DPU Overview
Bridge integrates with NVIDIA BlueField-3 (BF3) Data Processing Units (DPUs) to offload control plane functions from the host CPU to dedicated hardware. This enables zero-trust security, host-based networking (HBN), distributed gateway enforcement, and tenant isolation without relying on the server's main board for control plane security.
Role of the DPU in Bridge
In a standard server, the host CPU handles both application workloads and outward-facing control functions such as networking, security, and access control. With BF3, Bridge offloads these control functions to the DPU card, allowing the host CPU and GPU to run only tenant workloads.
| Function | Without DPU | With BF3 DPU |
|---|---|---|
| Networking | Host CPU | Offloaded to DPU (HBN) |
| Tenant isolation | Switch-level only | Switch + DPU (dual enforcement) |
| Security | Software-based on host | Hardware root of trust on DPU |
| Gateway | External appliance only | Distributed per-DPU (BIG-IP Next) |
| Provisioning | MaaS/BCM via OOB | DPU-controlled over OOB |
BF3 Operating Modes
Bridge supports two BF3 operating modes depending on the deployment use case:
| Mode | Description | Use Case |
|---|---|---|
| DPU mode (Zero Trust) | BF3 acts as an independent control plane; the host is provisioned and managed through the DPU | Bare metal and VM isolation, HBN, distributed gateway |
| NIC mode (SuperNIC) | BF3 functions as a high-performance SmartNIC managed via the DOCA Management Service (DMS) | Spectrum-X networking, RoCE, adaptive routing |
Day 0 Provisioning Sequence
Bridge provisions BF3-equipped servers in the following order:
- Host provisioning — Bridge provisions the host OS via MaaS or BCM over the OOB network.
- DPU provisioning — The Bridge DPU provisioning controller downloads and flashes the BFB (BlueField Boot) image and provisions the DPU over rshim.
- DOCA service setup — The Bridge DOCA service controller configures DOCA services on the DPU over the OOB network.
- DPF registration — The DPU is added as a worker node to the DPU Fabric (DPF) control plane hosted on Bridge.
- HBN and switch fabric configuration — Bridge orchestrates Host-Based Networking to the DPUs and configures isolated L3 networks on the inband switch fabric.
- Tenant access — Tenant access is enabled via the gateway over the isolated L3 networks.
Day N Operations
Once provisioned, Bridge uses DPUs for ongoing operations:
- Host-based networking (HBN) — Tenant VRFs, VXLANs, and VF-to-representor mappings are enforced at the DPU level, enabling SDN for virtualization and Kubernetes.
- Distributed gateway — F5 BIG-IP Next runs on each DPU, providing per-tenant NAT, load balancing, and WAF without requiring a centralized appliance.
- Distributed firewall — Security group policies are enforced locally on each DPU.
Related Pages
- BlueField-3 (BF3) — DPU mode provisioning, Zero Trust DPF, and DOCA HBN controller
- SuperNIC — NIC mode configuration for Spectrum-X
- DOCA Catalog — DOCA services managed by Bridge