After being stagnant for several years, the load balancer/application delivery controller market has lately seen new life, with several existing vendors making renewed pushes, at least one vendor pulling out (Juniper), and a completely new vendor, A10 Networks, entering.
Founded by Lee Chen, co-founder of Foundry Networks, A10 Networks first came out with a network ID product called IDsentrie. They then entered the load balancing fray with the introduction of their AX series of application delivery/load balancing products in January of ’07, and have been aggressively going after the enterprise ADC (application delivery controller)/load balancer market since.
I got my hands on an A10 AX2000 recently, and gave it a look-see.
Setup and Configuration
Setup was pretty simple, and despite this not being a terribly good habit, I was able to get the system up and running without really looking at the manual. It’s not a dramatic departure from other similar products in terms of configuration, and that’s a good thing.
They follow the fairly common load balancer abstraction objects of virtual server/service, service group, and real server. In addition, they make heavy use of profiles (cookie profile, HTTP profile, etc.) which are applied to various VIP/group/real server parameters. They have the basics pretty much right in terms of making their configurations relatively easy.
I put together a little demonstration video for configuring a simple one-server load balancing setup, which you can view below.
If you’re curious as to the network setup I used for this video, here’s a diagram:
Network Implementation
One of the biggest issues with actually implementing any load balancing product is figuring out how it fits into a given infrastructure. For the AX2000, I was able to set it up successfully in both two-armed mode (VIPs and real servers on separate subnets) and one-armed mode (VIPs and real servers on the same subnet). Both modes worked with transparency (source IP is preserved) and non-transparency (source IP is obfuscated).
I was also able to set up load balancing in bridge-path mode, where traffic is forced through the load balancer on the way out because the load balancer sits in the Layer 2 path of traffic. Bridge-path isn’t new in the load balancing world (Alteons and other application switches have done this for a while), but it is interesting that the AX2000 supports this, as bridge-path had largely fallen out of favor. One of the main benefits of bridge-path is that you don’t have to worry about setting the default gateway of servers to the load balancer (while still keeping the source IP address of the clients intact in the server logs), since you’re forcing traffic back through the load balancer by virtue of its place in the Layer 2 infrastructure.
When operating in Layer 2 bridge-path mode, the AX2000 acts like a switch. However, it does not participate in STP (spanning-tree protocol) and instead it runs its own redundancy protocol so that only one device in an HA pair forwards Layer 2 frames. This is fortunate, as few things strike fear into the heart of a network administrator quite like the words “spanning-tree protocol”.
Physical
Physically, the AX2000 was heavier and more substantial than I had expected. The AX2000 model I reviewed had dual power supplies, and the case itself was of very solid metal construction.
High-End Features
One high-end feature of the AX series is the aRules control language. Based on Tcl, they’re similar to F5’s iRules (in terms of function and syntax) and allow for more granular control of HTTP traffic, both HTTP headers and HTTP content. The primary advantage of control languages is the ability to provide tighter integration and functionality to the application sitting on the server, and the primary disadvantage is the ability to provide tighter integration and functionality to the application. It’s a two-edged sword, and that’s where the value of an active user community really comes into play.
While the aRules do give a greater degree of control over traffic, they do have some catching up to do with F5’s iRules in terms of functionality and in terms of a community developed around that feature. That said, there are enterprise products that have been around for years that haven’t come up with their own control language. A10 came out with theirs before they hit birthday number one.
A handy tool that A10 includes is an aRuleEditor for Windows. You can create aRules with any text editor, but the aRuleEditor has syntax highlighting as well as all the functions available in a drop-down menu.
Performance
My apartment has many comforts, but among them is not the ability to push Gigabits of Layer 7 traffic, so I did not test the performance of this box. A10 Networks did commission the Tolly Group to test their boxes for performance, and you can find results on A10’s website for the AX2100 and AX3200 models.
List price for the AX2000 box with 5,000 SSL CPS (SSL acceleration is turned on by default, no additional licenses are required), 8 copper Gigabit ports, and 2 fiber Gigabit ports is $16,995. Double that for redundancy, of course.
Overall Impressions
From what I’ve seen, this is a very solid box. The feature set is there, the performance is there (at least according to the Tolly Group), and the company itself seems to be on track. Probably the most impressive aspect of it is that in a little over a year, they’ve put out a solid product with more features than products that have been out for years. They’ve got some catching up to do before they reach feature parity with F5, but they’re doing pretty good so far.


That’s a good review of A10. It’s nice to see a second opinion on gear we’re buying.
If it’s helpful to anyone, we’re posting the experiences from our vetting of the AX2200 here: http://blogs.digitar.com/jjww/
Very cool. I have been completely unable to get the time of day from A10 for the last several Interops. The marketing claims had been bold so I was trying to get a unit to test in my labs. Would love to put my existing infrastructure (Radware, F5, Netscaler, Crescendo) head to head with them in the real world and get some Truesight reports. With Interop coming up in a few weeks, perhaps this time around.
How is the SSL licensing? F5 ships their boxes with 100 SSL TPS, but if you want greater SSL TPS processing, you will need to purchase an additional licensing key.
How many SSL TPS does the A10 box support in the default configuration?
-Ron
Hi Ron,
With the A10 boxes, SSL is turned on by default to its maximum, so there’s no extra cost. According to A10, the AX2000 can handle up to 5,000 SSL CPS (connections per second). I went ahead and updated the article.
Tony
Hi Tony:
SSL CPS isn’t a good measure of how this box will actually perform in an SSL intensive environment. I am very suspicious that A10 has NEVER published SSL TPS statistics for its box like all of its competitors.
Dan
Hi Dan,
You might want to take a closer look at the Tolly Group reports they have published on their web sites.
http://a10networks.com/files/AX_2100-vs-BIG-IP-3400-Tolly.pdf
In particular, “Without reusing the SSL session, the AX2100 was able to achieve 5,391 SSL TPS for 128-byte objects”.
Tony
Ron, re SSL TPS, there are no licensing tiers. You buy the box, you can use whatever the box is capable of. In the case of my AX1000, I have seen it do over 1000 SSL TPS in my environment, and the box is rated for 5000. This is in the entry-level box. It might be identical in the 2000-series, b/c I think they use the identical SSL chip until the 2200 or 3200 (not sure).
Shawn
Dan, re suspicions on SSL performance, I am aware they use a recently-released Cavium Nitrox crypto accel chip, so I would believe it. All other parts of their architecture seem to be oriented toward performance, as well (not that features are hurting).
Mine has been in production 4 months, and all aspects of the organization have been very responsive to questions, testing, setup.