An Interview with Pensando Systems: Protect the Unprotected with the Next Evolution of Switching Architecture

Datacenter

As a follow up to last month’s post “A Simple New Approach to Data Center Micro-segmentation” Vandis’ Ryan Young, CTO, sat down with Jason Gmitter, Senior Director of Solution Engineering at Pensando Systems, for a deeper conversation about the architecture of the Aruba/Pensando Switch.

Ryan: First off, congratulations on the AMD acquisition of Pensando.

Jason: Thanks, Ryan.  We’re really excited to become part of such an amazing story.  AMD’s growth over the last 7-8 years is truly remarkable and we look forward to accelerating that.

Ryan: When we last spoke, you introduced micro segmentation. Can you explain how this solution simplifies micro segmentation management?

Jason: Micro-segmentation is a technique which requires a practitioner to fully understand fine-grained communication between entities in order to build policy to protect them. Typically, this is not an easy task. Existing applications evolve and new applications are constantly being deployed - oftentimes with interdependencies on one another. By leveraging a unique vantage point in the data path for application-to-application communication, the Aruba CX 10000 series switch provides insights for operators that allow them to understand and build policy for applications with a network-wide purview.  In addition, it’s complementary to existing investments in telemetry and monitoring tooling, as the Aruba CX 10000 platform acts as an excellent source for telemetry and flow data.

Ryan: How is micro-segmentation integrated into the CX 10000 Switch?

Jason: The stateful segmentation capabilities are seamlessly integrated into the CX switching platform by leveraging an opportunistic redirect mechanism to the Pensando ASIC for any network traffic which requires segmentation. In this way, operators can initially deploy the CX 10000 as a traditional network device, then evolve to methodically add a more granular approach to their east-west data center security posture.

Ryan: How does this solution compare to VMware NSX and Cisco ACI?

Jason: Segmentation in the data center has been a challenge for as long as applications have been around. For example, implementing traditional VLANs is considered one of the first approaches to providing more isolation for applications. Over time, proprietary solutions have emerged to attempt to address the challenge. Software-only based approaches perhaps made it easier to implement segmentation but lacked in pervasive protection for non-virtualized or bare metal parts of the infrastructure. Proprietary network-based solutions had the advantage of hardware performance but were reliant on silicon which lacked in capabilities to offer true stateful segmentation. As a result, organizations have struggled to find the "sweet spot" where ease of implementation, performance, pervasiveness, and a standards-based approach can be realized. With the Aruba CX 10000, the solution leverages revolutionary best-in-class silicon coupled with a standards-based approach, allowing network and security architects to insert performant functionality without compromise.  By leveraging this functionality in a device already required in the network, architectural changes are not required, and all workloads - virtualized, bare metal, etc. - can be accommodated.  In addition, the Aruba CX 10000 software-in-silicon approach provides investment protection and further value realization as features evolve.

Ryan: You’ve talked about the importance of manageability.  Can you comment on what is unique about the Aruba CX 10000 Series Switch?

Jason: Really this is a testament to Aruba’s emergence in the Data Center and their inclusion of Aruba Fabric Composer (AFC) as a first-class option for managing the CX 10000. AFC gives the ability to build and manage complex network fabrics using Aruba’s Data Center switches already. In addition, it can discover and manage various aspects of the compute domain.  For example, with VMware vCenter, the network components can be discovered and managed alongside the physical network. Now, with the CX 10000 and its stateful capabilities, services such as the firewall and its associated policy can be managed through the same single pane of glass.  The coordination of those resources provides a robust way to logically manage security policy for virtual or physical systems and have it enforced at the top of rack – ideal when managed efficiently with AFC.

To learn more about how the Aruba CX 10000 series switch with Pensando Protects the Unprotected in the Datacenter, watch the Tech in 20 minutes demo.