
A10 Networks Overview

May, 2015

Accelerating and Securing Data Center Applications & Networks
David Ayoub
RSM-Intel/ NAVY/ CYBER/ FSI
Dayoub@a10networks.com
703.623.0892

©A10 Networks, Inc. 02242015


A10 Corporate Introduction

• Headquarters in San Jose
• 700+ Employees
• Offices in 27 countries
• Customers in 65 countries

CUSTOMER GROWTH
Q4'11: 1,000+ | Q4'12: 2,000+ | Q4'13: 2900 | Now: 3900+

COMPANY GROWTH
2010: $55M | 2011: $92M | 2012: $120M | 2013: $142M | 2014: $180M


3900+ Customers in 65 Countries
Service Providers | Enterprises | Web Giants

• 3 of Top 4 U.S. WIRELESS CARRIERS
• 7 of Top 10 U.S. CABLE PROVIDERS
• Top 3 WIRELESS CARRIERS IN JAPAN


Federal Presence
Customers Tech Partnerships Certifications

Certs: 1659, 1963 Listed as IA Tool

EAL2+ Certified

DISA ATO



Why A10?

• Best-in-class application networking performance scalability
• Software-based platform with platform APIs for Cloud integration
• Flexible form factors & packaging
• Predictable Capex / Opex with all-inclusive licensing and support pricing
• Highly efficient design for data center OPEX
• Gold standard for quality & reliability


A10 ACOS Platform
ACOS Platform: High Performance Application Networking

[Diagram: Shared Memory Architecture above 64-bit multi-core CPUs (1, 2, 3 … N), a Flexible Traffic Accelerator, and Switching and Routing. Labels: Efficient & Accurate Memory Architecture; 64-Bit Multi-Core Optimized; Optimized Flow Distribution; Application Acceleration; Application Security; Application Availability]


Competitors’ Approach: Parallel Processing w/ Dedicated Memory

• Can modestly scale up parallel processing efficiency
• Can eliminate requirement for some memory sharing
• Flaw: memory elements must still be replicated, impacting performance
  – Configurations: system, interface, VIP, rates, rules, et al
  – Caching: inherently cross-flow, cross-core function
  – Learning: security policies inherently shared (black lists, cookies…)

[Diagram: five L4-7 CPUs (CPU 1 to CPU 5) connected by a Communication Bus]


A10 ACOS Approach: Parallel Processing with Shared Memory

• Scales up parallel processing linearly
• Zero Memory Duplication
• Zero IPC
• Zero Locking
• Zero Scheduling
• Zero Interrupts

[Diagram: five L4-7 CPUs (CPU 1 to CPU 5) attached to High-speed Shared Memory]


Benefits of ACOS Shared Memory

[Diagram, two panels. Conventional IPC Architecture: five L4-7 CPUs (CPU 1 to CPU 5) on a Communication Bus. ACOS Shared Memory: five L4-7 CPUs (CPU 1 to CPU 5) on High-speed Shared Memory]


Linear Scaling – Shared Memory Architecture

[Chart: Resource efficiency vs. # of CPU Cores, with three curves: A10 ACOS shared memory architecture; Parallel processing with dedicated memory; Conventional IPC memory architecture]

Benefits: Cost, Heat, Power, Size


ACOS: Platform for Application Service Gateway Portfolio

[Diagram, layers from top to bottom]
• Policy Mgmt: aGalaxy | aXAPI | aFleX | aCloud™ (aCloud Services Architecture: SDN & Cloud Integration)
• Software Product Lines: ADC | CGN | TPS
• Platform OS & Services: ACOS – Advanced Core Operating System
  – Optimization & Acceleration: IPv6 | SLB | SSL | GSLB | TCP Opt | NAT
  – Security: DDoS | SSL | WAF | AAM | DAF
• Form Factors (Dedicated Data Centers, Multi-Tenant Data Centers): AX Series Appliances | Thunder™ & vThunder Appliances | Virtual Chassis (aVCS) | Thunder HVA | Application Delivery Partitions (ADPs) | vThunder: Perpetual License, Pay-as-you-Go License
• IT Delivery Models: Dedicated Network | Managed Hosting | Cloud IaaS


Thunder ASG Products & Example Deployment Use Cases

[Diagram labels]
• TPS: DDoS Detection & Mitigation
• CGN: CGNAT, NAT44, NAT64, DS-Lite
• ADC: SLB, Cache, SSL Offload, WAF
• ADC: FWLB & SSL Intercept
• aCloud: Pay-as-you-Go Licensing Model

Deployment zones shown: Carrier Network | Managed Hosting Provider & IaaS | Data Center | Demilitarized Zone (DMZ)


Objective Data Comparison – FIPS 140-2

| Platform | Thunder 1030S-FIPS | BIG-IP 5250V-FIPS | BIG-IP 7200V-FIPS | Thunder 3030S-FIPS | Thunder 4430(S)-FIPS* | BIG-IP 10200V-SSL | Thunder 5430-FIPS* | Thunder 6430S-FIPS |
|---|---|---|---|---|---|---|---|---|
| Performance | | | | | | | | |
| L4 Connections Per Second | 450,000 | 700,000 | 775,000 | 750,000 | 2,700,000 | 1,000,000 | 3,700,000 | 5,300,000 |
| HTTP Requests Per Second | 2,000,000 | 7,000,000 | 7,000,000 | 3,000,000 | 11,000,000 | 14,000,000 | 20,000,000 | 31,000,000 |
| L7 Throughput (Gbps) | 10 | 15 | 20 | 30 | 38 | 40 | 78 | 145 |
| L7 Requests Per Sec (Inf-Inf) | 480,000 | 1,500,000 | 1,600,000 | 800,000 | 1,590,000 | 2,000,000 | 2,100,000 | 3,300,000 |
| Max. SSL TPS 2K Keys* | 7,000 | 5,000 | 9,000 | 14,000 | 68,000 | 9,000 | 68,000 | 130,000 |
| Price Performance | | | | | | | | |
| SLB/LTM | $23,095 | $76,995 | $94,995 | $32,995 | $113,295 | $119,995 | $145,195 | $296,995 |
| $ / L4 CPS | $0.05 | $0.09 | $0.09 | $0.04 | $0.03 | $0.09 | $0.03 | $0.05 |
| $ / SSL TPS 2K Keys | $3.00 | $3.05 | $2.80 | $2.14 | $1.29 | $2.26 | $1.72 | $2.08 |
| Resources | | | | | | | | |
| CPU Type | Intel Xeon Quad Core | Intel Xeon Quad Core | Intel Xeon Quad Core | Intel Xeon Quad Core | Intel Xeon Hexa Core | Intel Xeon Hexa Core | Intel Xeon Deca Core | Intel Xeon 2x Octo Core |
| Memory | 8 GB | 32 GB | 32 GB | 16 GB | 32 GB | 48 GB | 64 GB | 128 GB |

* Additional SSL performance available

Note: based upon F5 lowest priced “Good” license package with LTM only (NO Better/Best). Source: Company Public Data Sheets


ACOS: SW Agility Supports Rapid Product Line Extensions
Future Products in Development

[Diagram: product lines built on ACOS]
• TPS: VOLUMETRIC ATTACK MITIGATION | RESOURCE ATTACK MITIGATION | PROTOCOL ATTACK MITIGATION
• CGN: CGNAT | IPv6 | IP PROXY GATEWAY
• ADC: SLB | NAT | DDoS | DNS FW | WAF | AAM | SSL OFFLOAD | SSL INTERCEPT

Gold Standard for Reliability & Quality

• ACOS designed for reliability
  – No HDD – SSD only
  – No CPU fans – hot-swap fans only
  – No moving parts on motherboard
• Reliability Data
  – A10 DOA & RMA rate: < 2.0% (2013 rate)
  – Industry standard DOA & RMA rate: ~4.0% (IT infrastructure)


Customer Case Studies

ADC Solution

CASE STUDY: BOX
Leading, fast-growing “prosumer” cloud service

NEED
• Scalable ADC infrastructure to provide high performance to growing user base
• Solve low reliability and outages from incumbent

SOLUTION
• Greater than 4x connections / sec. and 3x of throughput
• Greater than 2x price-performance with increased reliability
• Reduced network downtime

[Chart: A10 Thunder 3030S ADC vs. F5 ADC BIG-IP 4000S]
• Throughput (Gbps): 30 vs. 10 (3x)
• Connections (L4 CPS): 750,000 vs. 150,000 (5x)
• Price: $30K Base vs. $64K* (½)

* F5 “Better” License


CGN Solution

CASE STUDY
National provider of wireless voice, messaging and data services

NEED
• Deliver reliable service to millions of subscribers
• Avoid costly & disruptive IPv6 replacement

SOLUTION
• Scalable translation solution that extends life of IPv4
• Roughly 3x overall performance at roughly ¼ $$$ price vs. incumbent edge-router vendor

[Chart: A10 CGN (1 RU Space) vs. Juniper MX480 3D MS-DPC (4) (8 RU Space)]
• Capacity (# Subscribers): 512,000 vs. 136,000 (~4x)
• Simultaneous Sessions (# Flows): 256M vs. 68M (~4x)
• Throughput (Gbps): 115 vs. 76 (1.5x)


Thunder Series ADC
Product Line Overview
Thunder ADC Solutions to Enhance Your Business

Availability
• Scale Web and key infrastructure
• Reduce downtime
• Ensure business continuity

Acceleration
• Provide fast and responsive services
• Competitive advantage
• Drive down CAPEX and OPEX

Security
• Protect against advanced and emerging attacks
• Protect brand and guard against revenue loss
• Meet required compliance standards


Enterprise Data Center

• Application availability
  – To maintain uptime
  – SLB, GSLB, high-availability (HA), Health-checks, more…
• Application acceleration
  – For equipment consolidation and faster user experience
  – Caching, compression, network optimization, more…
• Application security services
  – For brand and asset protection while enhancing your existing security
  – FWLB, WAF, SSL services, more…

[Diagram: A10 ADC in front of Web App, DNS and Other App servers, with a Backup Data Center]
• Security: DDoS Mitigation, WAF, DAF, AAM
• Acceleration: SSL Offload, TCP Reuse, RAM Caching, Compression
• Availability: GSLB, High-availability, Health-checks


DMZ Security Solutions

• Scaling security devices and encrypted communications
  – SSL Intercept: Eliminate encryption blind spot and scale security appliances
  – FWLB and SSL offload, more…
• Defend against emerging DDoS attacks
  – Network and application protection
• Selectively apply dynamic security chains
  – Traffic steering and advanced ADC services

[Diagram: security devices (Firewalls, IDS/IPS, DLP, Other) placed between two A10 ADCs, with the Data Center on one side and Internal Users on the other]
• A10 ADC: Firewall Load Balancing, DDoS Mitigation, WAF, DAF, AAM, Traffic Steering, aFleX Scripting, SSL Offload
• A10 ADC: Firewall Load Balancing, SSL Intercept


Application Access Management

Application Access Management (AAM)

• Values:
  – Requires valid user authentication for resource access
  – Enhanced protection and server efficiency
  – Authentication offload
• Advantages:
  – Supports popular authentication services/stores
  – No adjustment to Web servers or infrastructure
  – Seamless integration
  – No license required

[Diagram: AAM authentication flow with the labels Access Request, Authentication Challenge, Success and Access Granted]


AAM Features

• Authentication Methods
  – Basic HTTP
  – Form Based
    ◦ Web page generated from Thunder ADC (not Web servers)
  – Certificate authentication with OCSP responder support
• Authentication Server Support
  – LDAP
    ◦ Including password change
  – Kerberos
  – RADIUS
  – OCSP
• Authentication Relay
  – Basic HTTP
  – Kerberos Authentication
    ◦ Single Sign-On
    ◦ Kerberos Constrained Delegation (KCD)
    ◦ Kerberos Protocol Transition (KPT)
• Health Monitoring
  – LDAP
  – RADIUS
• Load Balancing
  – LDAP
  – RADIUS
  – OCSP

AAM Transaction Overview

• Example AAM Configuration
  – Logon (HTTP Basic Login)
  – Authentication (LDAP Authentication)
  – Authentication Relay (HTTP Basic)

[Diagram: Clients, SharePoint Servers, Active Directory]


SSL Intercept
SSL Intercept Overview

• The SSL Intercept feature transparently intercepts encrypted traffic, decrypts it, forwards it through a firewall for deep packet inspection, and then securely forwards it on to its destination
• 2048-bit keys are now the standard
  – CPU utilization rises exponentially with encryption strength increase
• Thunder ADCs are the right choice
  – Dedicated security processors for hardware SSL
  – Firewalls can’t always do SSL Intercept with scale
  – Freedom to choose best-of-breed traffic inspection/mitigation

[Diagram: numbered steps 1 to 6 between the Client, an A10 ADC (encrypted), Inspection/Protection devices (DLP, IDS, UTM, Other) on the decrypted segment, a second A10 ADC, and the Server]

SSL Intercept Function

• Transparently intercept SSL traffic, decrypt it, and send it through the firewall
• There are three distinct stages of traffic handling, as depicted in the diagram
  1. Traffic is encrypted in passing from the client to the inside Thunder ADC
  2. Traffic passes from the inside Thunder ADC to the outside Thunder ADC, and then through the firewall. Traffic is in plain text during this segment
  3. Traffic from the outside Thunder ADC is sent to the remote server, where it is encrypted once again

[Diagram segments: SSL Encrypted Connection; Unencrypted Traffic Flow; SSL Encrypted Connection]


Thunder ADC SSL Intercept Solution

• User connects to site using SSL
• ACOS terminates client/server SSL connection on internal/external forward proxy ACOS ADCs
• ACOS creates an unencrypted zone
• Unencrypted traffic passes to security devices, which can now inspect the traffic and mitigate per corporate policy

[Diagram: SSL Connection to www.example.com, encrypted on both outer segments; between the two ADCs an Un-encrypted ZONE carries decrypted traffic to Malware Detection and Security Forensics]


High Performance Security with SSL Intercept

• Problem: Provide high performance security for
  – Stateful Firewall
  – URL Filtering
  – IDS/IPS
  – SSL decryption and inspection
• Enabling all these features degrades security performance significantly
  – Solution: ACOS Series SSL Intercept with Security Processors
  – Net Effect: Security platforms have more processing resource available for policy inspection due to ACOS SSL Intercept

[Diagram, two panels, each an SSL Connection to www.example.com: one in which a single device performs Decryption, inspection & Firewall IPS/IDS, and one in which traffic is encrypted outside and decrypted between the ACOS devices]


Application Delivery Partition (ADP)

ADP Overview and Benefits

• Application Delivery Partitions (ADP) provide isolation of configuration components and administration
  – Role-based Administration partitions (up to 255 RBA partitions)
    ◦ Isolate Layer 4 - 7
    ◦ Share resources (app, network, and system) with the rest of the system equally
  – Layer 3 Virtualization partitions (up to 1023 L3V partitions)
    ◦ Isolate Layer 3 - 7
    ◦ Allow customized resource allocation through system-resource-usage templates

A1-Active-vMaster[1/1](config)#system resource-usage template L3V_1
A1-Active-vMaster[1/1](config-resource template)#?
  app-resources       Enter the application resource limits
  network-resources   Enter the network resource limits
  system-resources    Enter the system resource limits

Note: An additional RBA and L3V partition exists if you count the shared partition allocation


Sharing Resources in RBA Partitions

[Diagram: three partitions (RBA_Part1, RBA_Part2, RBA_Part3)]
• Private space, Layers 4-7: Virtual server; Server _s1 (Port 80, 10.0.0.10)
• Shared space, Layers 1-3: VE interfaces, IP addresses, VLANs, Ethernet interfaces

In layers 1-3, objects are public and must be unique. They can be shared, unless they are a part of a private object defined in an RBA partition. Server _s1's IP address in this example cannot be used by any other partition.


Sharing Resources in L3V Partitions

[Diagram: three partitions (L3V_Part1, L3V_Part2, L3V_Part3)]
• Private space, Layers 3-7: each partition has its own Virtual server, Server _s1 (Port 80, 10.0.0.10) and Configured interfaces
• Shared space, Layers 1-2: VLANs, Ethernet (physical) interfaces

Note: In L3V partitions IP addresses are private


aFleX TCL Scripting
aFleX Overview

• aFleX is a powerful and flexible Thunder feature that you can use to manage your traffic and provide enhanced benefits/services
  – aFleX uses industry-standard TCL (Tool Command Language) based syntax
    ◦ Standard TCL commands
    ◦ Special set of extensions provided by the Thunder
  – aFleX allows:
    ◦ Content inspection (headers / data)
    ◦ Actions on traffic
      – Block traffic
      – Redirect traffic to a specific Service Group (pool) or Server (node)
      – Modify traffic content


aFleX Configuration

• Place aFleX script on the Thunder
  – Using CLI
    ◦ Use a computer with any text editor to write an aFleX script and save it as a file
    ◦ Use “import aflex” command to import the aFleX file from a server to Thunder
    ◦ aFleX CLI syntax check: "aflex check <name>"
  – Using Web GUI
    ◦ With ACOS Web interface, users can directly type in aFleX scripts and save them on the Thunder under "Config > Service > aFleX"
  – Using aFleX Editor
    ◦ aFleX editor can download/upload aFleX scripts from/to the Thunder. Moreover, it can do syntax checking. It also has syntax highlighting, keyword auto-completion, etc.


aFleX Five Basic Elements

1. Events: Triggered based on client/server packet and/or connection flow
2. Operators: A descriptive string representing a relational or logical operation to be executed
3. Commands: Used on elements within the packet flow headers in order to gather data or provide various aFleX functionality
4. Variables: Used to store information to memory to be recalled when needed
5. Conditionals: Control structure in programming that allows you to create a logical flow within your code


Creating an aFleX

• Sample use cases for aFleX scripting
  – Redirect end users to backup data center when primary data center is not reachable
  – Transparent conversion of HTTP requests to HTTPS
  – Add a hostname to an existing Web site
• Both CLI and GUI options for aFleX scripting
  – CLI: aflex create <name>
  – GUI: See screenshot


Sample aFleX Scripts



A10 Thunder Platforms
Thunder ADC Hardware Appliances

[Chart: Price vs. Performance, models listed here from lowest to highest]

| Model | Throughput | L4 CPS | RPS (HTTP) | Hardware |
|---|---|---|---|---|
| Thunder 930 ADC | 5 Gbps (L4&L7) | 200k | 1M | |
| Thunder 1030S ADC | 10 Gbps (L4&L7) | 450k | 2M | |
| Thunder 3030S ADC | 30 Gbps (L4&L7) | 750k | 3M | |
| Thunder 4430(S) ADC | 38 Gbps (L4&L7) | 2.7M | 11M | |
| Thunder 5430S ADC | 77/75 Gbps (L4/L7) | 2.8M | 17M | SSL Processor, Hardware FTA |
| Thunder 5430(S)-11 ADC | 79/78 Gbps (L4/L7) | 3.7M | 20M | SSL Processor, Hardware FTA |
| Thunder 5630 ADC | 79/78 Gbps (L4/L7) | 6M | 32.5M | SSL Processor, Hardware FTA |
| Thunder 6430(S) ADC | 150/145 Gbps (L4/L7) | 5.3M | 31M | SSL Processor, Hardware FTA |
| Thunder 6630 ADC | 150/145 Gbps (L4/L7) | 7.1M | 38M | SSL Processor, Hardware FTA |

SSL Processor also appears among the Thunder 1030S, 3030S and 4430(S) entries.

vThunder Software Appliances

vThunder (Perpetual Licensing)

• 200 Mbps to 8 Gbps
• VMware, KVM, Hyper-V & Xen hypervisors
• Dynamic provisioning, faster roll out
• Scale up or down on-demand

[Chart: Price vs. Performance tiers: Lab Edition; Entry Level/Lab 200 Mbps; Entry Level/Lab 1 Gbps; High-performance 4 Gbps; High-performance 8 Gbps]

Thunder Hybrid Virtual Appliance (HVA)

• Why HVA?
  – Hardware acceleration
  – Deploy instances on demand
  – Consolidation
  – Strong hypervisor-based isolation
• Advantage:
  – Hardware performance, virtual flexibility
  – OpenStack management
  – SR-IOV support for network and SSL acceleration
  – No performance or feature licenses

[Chart: Price vs. Performance]
• Thunder 3030S HVA: 8 instances, 35 Gbps
• Thunder 3530S HVA: 40 instances, 100 Gbps


3rd-Party Integrations: SDN/Cloud Orchestration Integration

• Achieve automation, operational agility, and reduced TCO
• SDN integration
  – Overlay & fabric integration
  – VXLAN and NVGRE
  – IBM SDN-VE, Cisco APIC, VMware NSX
• Cloud orchestration integration
  – Policy integration with Cloud orchestration platforms
  – aGalaxy, Microsoft SCVMM, VMware vCloud Director, OpenStack

Note: For more details on SDN and Cloud Orchestration material, refer to the aCloud presentation slide deck.


Thunder Series CGN
Product Line Overview
Service Provider & Enterprise Challenges

• Preserve Investments in existing infrastructure
  – Compatibility with current network architecture
  – Extend existing IPv4 network infrastructure
• Transparent end user experience
  – Ensure applications and services are maintained
  – Business continuity in case of failure
• Smooth transition to IPv6
  – Need to support any/all migration technologies


A10 CGN Value Proposition

Most complete feature set:
• IPv4 extension
• IPv6 migrations
• Application Layer Gateways
• Run any/all features on one unit
• High availability and security

Highest performance:
• 256 million sessions
• 150 Gbps throughput
• Cluster to 1 Tbps+
• Purpose built appliances
• All inclusive license

Form Factor Flexibility:
• Physical
• Virtual
• Hybrid
• SDN/NFV ready
• Small form factor
• 1-3U appliances

Beats Chassis/modules alternatives hands down: Superior comprehensive feature set, highest performance, smallest form factor, lowest power and cooling, best ROI

Common IPv6 Migration Techniques

| Dual-Stack | Encapsulation | Translation |
|---|---|---|
| Native IPv4, IPv6 | 6rd, DS-Lite | NAT64, NAT46 |

Why so many options?
Every network is different and no one implementation fits all


A10's IPv6 Migration Options

[Diagram with columns Access, Destination, Migration and A10 offers, pairing IPv4 or IPv6 access networks with the IPv4 or IPv6 Internet]
• Migration options shown: 6rd; Stateful NAT64/DNS64; Stateless NAT46; DS-Lite; Lw-4o6
• Callouts: One box solution! Unique Service Provider feature


Thunder CGN Hardware Appliances

[Chart: Price vs. Performance, models as listed on the slide from top to bottom]
• Thunder 6630(S) CGN
• Thunder 6430 CGN
• Thunder 5630(S) CGN
• Thunder 5430(S)-11 CGN
• Thunder 3530S HVA
• Thunder 5430S CGN
• Thunder 3030S HVA
• Thunder 4430(S) CGN
• Thunder 3030S CGN

All inclusive licensing
Thank you
vThunder Free Trial – Try Today

• Visit www.a10networks.com
  – 30 days, 5 Mbps limit
  – Full features
  – For VMware, Hyper-V, KVM and Xen
