A10 Capabilities Overview (2015-05-29)
1. ©A10 Networks, Inc.
A10 Networks Overview
May, 2015
Accelerating and Securing Data Center
Applications & Networks
02242015
David Ayoub
RSM-Intel/ NAVY/ CYBER/ FSI
Dayoub@a10networks.com
703.623.0892
2.
A10 Corporate Introduction
Headquarters in San Jose
700+ Employees
Offices in 27 countries
Customers in 65 countries
COMPANY GROWTH: $55M (2010), $92M (2011), $120M (2012), $142M (2013), $180M (2014)
CUSTOMER GROWTH: 1,000+ (Q4'11), 2,000+ (Q4'12), 2900 (Q4'13), 3900+ (Now)
3.
3900+ Customers in 65 Countries
Web Giants | Enterprises | Service Providers
3 of Top 4
U.S. WIRELESS CARRIERS
7 of Top 10
U.S. CABLE PROVIDERS
Top 3
WIRELESS CARRIERS IN JAPAN
6.
Best-in-class application networking performance and scalability
Software-based platform with platform APIs for Cloud integration
Flexible form factors & packaging
Predictable Capex / Opex with all-inclusive licensing and support pricing
Highly efficient design for data center OPEX
Gold standard for quality & reliability
Why A10?
8.
ACOS Platform: High Performance Application Networking
Shared Memory Architecture
1 2 3 N
Flexible Traffic Accelerator
Switching and Routing
Efficient &
Accurate Memory
Architecture
64-Bit Multi-Core
Optimized
Optimized
Flow Distribution
Application
Acceleration
Application
Security
Application
Availability
9.
Can modestly scale up parallel processing efficiency
Can eliminate requirement for some memory sharing
Flaw: memory elements must still be replicated impacting performance
– Configurations: system, interface,
VIP, rates, rules, et al
– Caching: inherently cross-flow,
cross-core function
– Learning: security policies inherently
shared (black lists, cookies…)
Competitors’ Approach: Parallel Processing w/ Dedicated Memory
L4-7
CPU 1
L4-7
CPU 2
L4-7
CPU 3
L4-7
CPU 4
L4-7
CPU 5
Communication Bus
10.
Scales up parallel processing linearly
Zero Memory Duplication
Zero IPC
Zero Locking
Zero Scheduling
Zero Interrupts
A10 ACOS Approach: Parallel Processing with Shared Memory
L4-7
CPU 1
L4-7
CPU 2
L4-7
CPU 3
L4-7
CPU 4
L4-7
CPU 5
High-speed
Shared Memory
11.
Benefits of ACOS Shared Memory
ACOS Shared Memory | Conventional IPC Architecture
L4-7
CPU 1
L4-7
CPU 2
L4-7
CPU 3
L4-7
CPU 4
L4-7
CPU 5
High-speed
Shared Memory
L4-7
CPU 1
L4-7
CPU 2
L4-7
CPU 3
L4-7
CPU 4
L4-7
CPU 5
Communication Bus
12.
Linear Scaling – Shared Memory Architecture
Resource efficiency
# of CPU Cores
Conventional
IPC memory
architecture
Parallel processing
with dedicated
memory
Benefits:
Cost
Power
Heat
Size
A10 ACOS
shared memory
architecture
13.
ADC
aGalaxy
ACOS: Platform for Application Service Gateway Portfolio
Policy Mgmt
Software
Product
Lines
Platform OS
& Services
Form Factors
CGN TPS
aXAPI
ACOS – Advanced Core Operating System
Security DDoS | SSL | WAF | AAM | DAF
Optimization
& Acceleration
IPv6 | SLB | SSL | GSLB | TCP Opt | NAT
Thunder™ &
AX Series
Appliances
Virtual Chassis
(aVCS)
vThunder
Perpetual
License
Dedicated Data Centers
Thunder HVA
Appliances
Application Delivery
Partitions (ADPs)
Multi-Tenant Data Centers
Dedicated
Network
aFleX aCloud Services Architecture
(SDN & Cloud Integration)
aCloud™
IT Delivery
Models
Managed
Hosting
Cloud IaaS
vThunder
Pay-as-you-Go
License
14.
Thunder ASG Products & Example Deployment Use Cases
SLB, Cache,
SSL Offload, WAF
Data Center Demilitarized Zone (DMZ)
ADC
FWLB & SSL
Intercept
CGNAT,
NAT44,
NAT64,
DS-Lite
Pay-as-you-Go
Licensing Model
Carrier Network
Managed Hosting
Provider & IaaS
DDoS Detection &
Mitigation
CGN
TPS
aCloud
ADC
15.
Objective Data Comparison – FIPS 140-2

| Platform | Thunder 1030S-FIPS | BIG-IP 5250V-FIPS | BIG-IP 7200V-FIPS | Thunder 3030S-FIPS | Thunder 4430(S)-FIPS* | BIG-IP 10200V-SSL | Thunder 5430-FIPS* | Thunder 6430S-FIPS |
|---|---|---|---|---|---|---|---|---|
| Performance | | | | | | | | |
| L4 Connections Per Second | 450,000 | 700,000 | 775,000 | 750,000 | 2,700,000 | 1,000,000 | 3,700,000 | 5,300,000 |
| HTTP Requests Per Second | 2,000,000 | 7,000,000 | 7,000,000 | 3,000,000 | 11,000,000 | 14,000,000 | 20,000,000 | 31,000,000 |
| L7 Throughput (Gbps) | 10 | 15 | 20 | 30 | 38 | 40 | 78 | 145 |
| L7 Requests Per Sec (Inf-Inf) | 480,000 | 1,500,000 | 1,600,000 | 800,000 | 1,590,000 | 2,000,000 | 2,100,000 | 3,300,000 |
| Max. SSL TPS 2K Keys* | 7,000 | 5,000 | 9,000 | 14,000 | 68,000 | 9,000 | 68,000 | 130,000 |
| Price Performance | | | | | | | | |
| SLB/LTM | $23,095 | $76,995 | $94,995 | $32,995 | $113,295 | $119,995 | $145,195 | $296,995 |
| $ / L4 CPS | $0.05 | $0.09 | $0.09 | $0.04 | $0.03 | $0.09 | $0.03 | $0.05 |
| $ / SSL TPS 2K Keys | $3.00 | $3.05 | $2.80 | $2.14 | $1.29 | $2.26 | $1.72 | $2.08 |
| Resources | | | | | | | | |
| CPU Type | Intel Xeon Quad Core | Intel Xeon Quad Core | Intel Xeon Quad Core | Intel Xeon Quad Core | Intel Xeon Hexa Core | Intel Xeon Hexa Core | Intel Xeon Deca Core | Intel Xeon 2x Octo Core |
| Memory | 8 GB | 32 GB | 32 GB | 16 GB | 32 GB | 48 GB | 64 GB | 128 GB |

Source: Company Public Data Sheets
* Additional SSL performance available
Note: based upon F5 lowest priced “Good” license package with LTM only (NO Better/Best)
16.
ACOS: SW Agility Supports Rapid Product Line Extensions
ADC
SLB NAT
SSL
OFFLOAD
DDoS DNS FW WAF
SSL
INTERCEPT
AAMNAT DDoS
CGN
CGNAT IPv6
IP PROXY
GATEWAY
TPS
VOLUMETRIC
ATTACK
MITIGATION
RESOURCE
ATTACK
MITIGATION
PROTOCOL
ATTACK
MITIGATION
Future Products in Development
ACOS
17.
ACOS designed for reliability
– No HDD – SSD only
– No CPU fans – hot-swap fans only
– No moving parts on motherboard
Reliability Data
– A10 DOA & RMA rate: < 2.0% (2013 rate)
– Industry standard DOA & RMA rate: ~4.0% (IT infrastructure)
Gold Standard for Reliability & Quality
19.
ADC Solution
Price
Connections
(L4 CPS)
Throughput
(Gbps)
750,000
150,000
CASE STUDY: BOX
NEED
Scalable ADC infrastructure to
provide high performance to
growing user base
Solve low reliability and outages
from incumbent
SOLUTION
Greater than 4x connections / sec.
and 3x of throughput
Greater than 2x price-performance
with increased reliability
Reduced network downtime
Leading, fast-growing “prosumer”
cloud service
A10 Thunder 3030S ADC F5 ADC BIG-IP 4000S
$64K*
3x
5x
$30K Base
30
10
½
* F5 “Better” License
20.
CGN Solution
Throughput
(Gbps)
Simultaneous Sessions
(# Flows)
Capacity
(# Subscribers)
512,000
136,000
256M
68M
115
76
A10 CGN
1 RU Space
Juniper MX480 3D
MS-DPC (4)
8 RU Space
~4x ~4x 1.5x
CASE STUDY
National provider of wireless voice,
messaging and data services
NEED
Deliver reliable service to millions
of subscribers
Avoid costly & disruptive IPv6
replacement
SOLUTION
Scalable translation solution that
extends life of IPv4
Roughly 3x overall performance at
roughly ¼ $$$ price vs. incumbent
edge-router vendor
22.
Thunder ADC Solutions to Enhance Your Business
Availability
Scale Web and key
infrastructure
Reduce downtime
Ensure business
continuity
Acceleration
Provide fast and
responsive services
Competitive
advantage
Drive down CAPEX
and OPEX
Security
Protect against
advanced and
emerging attacks
Protect brand and
guard against
revenue loss
Meet required
compliance
standards
23.
Application availability
– To maintain uptime
– SLB, GSLB, high-availability (HA), Health-checks, more…
Application acceleration
– For equipment consolidation and faster
user experience
– Caching, compression, network
optimization, more…
Application security services
– For brand and asset protection while
enhancing your existing security
– FWLB, WAF, SSL services, more…
Enterprise Data Center
Acceleration:
SSL Offload
TCP Reuse
RAM Caching
Compression
A10 ADC
Web App DNS Other App
Security:
DDoS Mitigation
WAF
DAF
AAM
Availability:
GSLB
High-availability
Health-checks
Backup Data Center
24.
Scaling security devices and
encrypted communications
– SSL Intercept: Eliminate encryption
blind spot and scale security
appliances
– FWLB and SSL offload, more…
Defend against emerging
DDoS attacks
– Network and application protection
Selectively apply dynamic
security chains
– Traffic steering and advanced ADC
services
DMZ Security Solutions
Firewall Load Balancing
DDoS Mitigation
WAF
DAF
AAM
Traffic Steering
aFleX Scripting
SSL Offload
A10 ADC
Data Center
Firewalls
IDS/IPS
DLP
Other
Firewall Load Balancing
SSL Intercept
A10 ADC
Internal Users
26.
Values:
– Requires valid user authentication for
resource access
– Enhanced protection and server efficiency
– Authentication offload
Advantages:
– Supports popular authentication services/stores
– No adjustment to Web servers or infrastructure
– Seamless integration
– No license required
Application Access Management (AAM)
Access Request
Authentication
Challenge
Authentication
Request
Access
Granted
AAM
Authentication
Success
27.
Authentication Methods
– Basic HTTP
– Form Based
Web page generated from Thunder ADC
(not Web servers)
– Certificate authentication with OCSP
responder support
Authentication Server Support
– LDAP
Including password change
– RADIUS
– OCSP
Authentication Relay
– Basic HTTP
– Kerberos Authentication
Single Sign-On
Kerberos Constrained Delegation (KCD)
Kerberos Protocol Transition (KPT)
Health Monitoring
– LDAP
– RADIUS
– Kerberos
Load Balancing
– LDAP
– RADIUS
– OCSP
AAM Features
28.
Example AAM Configuration
– Logon (HTTP Basic Login)
– Authentication (LDAP Authentication)
– Authentication Relay (HTTP Basic)
AAM Transaction Overview
SharePoint Servers
Clients
Active Directory
30.
The SSL Intercept feature transparently intercepts
traffic, decrypts it, forwards it through a
firewall for deep packet inspection, and then
securely forwards it on to its destination
2048-bit keys are now the standard
– CPU utilization rises exponentially as encryption
strength increases
Thunder ADCs are the right choice
– Dedicated security processors for hardware SSL
– Firewalls can’t always do SSL Intercept with scale
– Freedom to choose best-of-breed traffic
inspection/mitigation
SSL Intercept Overview
Other
DLP
UTM
IDS
Server
A10 ADC
A10 ADC
encrypted
decrypted
encrypted
Inspection/
Protection
Client
1
6
2
5
3
4
31.
Transparently intercept SSL traffic, decrypt
it, and send it through the firewall
There are three distinct stages of traffic
handling, as depicted in the diagram
1. Traffic is encrypted in passing from the client
to the inside Thunder ADC
2. Traffic passes from the inside Thunder ADC to
the outside Thunder ADC, and then through
the firewall. Traffic is in plain text during this
segment
3. Traffic is sent from the outside Thunder ADC
to the remote server, encrypted once again
for this segment
SSL Intercept Function
SSL Encrypted
Connection
Unencrypted
Traffic Flow
SSL Encrypted
Connection
32.
Malware Detection
Security Forensics
User connects to site using SSL
ACOS terminates client/server SSL
connection on internal/external
forward proxy ACOS ADCs
ACOS creates an unencrypted zone
Unencrypted traffic passes to
security devices, which can now
inspect the traffic and mitigate per
corporate policy
Thunder ADC SSL Intercept Solution
www.example.com
SSL Connection to
www.example.com
Un-encrypted
ZONE
encrypted
decrypted
encrypted
33.
Problem: Provide high performance security for
– Stateful Firewall
– URL Filtering
– IDS/IPS
– SSL decryption and inspection
Enabling all these features degrades security
performance significantly
– Solution: ACOS Series SSL Intercept with
Security Processors
– Net Effect: Security platforms have more
processing resource available for policy
inspection due to ACOS SSL Intercept
High Performance Security with SSL Intercept
www.example.com
SSL Connection to
www.example.com
Firewall
IPS/IDS
encrypted
encrypted
Decryption,
inspection &
encrypted
decrypted
decrypted
36.
Application Delivery Partitions (ADP) provide isolation of configuration
components and administration
– Role-based Administration partitions (up to 255 RBA partitions)
Isolate Layer 4 - 7
Share resources (app, network, and system) with the rest of the system equally
– Layer 3 Virtualization partitions (up to 1023 L3V partitions)
Isolate Layer 3 - 7
Allow customized resource allocation through system-resource-usage templates
A1-Active-vMaster[1/1](config)#system resource-usage template L3V_1
A1-Active-vMaster[1/1](config-resource template)#?
app-resources Enter the application resource limits
network-resources Enter the network resource limits
system-resources Enter the system resource limits
Note: An additional RBA and L3V partition exists if you count the shared partition allocation
ADP Overview and Benefits
37.
Sharing Resources in RBA Partitions
In layers 1-3 objects are public and must be unique. They can be shared, unless they
are a part of a private object defined in an RBA partition. Server _s1's IP address in this
example cannot be used by any other partition.
Private space: Layers 4-7
Shared space: Layers 1-3
RBA_Part1 RBA_Part2 RBA_Part3
Server _s1
• Port 80
• 10.0.0.10
VE interfaces, IP addresses, VLANs
Ethernet interfaces
Virtual
server
38.
Sharing Resources in L3V Partitions
Note: In L3V partitions IP addresses are private
L3V_Part1 L3V_Part2 L3V_Part3
Configured
interfaces
Configured
interfaces
Configured
interfaces
Server _s1
• Port 80
• 10.0.0.10
Server _s1
• Port 80
• 10.0.0.10
Server _s1
• Port 80
• 10.0.0.10
Virtual server Virtual server Virtual server
VLANs, Ethernet (physical) interfaces
Private space: Layers 3-7
Shared space: Layers 1-2
40.
aFleX is a powerful and flexible Thunder feature that you can use to manage your
traffic and provide enhanced benefits/services
– aFleX uses industry-standard TCL (Tool Command Language) based syntax
Standard TCL commands
Special set of extensions provided by the Thunder
– aFleX allows:
Content inspection (headers / data)
Actions on traffic
– Block traffic
– Redirect traffic to a specific Service Group (pool) or Server (node)
– Modify traffic content
aFleX Overview
41.
Place aFleX script on the Thunder
– Using CLI
Use a computer with any text editor to write an aFleX script and save it as a file
Use “import aflex” command to import the aFleX file from a server to Thunder
aFleX CLI syntax check: "aflex check <name>"
– Using Web GUI
With ACOS Web interface, users can directly type in aFleX scripts and save them on the Thunder under "Config
> Service > aFleX"
– Using aFleX Editor
aFleX editor can download/upload aFleX scripts from/to the Thunder. Moreover, it can do syntax checking. It
also has syntax highlighting, keyword auto-completion, etc.
aFleX Configuration
42.
1. Events: Triggered based on client/server packet and/or connection flow
2. Operators: A descriptive string representing a relational or logical operation to be
executed
3. Commands: Used on elements within the packet flow headers in order to gather
data or provide various aFleX functionality
4. Variables: Used to store information to memory to be recalled when needed
5. Conditionals: Control structure in programming that allows you to create a
logical flow within your code
aFleX Five Basic Elements
43.
Sample use cases for aFleX scripting
– Redirect end users to backup
data center when primary
data center is not reachable
– Transparent conversion of
HTTP requests to HTTPS
– Add a hostname to an
existing Web site
Both CLI and GUI options
for aFleX scripting
– CLI: aflex create <name>
– GUI: See screenshot
Creating an aFleX
47.
Thunder ADC Hardware Appliances
Price
Performance
Thunder 930 ADC
5 Gbps (L4&L7)
200k L4 CPS
1 M RPS (HTTP)
Thunder 1030S ADC
10 Gbps (L4&L7)
450k L4 CPS
2M RPS (HTTP)
SSL Processor
Thunder 3030S ADC
30 Gbps (L4&L7)
750k L4 CPS
3M RPS (HTTP)
SSL Processor
Thunder 4430(S) ADC
38 Gbps (L4&L7)
2.7M L4 CPS
11M RPS (HTTP)
Thunder 5430S ADC
77/75 Gbps (L4/L7)
2.8M L4 CPS
17M RPS (HTTP)
SSL Processor
Hardware FTA
Thunder 5430(S)-11 ADC
79/78 Gbps (L4/L7)
3.7M L4 CPS
20M RPS (HTTP)
SSL Processor
Hardware FTA
Thunder 5630 ADC
79/78 Gbps (L4/L7)
6M L4 CPS
32.5M RPS (HTTP)
SSL Processor
Hardware FTA
Thunder 6430(S) ADC
150/145 Gbps (L4/L7)
5.3M L4 CPS
31M RPS (HTTP)
SSL Processor
Hardware FTA
Thunder 6630 ADC
150/145 Gbps (L4/L7)
7.1M L4 CPS
38M RPS (HTTP)
SSL Processor
Hardware FTA
48.
vThunder Software Appliances
Lab Edition
Entry Level/Lab
200 Mbps
Entry Level/Lab
1 Gbps
High-performance
4 Gbps
High-performance
8 Gbps
vThunder (Perpetual Licensing)
200 Mbps to 8 Gbps
VMware, KVM, Hyper-V & Xen
hypervisors
Dynamic provisioning, faster roll out
Scale up or down on-demand
Price
Performance
49.
Why HVA?
– Hardware acceleration
– Deploy instances on demand
– Consolidation
– Strong hypervisor-based isolation
Advantage:
– Hardware performance, virtual flexibility
– OpenStack management
– SR-IOV support for network and SSL
acceleration
– No performance or feature licenses
Thunder Hybrid Virtual Appliance (HVA)
Price
Performance
Thunder 3030S HVA
8 instances,
35 Gbps
Thunder 3530S HVA
40 instances,
100 Gbps
50.
Achieve automation, operational agility, and reduced TCO
SDN integration
– Overlay & fabric integration
– VXLAN and NVGRE
– IBM SDN-VE, Cisco APIC, VMware NSX
Cloud orchestration integration
– Policy integration with Cloud orchestration platforms
– aGalaxy, Microsoft SCVMM,
VMware vCloud Director, OpenStack
Note: For more details on SDN and Cloud Orchestration,
refer to the aCloud presentation slide deck.
3rd-Party Integrations: SDN/Cloud Orchestration Integration
52.
Preserve Investments in existing infrastructure
– Compatibility with current network architecture
– Extend existing IPv4 network infrastructure
Transparent end user experience
– Ensure applications and services are maintained
– Business continuity in case of failure
Smooth transition to IPv6
– Need to support any/all migration technologies
Service Provider & Enterprise Challenges
53.
A10 CGN Value Proposition
Most complete
feature set:
Highest
performance:
Form Factor
Flexibility:
IPv4 extension
IPv6 migrations
Application Layer
Gateways
Run any/all features
on one unit
256 million sessions
150 Gbps
throughput
Cluster to 1 Tbps+
Purpose built
appliances
High availability
and security
Physical
Virtual
Hybrid
SDN/NFV ready
Small form factor
1-3U appliances
All inclusive license
Beats Chassis/modules alternatives hands down:
Superior comprehensive feature set, highest performance,
smallest form factor, lowest power and cooling, best ROI
54.
Common IPv6 Migration Techniques
Dual-Stack: Native IPv4, IPv6
Encapsulation: 6rd, DS-Lite
Translation: NAT64, NAT46
Why so many options?
Every network is different and no one implementation fits all
55.
Access Destination Migration
A10's IPv6 Migration Options
IPv6
IPv4
6rd
DS-Lite
Stateful
NAT64/DNS64
Stateless
NAT46
A10 offers
One box
solution!
Unique Service
Provider feature
Lw-4o6
IPv4
IPv6
IPv4
IPv6
IPv6
Internet
IPv4
Internet
IPv6
Internet
IPv4
Internet
56.
Thunder CGN Hardware Appliances
Price
Performance
Thunder 5630(S) CGN
Thunder 6630(S) CGN
Thunder 3030S CGN
Thunder 5430S CGN
Thunder 6430 CGN
Thunder 5430(S)-11 CGN
Thunder 3530S HVA
Thunder 3030S HVA
Thunder 4430(S) CGN
All inclusive licensing
58.
Visit www.a10networks.com
– 30 days, 5 Mbps limit
– Full features
– For VMware, Hyper-V, KVM and Xen
vThunder Free Trial – Try Today