The HPE Aruba Networking CX 10000 offers everything you need in a Top of Rack (ToR) data center switch, including 3.6Tbps of line-rate throughput; 100G ports; a modern, modular network OS that supports scripting, APIs, automation, and telemetry; and other data center features. But the CX 10000 also includes something you won’t find in other switches: a built-in Data Processing Unit, or DPU.
Like a SmartNIC in a server that offloads network or security functions from the CPU, the DPU in the CX 10000 can run services on the switch without any impact on packet processing or packet forwarding. These services include a stateful firewall, NAT, IPFIX, and IPSec encryption, making it a uniquely powerful device.
This implies that the CX 10000 doesn’t just have to sit on the top of a rack. Creative engineers are finding ways to use this DPU-powered switch to support edge and hybrid/multi-cloud use cases that require traffic encryption and high performance. Why? Because the DPUs, manufactured by AMD Pensando, provide plenty of firepower: 800Gbps of stateful services per switch, backed by ARM cores for robust, power-efficient processing. It also supports cryptographic offloads designed for inline IPSec, and compression, decompression, and checksums.
We’ll look at two use cases for the CX 10000: one for edge connectivity, and one to support secure access between applications and data running on premises and in the public cloud. Besides providing new designoptions for network engineers, the CX 10000 can also lower total cost of ownership (TCO) by reducing the amount of specialty hardware required to support these use cases.
The encrypted edge
An HPE customer that provides global cloud hosting to business clients is using the CX 10000 as a Data Center Interconnect (DCI) to connect client sites coming in over the WAN to client pods hosted in the provider’s data center. The CX 10000 acts as a border leaf in this multitenant scenario, terminating IPSec tunnels and providing stateful inspection of traffic originating at the client sites.
The CX 10000 distributes traffic to the appropriate client pods. The switch is also deployed as the fabric leaf in each customer pod. This provides microsegmentation and NAT for clients that access shared services in the provider’s data center. All of this is managed by HPE Aruba Networking Fabric Composer and HPE Aruba Networking Central software to streamline operations.
Because the CX 10000 supports 400Gbps IPSec, NAT, and 800Gbps of stateful firewalling, the provider can collapse the infrastructure required for this service into a single device. For instance, they no longer need to deploy virtual firewall and VPN clusters for these client connections. Besides simplifying its infrastructure and operations, the hosting provider has also lowered its TCO by 60%.
Secure hybrid and multi-cloud options
Enterprises can expand their processing capacity by taking advantage of public clouds. For example, financial institutions can distribute workloads across multiple public clouds to run complex modeling and simulation jobs that require more compute resources than these companies have built out in their own data centers.
Because these workloads hold sensitive data, secure, high-performance connections are required for these hybrid and multi-cloud deployments to protect that data and meet compliance mandates. That requires end-to-end encryption such as IPSec.
Some enterprises that connect on-prem workloads to public cloud VPC or VNet instances will also invest in direct connect circuits from cloud providers for reliable performance. As part of this architecture, they deployfirewall/VPN appliances at colocation sites to link their premises data centers with VPC/VNet instances.
The HPE Aruba Networking CX 10000 can replace these appliances in a colocation facility while providing robust IPSec and stateful firewall performance—including 400G IPSec, 800G firewall, and NAT—at a fraction of the cost.
HPE conducted a hypothetical TCO analysis1 that compares the HPE Aruba Networking CX 10000 switch to a next-generation firewall/VPN hardware appliance. The comparison measured the cost to support 400G of IPSec VPN and stateful NAT to connect three remote locations with 1,000 tunnels per location. The configuration includes a pair of VPN/firewall appliances or a pair CX 10000 switches at each site for redundancy. It calculated hardware and software licensing plus three-year support contracts. It also incorporated a consistent discount off the list price for all devices. The results established that the HPE Aruba Networking CX 10000 provides dramatically lower total cost of ownership (~89%) vs. a design configured with a traditional next-generation firewall/VPN appliance(s).
New design options for secure edge and hybrid cloud
The HPE Aruba Networking CX 10000 gives network engineers and designers more options to connect and secure edge and hybrid/multi-cloud deployments. The switch combines high-performance networking with a powerful DPU that provides IPSec, NAT, stateful firewalling, and other capabilities. Organizations can replace costly security appliances, collapse hardware footprints in edge, data center, and colocation facilities, and maximize TCO without sacrificing on security or throughput.
To get more details on these use cases and TCO calculations, download this whitepaper and visit the HPE Aruba Networking distributed services switches page.
(1) TCO analysis based on hypothetical examples, using specific industry assumptions. Individual customer configurations will vary based on specific designs and configurations.
