Javed Asghar presented Cisco’s emerging strategy for securing AI inferencing workloads, expanding on architectural concepts originally disclosed at the NVIDIA GTC conference. While Cisco’s existing Smart Switches serve as an effective entry-level security option for frontend fabrics running lower-capacity systems, they face strict performance limitations when handling the massive 400 Gbps and 800 Gbps traffic demands of upper-generation platforms like NVIDIA Blackwell. To bridge this performance gap and eliminate network choke points, Cisco is moving enforcement directly into the server host layer through its hybrid mesh firewall architecture. This strategy deploys a self-contained Hypershield firewall instance onto an onboard NVIDIA BlueField DPU SuperNIC, intercepting all input and output traffic directly at the host level without consuming any valuable CPU or GPU compute resources.
The strategy primarily targets NeoCloud environments, using hardware-carved partitions on the host DPU to provide true tenant and VPC isolation. Rather than relying on simple permitted firewalls or logical segregation, this model mirrors physical VRF structures to ensure that multiple tenants sharing GPU-as-a-service infrastructure are strictly isolated without the risk of cross-tenant route leaking. To achieve this cross-platform deployment, Cisco utilizes a common base feature layer that abstracts the underlying hardware, though Asghar noted that individual vendor optimizations necessitate unique P4 code customization. This hardware-specific tuning requires an extra 20% to 40% development overhead, introducing a slight one-to-three-month release gap between AMD-based switch features and NVIDIA-based server DPU features.
Beyond multi-tenant isolation and automated east-west stateful firewalling, the host-level DPU architecture is designed with a compliance-first approach to assist InfoSec and forensic teams. Security operators can baseline unmapped environments by running the DPU firewall in monitor mode, collecting comprehensive telemetry to generate accurate application dependency graphs before transitioning to strict enforcement. To support these continuous compliance workflows, the BlueField DPU generates and streams unsampled, per-packet IPFIX metadata directly to an enterprise collector. This capability provides operators with granular, process-to-network visibility across 800 Gbps pipelines, allowing them to verify data sovereignty and maintain strict architectural evidence for complex AI inferencing environments.
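The monitor-mode baselining workflow described above, as an added sketch that is not Cisco's or NVIDIA's code: it turns flow records into dependency-graph edges, promotes repeatedly observed same-VRF edges to a default-deny allowlist, and sets cross-VRF flows aside for review. The records are constructed, the keys are IANA IPFIX information element names, and the `min_seen` threshold and the one-tenant-per-VRF mapping are assumptions.

```python
from collections import Counter

# Constructed flow records (not captured traffic). Keys are IANA IPFIX
# information element names; one VRF per tenant is an assumption.
def rec(vrf_in, vrf_out, src, dst, port, proto=6):
    return {"ingressVRFID": vrf_in, "egressVRFID": vrf_out,
            "sourceIPv4Address": src, "destinationIPv4Address": dst,
            "destinationTransportPort": port, "protocolIdentifier": proto}

BASELINE = (
    [rec(10, 10, "10.1.0.5", "10.1.0.9", 8000)] * 40     # gateway -> inference server
    + [rec(10, 10, "10.1.0.9", "10.1.0.20", 6379)] * 25  # inference server -> cache
    + [rec(10, 10, "10.1.0.7", "10.1.0.9", 22)]          # seen once: not promoted
    + [rec(10, 20, "10.1.0.9", "10.2.0.4", 8000)] * 3    # crosses VRFs
)

def edge(r):
    """Dependency-graph edge; the ephemeral source port is deliberately ignored."""
    return (r["ingressVRFID"], r["sourceIPv4Address"], r["destinationIPv4Address"],
            r["protocolIdentifier"], r["destinationTransportPort"])

def cross_vrf(records):
    """Edges whose ingress and egress VRF differ: reviewed, never auto-allowed."""
    return {edge(r) for r in records if r["ingressVRFID"] != r["egressVRFID"]}

def derive_allowlist(records, min_seen=5):
    """Promote edges seen at least min_seen times inside a single VRF."""
    counts = Counter(edge(r) for r in records
                     if r["ingressVRFID"] == r["egressVRFID"])
    return {e for e, n in counts.items() if n >= min_seen}

def verdict(record, allowlist):
    """What strict enforcement would do with this flow (default deny)."""
    same_vrf = record["ingressVRFID"] == record["egressVRFID"]
    return "allow" if same_vrf and edge(record) in allowlist else "deny"

ALLOW = derive_allowlist(BASELINE)

if __name__ == "__main__":
    for e in sorted(ALLOW):
        print("allow ", e)
    for e in sorted(cross_vrf(BASELINE)):
        print("review", e)
```

Replaying the baseline through `verdict` before switching to enforcement shows which observed flows would start being dropped.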
Personnel: Javed Asghar