other vendors will choose to integrate using the available APIs. At launch, the company announced a wide range of partners, including Fortinet, Palo Alto, CrowdStrike, Splunk, Netscout, Tufin, and Guardicore, to name a few. For Aruba, partnering with Pensando should bear significant dividends. While former Cisco Systems CEO John Chambers is an investor and chairman, the engineering team at the startup is about as good as there is. The company was founded by the highly successful “MPLS” quartet (Mario Mazzola, Prem Jain, Luca Cafiero, and Soni Jiandani), who built multiple billion-dollar products at Cisco, including its current ACI (Application Centric Infrastructure), which was done via the “spin-in” of Insieme. Historically, changes in compute have always driven network evolution. Compute is shifting from a centralized cloud model to a highly distributed design based on cloud-native technologies, necessitating network change. The new Aruba CX 10000 is ideally suited for modernized data centers in which performance is critical but can’t come at the expense of agility.