Aruba CX 10000: Eliminating East-West Bottlenecks with Pensando DPUs
The traditional "firewall-as-a-chassis" model is dead; it simply cannot survive the east-west traffic explosion of the modern 100G data center. For too long, we’ve been backhauling local VLAN traffic to a central inspection point, introducing latency and creating massive hair-pinning bottlenecks. The Aruba CX 10000, powered by the Pensando Elba DPU, represents the first credible shift away from centralized appliances toward a truly distributed services architecture that operates at the Top-of-Rack (ToR) layer with 800 Gbps of stateful services capacity.
The Architectural Impasse: Why 2026 Demands DPUs
In a standard leaf-spine architecture, north-south traffic is typically well-handled. However, east-west traffic accounts for roughly 80% of data center flows. When you attempt to secure this traffic using traditional hardware firewalls, you hit a scaling wall. To inspect 100G flows between microservices, you either spend a fortune on high-end appliances (like FortiGate 3000F or Cisco Firepower 9300) or you simply don't inspect it, leaving your interior wide open.
The Aruba CX 10000 changes this by embedding a programmable Data Processing Unit (DPU) directly into the switch ASIC pipeline. This isn't just basic ACLs or flow-monitoring; we are talking about stateful L4 inspection, NAT, and even telemetry export at 100G line rates per port. By distributing the security enforcement to the point of connection, the CX 10000 eliminates the need for hair-pinning traffic to a security cluster.
Hardware deep-dive: The Pensando Elba Silicon
The magic happens in the Pensando Elba DPU. Unlike a standard Broadcom Trident or Tomahawk ASIC, which is optimized for fast packet forwarding, the Elba DPU is a highly programmable processor designed for stateful services. In the CX 10000, the Aruba AOS-CX ASIC handles the L2/L3 switching, but it can transparently redirect traffic to the Elba DPU for intensive processing.
- Throughput: 800 Gbps of stateful firewall performance per switch.
- Concurrent Sessions: Support for up to 1 million stateful sessions.
- Latency: Generally stays under 10 microseconds for stateful inspection—an order of magnitude faster than a standard firewall hop.
- Power Consumption: By consolidating security into the switch, you reduce the power footprint by up to 30% compared to a discrete switch + firewall combo.
The CX 10000 is a 1U fixed-configuration switch with 48 ports of 10/25GbE (SFP28) and 6 ports of 40/100GbE (QSFP28). While it looks like a standard leaf switch, its ability to run a distributed policy engine via the Pensando Policy and Services Manager (PSM) is what sets it apart.
Configuration: Implementing a Zero-Trust Fabric
Operating a CX 10000 requires a shift in how you think about policy. You aren't configuring "rules" on an interface in the traditional sense; you are defining a global policy in the Pensando PSM and pushing it to the distributed DPUs. However, from the CLI, the integration is seamless. You can see the service-policy application directly on the physical interfaces or LAGs.
! Example: Applying a stateful policy to a server-facing interface
interface 1/1/1
description Web-Server-Farm-01
no shutdown
mtu 9100
vlan access 10
service-policy type psm name Web_Tier_Security in
service-policy type psm name Web_Tier_Security out
The Web_Tier_Security policy is defined in the PSM UI or via API, where you specify L4 protocols, source/destination prefixes, and logging requirements. Because the DPU resides in the data path, it can enforce these rules with zero performance degradation. If you've been following our earlier work on EVPN-VXLAN design, you'll recognize that the CX 10000 integrates perfectly into a VXLAN fabric, allowing security policies to follow the workload across the fabric.
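Because the policy is defined centrally and pushed to every DPU in the fabric, a mistake in it is enforced at every rack at once, so it pays to lint the policy as code before it leaves the PSM. The following is an added example, not Aruba or Pensando tooling: the Rule structure is a hypothetical intermediate representation, not the PSM API schema, and the prefixes and port numbers are constructed around the Web_Tier_Security policy from the configuration above. The checks encode what the text says a PSM policy carries (L4 protocol and port, source/destination prefixes, logging) plus the zero-trust expectation that the policy ends in an explicit, logged default deny.

```python
"""Policy-as-code lint for an L4 stateful policy before it is pushed to the DPUs.

Added example. The Rule dataclass is a hypothetical representation, not the
Pensando PSM schema; all prefixes and ports are constructed sample values.
"""
import ipaddress
import json
import re
from dataclasses import asdict, dataclass
from typing import List


@dataclass
class Rule:
    name: str
    action: str       # "permit" or "deny"
    proto: str        # "tcp", "udp", "icmp" or "any"
    src: str          # source prefix in CIDR form
    dst: str          # destination prefix in CIDR form
    dst_ports: str    # "443", "1024-65535" or "any"
    log: bool = False


_ANY = "0.0.0.0/0"
_PORT_RE = re.compile(r"any|\d{1,5}(?:-\d{1,5})?")


def lint_policy(rules: List[Rule]) -> List[str]:
    """Return a list of findings; an empty list means the policy passes."""
    findings = []
    if not rules:
        return ["policy is empty"]
    for i, r in enumerate(rules):
        for label, cidr in (("src", r.src), ("dst", r.dst)):
            try:
                ipaddress.ip_network(cidr, strict=False)
            except ValueError:
                findings.append(f"rule {i} ({r.name}): bad {label} prefix {cidr!r}")
        if r.action not in ("permit", "deny"):
            findings.append(f"rule {i} ({r.name}): unknown action {r.action!r}")
        if not _PORT_RE.fullmatch(r.dst_ports):
            findings.append(f"rule {i} ({r.name}): bad port spec {r.dst_ports!r}")
        # A permit with no protocol or port constraint is not segmentation.
        if r.action == "permit" and r.proto == "any" and r.dst_ports == "any":
            findings.append(f"rule {i} ({r.name}): permit with any protocol and any port")
        if r.action == "permit" and r.src == _ANY and r.dst == _ANY:
            findings.append(f"rule {i} ({r.name}): permit from any to any")
        # Denies that are not logged give no telemetry when something is blocked.
        if r.action == "deny" and not r.log:
            findings.append(f"rule {i} ({r.name}): deny without logging")
    last = rules[-1]
    if not (last.action == "deny" and last.proto == "any"
            and last.src == _ANY and last.dst == _ANY and last.log):
        findings.append("policy does not end with a logged default deny")
    return findings


def render(name: str, rules: List[Rule]) -> str:
    """Serialize the policy; the JSON layout is illustrative, not the PSM format."""
    return json.dumps({"name": name, "rules": [asdict(r) for r in rules]}, indent=2)


# Constructed web-tier policy: load balancers to web, web to app, nothing else.
WEB_TIER = [
    Rule("allow-lb-to-web", "permit", "tcp", "10.0.5.0/24", "10.0.10.0/24", "443"),
    Rule("allow-web-to-app", "permit", "tcp", "10.0.10.0/24", "10.0.20.0/24", "8443"),
    Rule("deny-web-to-db", "deny", "any", "10.0.10.0/24", "10.0.30.0/24", "any", log=True),
    Rule("default-deny", "deny", "any", _ANY, _ANY, "any", log=True),
]

# Constructed counter-example: a single wide-open permit and no default deny.
WIDE_OPEN = [Rule("wide-open", "permit", "any", _ANY, _ANY, "any")]

if __name__ == "__main__":
    for label, policy in (("Web_Tier_Security", WEB_TIER), ("wide-open", WIDE_OPEN)):
        print(label, lint_policy(policy) or "OK")
    print(render("Web_Tier_Security", WEB_TIER))
```

Run the lint in the same pipeline that calls the PSM API, and refuse to push when it returns findings; the default-deny check is the one that matters most, because a distributed policy without it silently permits every flow the explicit rules do not mention.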
Integration: VMware NSX and the "Best of Both Worlds"
There is a common misconception that the CX 10000 competes with VMware NSX. In reality, they are complementary. NSX is fantastic for micro-segmentation at the hypervisor level, but it cannot protect "bare-metal" servers, legacy mainframes, or specialized appliances (like high-performance storage) that don't run a standard ESXi agent.
The CX 10000 fills the "Zero Trust Gap" for non-virtualized workloads. By using the CX 10000 as the Top-of-Rack switch for both virtualized hosts and bare-metal servers, you can enforce a unified security policy across the entire environment. The Aruba Fabric Composer (AFC) can even orchestrate both the network fabric and the Pensando security policies, providing a single pane of glass for the entire data center operations.
Operational Realities: Costs and Licensing
Let's talk numbers. A single Aruba CX 10000 generally lists around $45,000 depending on your discount tier. When compared to a standard 25G leaf switch (roughly $15,000 - $20,000) and a mid-range stateful firewall ($30,000+), the CX 10000 is essentially "cost neutral" from a hardware perspective but offers 10x the throughput capacity.
Licensing is where engineers often get tripped up. There are two primary components:
- AOS-CX Premier License: Required for the advanced networking features and integration with fabric orchestration.
- Pensando PSM License: Required to manage the DPU security policies. This is typically licensed per switch for a 3-year or 5-year term.
For a typical 20-rack data center, the savings in firewall hardware maintenance alone often pay for the Pensando licensing within 18 months.
Performance Validation: Breaking the 100G Barrier
In our lab testing, we pushed 100GbE line-rate traffic through a CX 10000 with a stateful policy consisting of 5,000 rules. Traditional firewalls would see a massive spike in CPU and a drop in throughput as the rule-depth increases. The CX 10000, however, showed a flat performance curve. This is because the Elba DPU uses a specialized Match-Action Engine (MAE) that processes rules in parallel, rather than the sequential processing found in x86-based firewalls.
# Monitoring DPU utilization and session health
switch# show pens-dpu status
DPU Slot 1/1:
Status: Up
Firmware Version: 1.45.2-E
Service Policy: Active
Active Sessions: 452,102
Throughput (Last 5 min): 642 Gbps
Drops (Policy): 1,202
The granularity of the telemetry is also a major win. The DPUs can export IPFIX or NetFlow data for every single flow without any impact on the switching ASIC. This provides 100% visibility into east-west traffic—something that was previously impossible without deploying intrusive taps or packet brokers.
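Telemetry is only useful if someone acts on it. The following is an added example, not Aruba code: it parses the show pens-dpu status output printed above (the sample text is copied from that block), then checks session headroom against the 1 million session limit and throughput against the 800 Gbps stateful capacity that the article cites, and flags a burst of policy drops between two polls. The threshold percentages and the drop-delta limit are illustrative assumptions.

```python
"""Operational check over 'show pens-dpu status' output.

Added example. The sample is copied from the CLI output in the article;
the capacity figures come from the article; thresholds are assumptions.
"""
import re
from typing import List, Optional

SESSION_CAPACITY = 1_000_000   # stateful sessions per switch, as cited in the text
STATEFUL_GBPS = 800            # stateful services capacity, as cited in the text

# Sample copied from the article's CLI output.
SAMPLE = """\
switch# show pens-dpu status
DPU Slot 1/1:
Status: Up
Firmware Version: 1.45.2-E
Service Policy: Active
Active Sessions: 452,102
Throughput (Last 5 min): 642 Gbps
Drops (Policy): 1,202
"""


def _number(value: str) -> int:
    """'452,102' -> 452102 and '642 Gbps' -> 642."""
    return int(value.replace(",", "").split()[0])


def parse_dpu_status(text: str) -> dict:
    """Extract the fields acted on below; KeyError if the output lacks one."""
    fields = {}
    slot = None
    for line in text.splitlines():
        m = re.match(r"\s*DPU Slot (\S+):\s*$", line)
        if m:
            slot = m.group(1)
            continue
        m = re.match(r"\s*([^:]+?):\s*(.+?)\s*$", line)
        if m:
            fields[m.group(1)] = m.group(2)
    return {
        "slot": slot,
        "status": fields["Status"],
        "firmware": fields["Firmware Version"],
        "policy": fields["Service Policy"],
        "sessions": _number(fields["Active Sessions"]),
        "gbps": _number(fields["Throughput (Last 5 min)"]),
        "policy_drops": _number(fields["Drops (Policy)"]),
    }


def assess(cur: dict, prev: Optional[dict] = None,
           session_warn: float = 0.80,      # assumed: warn at 80% of the session table
           throughput_warn: float = 0.90,   # assumed: warn at 90% of rated capacity
           drop_delta_warn: int = 500) -> List[str]:
    """Return human-readable alerts; an empty list means nothing to act on."""
    alerts = []
    if cur["status"] != "Up":
        alerts.append(f"DPU {cur['slot']} status is {cur['status']}")
    if cur["policy"] != "Active":
        # An inactive service policy means traffic on this ToR is not being enforced.
        alerts.append(f"DPU {cur['slot']} service policy is {cur['policy']}")
    util = cur["sessions"] / SESSION_CAPACITY
    if util >= session_warn:
        alerts.append(f"session table at {util:.0%} of {SESSION_CAPACITY:,}")
    if cur["gbps"] >= throughput_warn * STATEFUL_GBPS:
        alerts.append(f"stateful throughput {cur['gbps']} Gbps near {STATEFUL_GBPS} Gbps rating")
    if prev is not None:
        delta = cur["policy_drops"] - prev["policy_drops"]
        # A sudden rise in policy drops is either a misapplied rule or a real scan.
        if delta >= drop_delta_warn:
            alerts.append(f"{delta:,} new policy drops since last poll")
    return alerts


if __name__ == "__main__":
    now = parse_dpu_status(SAMPLE)
    print(now, assess(now) or "OK")
```

Poll the output on a fixed interval (or feed the same checks from the IPFIX export) and keep the previous sample so the drop delta has a baseline; the session-headroom check is the one that gives early warning, since a full session table degrades new flows before any throughput counter moves.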
Conclusion: The Future is Distributed
The Aruba CX 10000 is not just a niche product for high-frequency trading or hyperscalers. It is the architectural blueprint for any enterprise moving toward a Zero Trust model. By offloading stateful services to the DPU, we free up the core network from being a security bottleneck. If you are still buying standalone mid-range firewalls for internal segmentation in 2026, you are building a legacy bottleneck that will eventually fail under the load of your own data.
For engineering teams looking to modernize their fabric, we provide deep-dive workshops on CX 10000 implementation and Pensando PSM automation. Reach out to us at techleague.io to schedule a technical architecture review and move beyond the limitations of centralized appliances.
Frequently asked questions
Is the Aruba CX 10000 just a standard switch with better ACLs?
No. The CX 10000 uses the Pensando P4-programmable DPU for stateful services, whereas traditional switches use fixed-function ASICs and basic TCAM for stateless ACLs, which cannot track connection state.
Can the CX 10000 replace my Perimeter Firewalls?
No, the CX 10000 is designed to complement existing firewalls. It handles high-volume east-west traffic (internal segmentation), while your perimeter firewalls (Palo Alto/Fortinet) handle complex north-south L7 inspection and VPN termination.
Does it support Layer 7 Application Inspection (DPI)?
The CX 10000 currently focuses on stateful L4 inspection (IP, Port, Protocol). For deep packet inspection (L7) or SSL decryption, you would still redirect specific flows to a dedicated appliance or use hypervisor-level tools.
Can I integrate the CX 10000 with VMware vCenter?
Yes, through Aruba Fabric Composer and Pensando PSM, you can automate policy synchronization with vCenter, allowing security rules to update automatically as VMs move between hosts.
What is the maximum session capacity of the Pensando DPU?
The CX 10000 supports up to 1 million concurrent stateful sessions per switch, which is significantly higher than most mid-to-high range hardware security appliances.
Does the stateful inspection add significant latency to my 100G flows?
The DPU adds negligible latency, typically less than 10 microseconds. This is far superior to the 50-200 microseconds usually added when hair-pinning traffic to an external firewall cluster.