A10 Thunder ADC delivers critical services in efficient hardware- and software-based form factors. The Thunder ADC product line saves rack space and reduces power consumption through CPU and memory optimization in the ADC, infrastructure consolidation and a lower overall data center cooling load.
The product line is built on A10's Advanced Core Operating System (ACOS®) platform and its Symmetric Scalable Multi-Core Processing (SSMP) software architecture, which delivers high performance and a range of deployment options for dedicated, hosted or cloud data centers.
A10 Networks: Delivering Data Center to Data Center communications securely
SOLUTION BRIEF
Data Privacy Challenges
Organizations of all sizes rely on IPsec VPNs to prevent snooping and data theft and to meet compliance requirements. IPsec provides a cost-effective and secure way to transfer data over IP networks.
While IPsec is a mature and well understood technology, new networking paradigms such as cloud computing, together with escalating bandwidth requirements, are compelling large enterprises and service providers to rethink their VPN strategies. As a result, organizations need VPN architectures that can:
• Support very high IPsec throughput
• Use BGP routing for high availability and rapid scaling
• Spin up new IPsec tunnels and gateways on demand in cloud environments
• Minimize power consumption and rack space for data center efficiency
Organizations need a solution they can trust to deliver reliable IPsec connectivity, and one that interoperates with their existing routers and IPsec VPN gateways.
High-Speed IPsec Encryption with A10
The A10 Networks® Thunder® ADC line of Application Delivery Controllers includes IPsec encryption capabilities that let enterprises and service providers build out large-scale VPN deployments. Thunder ADC supports up to 20,000 VPN tunnels per platform (the exact limit depends on the appliance model) and a broad array of encryption and data integrity algorithms, so organizations can deploy it alongside their existing VPN equipment or build new VPN networks on Thunder ADC appliances alone.
In addition to IPsec VPN, Thunder ADC supports a comprehensive set of networking features, including advanced server load balancing, Network Address Translation (NAT), IPv4 and IPv6 routing, and access control lists. With these features on one platform, organizations can support complex network designs and granularly control access to remote resources without deploying and managing numerous appliances. All of these features, including IPsec, are provided as standard with Thunder ADC under A10's all-inclusive licensing.
THUNDER ADC IPSEC VPN
Encrypt Traffic on a Massive Scale and in the Cloud

Challenge: To protect communications, organizations need to encrypt data at high speed and scale out VPN tunnel capacity on demand.

Solution: A10 Networks enables organizations to reduce their data center footprint and ensure data privacy with integrated, high-performance IPsec VPN and load balancing.

Benefits:
• Consolidate IPsec VPN, server load balancing and stateful firewall functionality
• Encrypt data at high speed
• Reduce rack space and power requirements
• Scale capacity by launching new VPN gateways on demand

High Availability and Rapid Scaling
For many organizations, VPNs serve business-critical functions such as data migration, disaster recovery, remote user access, and connecting data centers to cloud networks. Regardless of the use case, organizations depend on VPNs to run their business, and these VPNs must always be available.
Thunder ADC supports an array of clustering, high availability and dynamic routing features that maximize uptime, not just for IPsec VPN routes but also for connectivity to servers and applications. High availability and scaling features include:
• Route monitoring and failover – Using A10's enhanced Virtual Router Redundancy Protocol implementation, VRRP-a, Thunder ADC can monitor route and VPN gateway failures and rapidly fail traffic over to a passive Thunder ADC appliance. Supporting up to eight appliances in a cluster, VRRP-a can detect unresponsive services, servers and applications and identify infrastructure failures. With the A10 Virtual Chassis System (aVCS®), multiple A10 devices can function as a single virtual chassis with a single point of control and centralized statistics.
• Intelligent routing to increase VPN capacity – Thunder ADC supports Border Gateway Protocol (BGP) routing, which not only lets BGP routers communicate across IPsec VPN tunnels but also lets organizations boost IPsec capacity simply by deploying more Thunder ADC appliances: with BGP advertising the tunnel routes, deployments can scale to terabit bandwidth requirements without complicated network designs or forklift hardware upgrades. VRRP-a integrates with BGP to inject routes and ensure smooth route failovers. Thunder ADC also supports Bidirectional Forwarding Detection (BFD) for fast path failure detection and route convergence.
• Bandwidth aggregation by load balancing traffic over multiple paths – Thunder ADC uses Equal-Cost Multipath (ECMP) routing to increase total IPsec VPN bandwidth. ECMP, combined with BGP, lets routers hold multiple equal-cost routes at once, so Thunder ADC can load balance traffic across several tunnels and boost overall VPN capacity.
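The ECMP-plus-BFD behaviour described above, as an added example that is not A10's code: a small flow-hashed load balancer over several route-based IPsec tunnels, where a tunnel is withdrawn from the equal-cost set when its BFD session goes down. Tunnel names and flows are constructed for the example, and the rendezvous hash stands in for whatever hash a real router uses. Two properties matter for an IPsec deployment and are asserted in the code: a BFD failure moves only the flows that were on the failed tunnel, and every packet of a flow stays on one tunnel (one ESP SA), so the peer's anti-replay window never sees reordering introduced by the load balancer.

```python
"""Added example, not A10's code: flow-hashed ECMP across route-based IPsec tunnels
with BFD-driven path withdrawal.  Tunnel names and flows are constructed here."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Tuple

Flow = Tuple[str, str, int, int, int]  # (src, dst, protocol, sport, dport)


@dataclass
class Tunnel:
    """One route-based IPsec tunnel: its own ESP SA per direction, one BFD session across it."""
    name: str
    bfd_up: bool = True
    esp_seq: int = 0  # outbound ESP sequence number on this tunnel's SA


class EcmpOverIpsec:
    def __init__(self, tunnels: List[Tunnel]):
        self.tunnels: Dict[str, Tunnel] = {t.name: t for t in tunnels}

    def active(self) -> List[str]:
        """Equal-cost next hops: tunnels whose BFD session is currently up."""
        return sorted(n for n, t in self.tunnels.items() if t.bfd_up)

    def select(self, flow: Flow) -> str:
        """Rendezvous (highest-random-weight) hashing over the active tunnels: a flow
        always lands on its best-scoring tunnel, so withdrawing one tunnel only
        re-places the flows that were on it."""
        paths = self.active()
        if not paths:
            raise RuntimeError("no IPsec tunnel with a BFD session up")

        def weight(path: str) -> bytes:
            return hashlib.sha256(f"{path}|{flow}".encode()).digest()

        return max(paths, key=weight)

    def send(self, flow: Flow) -> Tuple[str, int]:
        """Forward one packet of a flow; returns the tunnel used and the ESP sequence number."""
        t = self.tunnels[self.select(flow)]
        t.esp_seq += 1
        return t.name, t.esp_seq

    def bfd_event(self, name: str, up: bool) -> None:
        self.tunnels[name].bfd_up = up


def sample_flows(n: int) -> List[Flow]:
    """Constructed sample: n TCP flows from 10.1.0.0/16 to 10.2.0.10:443 (not real traffic)."""
    return [(f"10.1.{i // 256}.{i % 256}", "10.2.0.10", 6, 40000 + i, 443) for i in range(n)]


def failover_impact(balancer: EcmpOverIpsec, flows: List[Flow], failed: str) -> Tuple[int, int]:
    """Take one tunnel down via BFD; return (flows that moved, flows that were on it)."""
    before = {f: balancer.select(f) for f in flows}
    balancer.bfd_event(failed, up=False)
    after = {f: balancer.select(f) for f in flows}
    moved = [f for f in flows if before[f] != after[f]]
    assert all(before[f] == failed for f in moved), "a flow not on the failed tunnel moved"
    assert all(after[f] != failed for f in flows), "a flow is still on the failed tunnel"
    return len(moved), sum(1 for f in flows if before[f] == failed)


if __name__ == "__main__":
    lb = EcmpOverIpsec([Tunnel("ipsec1"), Tunnel("ipsec2"), Tunnel("ipsec3")])
    flows = sample_flows(300)
    moved, on_failed = failover_impact(lb, flows, "ipsec2")
    print(f"ipsec2 down: {moved} of {on_failed} flows on it rehashed, "
          f"{len(flows) - on_failed} flows untouched")
```

Per-flow (rather than per-packet) selection is the point: spraying one flow's packets over several tunnels would put them on different ESP SAs with independent sequence numbers and different path latencies, and the receiving peer's anti-replay window would then drop late packets as replays.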
Cloud and On-demand Provisioning
Organizations are moving their infrastructure to the cloud to optimize computing efficiency and lower capital and operating expenses. As they migrate to the cloud, they need their VPN infrastructure to migrate with them. However, cloud architectures introduce requirements that do not exist in physical data center networks.
To realize the benefits of cloud computing, cloud architectures must support automation, agility and on-demand scaling, and organizations must ensure that their VPN services support this cloud networking paradigm. VPN services should integrate seamlessly with application networking services, SDN technologies and other data center infrastructure, and organizations should be able to provision VPN instances with the same cloud orchestration systems they use to manage their cloud applications.
Thunder ADC lets organizations implement high-capacity VPN services in the cloud. Supporting an array of form factors, including high-performance virtual appliances, physical appliances and hybrid virtual appliances, A10 gives organizations the flexibility to build a VPN architecture that meets the requirements of cloud networks.
Thunder ADC integrates with software-defined network (SDN) fabrics using Virtual Extensible LAN (VXLAN) and Network Virtualization using Generic Routing Encapsulation (NVGRE) to support automated network configuration and service chaining. Integration with cloud orchestration platforms such as Microsoft System Center Virtual Machine Manager (SCVMM) and OpenStack enables centralized provisioning of VPN services. Pay-as-you-go licensing with utility and rental billing models lets organizations align VPN licensing with the licensing models of other cloud-based services. The aCloud Services Architecture enables cloud data center operators to deliver advanced application delivery and IPsec VPN services while improving agility.
The high availability, scalability and security features supported in physical networks, such as dynamic routing and redundancy, are also supported in cloud environments. This means that organizations can use BGP routing and VRRP-a to scale out their VPN networks and maximize uptime.
Figure 1: Thunder ADC can connect to multiple VPN sites over a BGP cloud. (Diagram: Thunder ADC 1, Thunder ADC 2 through Thunder ADC n in the data center, each running IPsec VPN, access control lists, BGP and BFD, connect across the Internet/BGP cloud through encrypted IPsec tunnels to Thunder ADC appliances at VPN Site 1, VPN Site 2 and VPN Site 3 in a multi-site VPN; the remote appliances run the same feature set.)
High-Performance Architecture
Thunder ADC draws on software and hardware design advantages to deliver high IPsec performance. The A10 Networks Advanced Core Operating System (ACOS®) powers Thunder ADC appliances. Built from the ground up for multicore CPU architectures, ACOS scales compute processing linearly as CPU cores are added, providing high performance in a compact form factor.
ACOS uses Symmetric Scalable Multi-Core Processing (SSMP) to apply parallel-processing techniques from supercomputing and maximize the performance of multicore architectures. Thanks to its highly scalable 64-bit operating system optimized for multicore architectures, Thunder ADC hardware and the A10 Networks vThunder® ADC line of virtual appliances deliver high IPsec VPN performance.
Select Thunder ADC hardware models include dedicated security processors that accelerate IPsec encryption. Supporting up to four quad-chip security processors in a rack-mountable appliance, Thunder ADC provides fast IPsec encryption without forcing organizations to deploy cumbersome and inefficient chassis-based systems.
Figure 2: Users can forward traffic destined for the remote VPN site through the Thunder ADC appliance and send all other traffic directly to the Internet. (Diagram: at each of two sites, users sit behind a router and firewall; Thunder ADC appliances running IPsec VPN, BGP and ECMP terminate the tunnels, with several appliances per site sharing the tunnel traffic across the Internet.)
IPsec VPN Specifications
Keying Methods
• IKEv1, IKEv2
Authentication Methods
• RSA signature, pre-shared key, PKI
Key Exchange Diffie-Hellman Groups
• 1, 2, 5, 14, 15, 16, 18
Encryption Algorithms
• DES, 3DES, AES-128, AES-192, AES-256
Data Integrity
• HMAC-based integrity algorithms; the source table repeats the cipher list here, and the only integrity algorithms it actually names are the HMAC-SHA-256/384/512 family of RFC 4868 (partial support; see RFCs below)
Maximum Number of IPsec Tunnels Supported
• 20,000 [i]
RFCs Supported
• IKE: RFC 2407, 2408, 2409 (IKEv1/ISAKMP), 7296 (IKEv2), 4307 (IKEv2 algorithms), IANA IKEv2 parameters registry, 3526 (MODP Diffie-Hellman groups), 3706 (dead peer detection), 3947 (NAT traversal negotiation)
• IPsec/ESP: RFC 4301 (security architecture), 4303 (ESP), 4304 (extended sequence numbers), 4308 (cryptographic suites), 3602 (AES-CBC), 4868 (HMAC-SHA-256/384/512, partial), 6071 (IPsec and IKE roadmap)
• PKI: RFC 2560 (OCSP), 5280 (X.509 certificates and CRLs), draft-nourse-scep (SCEP)
• Also listed in the source: RFC 3986
IPsec VPN Features
• NAT traversal
• Dead peer detection
• Perfect Forward Secrecy (PFS) support [ii]
• Rekeying by lifetime in bytes and in time
• Extended Sequence Number (ESN)
• L3V partition aware
• Route-based VPN
• OSPF, BGP and Bidirectional Forwarding Detection (BFD) over IPsec tunnel
• ECMP support
• Integration with server load balancing and Network Address Translation (NAT)
• UDP encapsulation
• TCP maximum segment size (MSS) clamping
• Public key infrastructure (PKI) support with Simple Certificate Enrollment Protocol (SCEP), Online Certificate Status Protocol (OCSP) and certificate revocation list (CRL) distribution points
• Prioritized Internet Key Exchange (IKE) packets on hardware-accelerated Flexible Traffic Accelerator (FTA) appliance models
• Software- and hardware-based encryption, with dedicated security processors in select hardware models
Cloud Integration
• Integration with cloud orchestration systems such as Microsoft SCVMM, OpenStack and VMware vCloud Director
• vThunder virtual appliance support
• On-demand provisioning of data-driven and command-driven tunnels
High Availability
• Virtual Router Redundancy Protocol (VRRP-a)
• Security Association (SA) sync and session sync
• Active-active topology support
• Sub-second failover with BFD and route health check
[i] Actual maximum number of supported VPN tunnels may vary by appliance model.
[ii] Available in ACOS 4.0.1.
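The specification table lists everything the platform accepts, including DES, 3DES and Diffie-Hellman groups 1, 2 and 5, and the feature list adds PFS, ESN, DPD, byte/time rekeying, UDP encapsulation and MSS clamping. Listed is not the same as recommended, so the following added example (not A10's code, and not an ACOS configuration) does two things a practitioner wants before deploying a tunnel: it runs a proposed IKE/IPsec configuration against the option sets from the table and flags the legacy choices, and it derives the TCP MSS clamp from the ESP tunnel-mode overhead of the chosen cipher, integrity check and NAT-T encapsulation. The policy thresholds (which ciphers and groups count as weak, the maximum lifetime) are this example's own assumptions in line with RFC 8221/8247 guidance, not figures from the brief.

```python
"""Added example, not A10's code: a policy check for an IKE/IPsec proposal against the
option list in the brief's specification table, plus the TCP MSS clamp for a tunnel.
Policy thresholds are this example's own assumptions, not figures from the brief."""
from dataclasses import dataclass
from typing import List

# Option sets copied from the brief's specification table.
SUPPORTED_IKE = {"ikev1", "ikev2"}
SUPPORTED_AUTH = {"psk", "rsa-sig", "pki"}
SUPPORTED_DH = {1, 2, 5, 14, 15, 16, 18}
SUPPORTED_CIPHERS = {"des", "3des", "aes-128", "aes-192", "aes-256"}
CIPHER_BLOCK_IV = {"des": (8, 8), "3des": (8, 8),
                   "aes-128": (16, 16), "aes-192": (16, 16), "aes-256": (16, 16)}

# Assumed policy thresholds (not from the brief): listed does not mean recommended.
WEAK_CIPHERS = {"des", "3des"}   # 64-bit block ciphers
WEAK_DH = {1, 2, 5}              # MODP groups of 1536 bits or less
MAX_LIFETIME_S = 8 * 3600


@dataclass
class Proposal:
    ike_version: str
    dh_group: int
    cipher: str
    auth: str = "psk"
    pfs: bool = True
    esn: bool = True
    lifetime_s: int = 3600
    dpd: bool = True


def check_proposal(p: Proposal) -> List[str]:
    """Return 'field: problem' findings; an empty list means the proposal passes the policy."""
    f: List[str] = []
    if p.ike_version not in SUPPORTED_IKE:
        f.append(f"ike: {p.ike_version} is not in the supported list")
    elif p.ike_version == "ikev1":
        f.append("ike: IKEv1 (RFC 2409) is obsolete; use IKEv2 (RFC 7296)")
    if p.dh_group not in SUPPORTED_DH:
        f.append(f"dh: group {p.dh_group} is not in the supported list")
    elif p.dh_group in WEAK_DH:
        f.append(f"dh: group {p.dh_group} is too small; use group 14 or larger")
    if p.cipher not in SUPPORTED_CIPHERS:
        f.append(f"cipher: {p.cipher} is not in the supported list")
    elif p.cipher in WEAK_CIPHERS:
        f.append(f"cipher: {p.cipher} has a 64-bit block; use AES")
    if p.auth not in SUPPORTED_AUTH:
        f.append(f"auth: {p.auth} is not in the supported list")
    elif p.auth == "psk":
        f.append("auth: pre-shared key; use a high-entropy key, or RSA/PKI with CRL or OCSP checking")
    if not p.pfs:
        f.append("pfs: disabled; a compromised IKE SA key would expose every child SA")
    if not p.esn:
        f.append("esn: disabled; the 32-bit ESP sequence number (2^32 packets) wraps in about "
                 "1.4 hours at 10 Gb/s with 1500-byte packets and forces a rekey")
    if p.lifetime_s > MAX_LIFETIME_S:
        f.append(f"lifetime: {p.lifetime_s}s exceeds the {MAX_LIFETIME_S}s policy maximum")
    if not p.dpd:
        f.append("dpd: disabled; a dead peer holds the tunnel up until the SA lifetime expires")
    return f


def max_tcp_mss(cipher: str, icv_bytes: int, mtu: int = 1500, udp_encap: bool = True,
                outer_ip: int = 20, inner_ip: int = 20) -> int:
    """Largest inner TCP MSS whose ESP tunnel-mode packet still fits the outer MTU.

    icv_bytes is the truncated HMAC length (16 for HMAC-SHA-256 per RFC 4868, 12 for
    HMAC-SHA-1).  udp_encap adds the 8-byte NAT-T UDP header.  AEAD ciphers such as
    AES-GCM are not in the brief's list and are not modelled here.
    """
    block, iv = CIPHER_BLOCK_IV[cipher]
    head = outer_ip + (8 if udp_encap else 0) + 8 + iv   # outer IP, NAT-T UDP, SPI+seq, IV
    budget = mtu - head - icv_bytes                       # room for the encrypted part
    padded = budget - budget % block                      # encrypted part is a block multiple
    inner_max = padded - 2                                # pad-length and next-header bytes
    return inner_max - inner_ip - 20                      # inner IP header and TCP header


if __name__ == "__main__":
    legacy = Proposal("ikev1", dh_group=2, cipher="3des", pfs=False, esn=False, lifetime_s=86400)
    for finding in check_proposal(legacy):
        print(finding)
    print("MSS clamp, AES-256-CBC + HMAC-SHA-256, NAT-T, MTU 1500:", max_tcp_mss("aes-256", 16))
```

For AES-256-CBC with HMAC-SHA-256 over NAT-T and a 1500-byte outer MTU the clamp comes out at 1382 bytes (1398 without the UDP header); clamping any higher lets the encapsulated packet exceed the path MTU and forces fragmentation or, with DF set, silent loss inside the tunnel.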