A10 Networks 2.0 Release
A10 Networks, a relative newcomer to the application delivery/load balancing market, has nonetheless made its mark. Recently, they released the 2.0 version of their firmware for the AX line of ADC/load balancers, and A10 was kind enough to send me an evaluation box to take a look.
How It Fits Into the Network
The AX series can operate in Layer 3 (route-path) and Layer 2 (bridge-path) modes. In bridging mode the A10 works in both the standard Layer 2 path (two VLANs, with the AX2200 bridging the two) and multi-armed mode, where the servers plug directly into the AX2200’s switch ports.
In Layer-3 mode, the AX2200 can work in either one-armed mode (VIPs and real servers on the same subnet) or two-armed mode (VIPs and real servers on different subnets). Half-NAT (where the client’s true source IP address is preserved) and full-NAT (all connections appear to come from the load balancer) are supported, with the ability to insert the real source IP in an HTTP header if necessary.
The unit cannot operate in both Layer 2 and Layer 3 modes, however, so it’s either one or the other.
Networking
The AX2200 has 16 copper Gigabit Ethernet ports, with 4 additional fiber ports. These ports support 802.1Q VLAN trunking, so you can run multiple VLANs if needed. There’s also an additional management Gigabit Ethernet port, which can have its own default gateway configured (separate from the rest of the box, which comes in handy for a management network), as well as a pretty typical serial port.
Physical
Physically, the box is substantial. It’s quite sturdy and heavy with a 2U form factor that is fairly deep. There are two AC inputs on the back for power redundancy, and if both aren’t plugged in, there’s an alarm that goes off. There’s an alarm disable switch, but it must be used every time the unit is powered on with only one power source.
The box has a hard drive installed, as well as a flash drive, each holding two firmware images. This allows you to upgrade one, while having the other as a backup in case something goes awry.
Configuration
One of the nice aspects of the A10s is that if you’re familiar with load balancing concepts in general, you’ll be able to quickly adapt to the A10. They don’t diverge too much from standard SLB/ADC terminology and concepts, which comes in handy.
The CLI is Cisco-esque in nature, and follows most of the Cisco IOS syntax with a few exceptions (e.g. the “enable” command to enable an interface instead of “no shutdown”). If you’re used to Cisco, the command line shouldn’t be a problem.
The WUI (Web User Interface) is an evolution from the 1.x release, not a revolution. Most of the same basic concepts are there, some are just expanded upon more. There’s more liberal use of the template concept, allowing for things like rate limiting, cookie persistence, and other configuration templating.
On the whole, I found I could add a VIP with a few real servers in under a few minutes via the WUI. It’s quite responsive and easy to navigate.
Advanced Features
One of the A-list features of the A10 is its content control language, originally named aRules (somewhat similar to another content control language, F5’s iRules). They’ve changed the name to aFleX, although it’s still the same language.
New to the 2.0 release is aXAPI, an XML API for controlling the AX devices remotely. You can use various URLs and XML to monitor and configure via your own home-grown methods to automate tasks such as adding real servers or downing a global site.
Another nice feature that the A10 has (and had since the 1.x release) is the ability to do selective source-NATing. This addresses one of the most common issues that comes up, which is the “same subnet” problem (more on this in another post).
With selective SNAT, you create an ACL that matches any subnets that you want to be SNAT’d (typically the same network the servers are on, so they can connect to the VIP).

For example, let’s say your servers are on the subnet 192.168.1.0/24. Without doing SNAT, you can connect to your VIP from any IP address except the server subnet. You apply the ACL so that anything from 192.168.1.0/24 gets SNAT’d, while everyone else connects in from their true source. You get the best of both worlds.
A10 isn’t the only vendor that offers selective SNAT, but there aren’t many that do.
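The selective SNAT decision described above, modelled as an added example (it is not A10 code or configuration). Apart from 192.168.1.0/24, every address is constructed, and it assumes the servers use the load balancer as their default gateway.

```python
import ipaddress

# 192.168.1.0/24 is the article's example subnet; every other address is constructed.
SERVER_NET = ipaddress.ip_network("192.168.1.0/24")
VIP = ipaddress.ip_address("192.168.1.100")
REAL_SERVER = ipaddress.ip_address("192.168.1.10")
LB_SNAT_IP = ipaddress.ip_address("192.168.1.2")
SNAT_ACL = [SERVER_NET]  # sources matching an entry here are source-NAT'd


def to_server(client_ip, snat_acl):
    """Rewrite a client->VIP packet: destination NAT always, source NAT only on ACL match."""
    client = ipaddress.ip_address(client_ip)
    matched = any(client in net for net in snat_acl)
    return {"src": LB_SNAT_IP if matched else client, "dst": REAL_SERVER}


def trace(client_ip, snat_acl):
    """Return (connection_works, source_ip_the_server_logs) for one client."""
    pkt = to_server(client_ip, snat_acl)
    reply_dst = pkt["src"]
    if reply_dst == LB_SNAT_IP:
        # Reply goes back to the load balancer, which undoes both translations.
        reply_src = VIP
    elif reply_dst in SERVER_NET:
        # Client is on-link: the server answers it directly, bypassing the
        # load balancer, so the reply still carries the real server's address.
        reply_src = REAL_SERVER
    else:
        # Assumption: off-subnet replies leave via the load balancer (the
        # servers' default gateway), which restores the VIP as source.
        reply_src = VIP
    # The client opened its connection to the VIP and rejects anything else.
    return reply_src == VIP, str(pkt["src"])


if __name__ == "__main__":
    for label, acl in (("no SNAT", []), ("selective SNAT", SNAT_ACL)):
        for client in ("203.0.113.7", "192.168.1.50"):
            ok, logged = trace(client, acl)
            print(f"{label:15} client={client:13} works={ok} server_sees={logged}")
```

For clients that match the ACL, the server logs the load balancer's address rather than the client's, which is the case the HTTP header insertion mentioned earlier covers.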
Virtualization
The 2.0 release also includes an implementation of virtualization. You can create various partitions that allow different users to have control over their resources.
If you have control of a partition, resources aren’t assigned to you per se. You grab a resource, such as an IP address for a VIP, and that IP becomes “yours”. When that IP is in your partition, other partitions can’t use or modify it. Same thing with real servers; other partitions can’t disable/enable your real servers.
Currently, there’s no ability to restrict resources (such as bandwidth, connections per second, access to physical ports or VLANs, etc.), although you can limit the number of aFleX rules (just not how much CPU the rules take up).
It’s not quite full virtualization in the IBM LPAR/VMware mold, and vendors like Cisco (with their ACE) allow for a greater degree of virtualization. However, the A10 implementation does offer some benefits to organizations looking to partition users.
Conclusion
Overall, like the AX2000 review before it, I found the AX2200 with the new firmware to be a very capable box. It certainly has the features necessary to run with the big boys in the Enterprise market.


