Initial Configuration of Alteon

1. To get the management IP address, do one of the following:
   - In the interface, click the Summary tab of your defined Alteon VA to view the IP address of the management network.
   - In the Alteon VA console, enter /info/sys/mgmt.
2. To disable DHCP, enter /cfg/sys/mmgmt/dhcp disable, and configure the management network manually using the CLI as follows:
   a. To configure the IP address, enter /cfg/sys/mmgmt/addr <ip address>
   b. To configure the mask, enter /cfg/sys/mmgmt/mask
   c. To configure the gateway, enter /cfg/sys/mmgmt/gw <default gw>
   d. To enable the configuration, enter /cfg/sys/mmgmt/ena
3. Enable the management interface access, as follows:
   - To configure Telnet, enter /cfg/sys/access/tnet e
   - To configure SSH, enter /cfg/sys/access/ssh/on
   - To configure HTTP, enter /cfg/sys/access/http/e
   Of these three, only SSH encrypts the management session; Telnet and HTTP carry credentials in cleartext.
4. To apply the configuration, enter apply.
5. To save the configuration, enter save.

Alteon Basic Configuration

To get the enter /oper/swkey in the CLI. After you receive the license, enter the CLI command /oper/swkey license_string

Models and specification

Platform | Throughput Levels | Form Factor | vADC Density
Alteon NG 5224 | 5 Gbps, 10 Gbps, 16 Gbps | Physical Appliance | 24
Alteon NG 5208 | 6 Gbps, 12 Gbps, 26 Gbps | Physical Appliance | 24
Alteon NG 6024 | 30 Gbps, 40 Gbps, 60 Gbps, 80 Gbps | Physical Appliance | 20
Alteon NG 6420 | 30 Gbps, 40 Gbps, 80 Gbps | Physical Appliance | 48
Alteon NG 8420 | 100 Gbps, 160 Gbps | Physical Appliance | 100
Alteon VA | 200 Mbps, 500 Mbps, 1 Gbps, 3 Gbps, 6 Gbps, 10 Gbps, 17 Gbps | Virtual Appliance | 1
Alteon VA for NFV | 40 Gbps, 100 Gbps, 160 Gbps, 200 Gbps | Virtual Appliance | 1

Platform | Throughput Levels | Form Factor | vADC Density
Alteon NG 4408 | 5 Gbps | Physical Appliance | 1
Alteon 4416 | 1 Gbps, 2 Gbps, 4 Gbps | Physical Appliance | 1
Alteon 5412 | 8 Gbps, 12 Gbps, 16 Gbps, 20 Gbps | Physical Appliance | 28

Alteon NG ADC Platforms

Alteon NG 8420 - Technical Specifications
- Designed for carriers, mobile operators and large enterprises
- High-end performance application delivery appliance
- On-demand 100 & 160 Gbps throughput scalability
- Carrier-grade reliability
- Supports ADC-VX with up to 100 vADCs
- 128 GB up to 256 GB memory
- Provides SSL acceleration, compression and caching
- 4 ports of 40 GE (QSFP+) and 20 ports of 10 GE / GE (SFP+)
- USB interface for software installation and recovery
- Dual AC/DC power supply

Alteon NG 6420 - Technical Specifications
- Designed for Carriers, Mobile operators and Very Large Enterprises
- High-end performance application delivery appliance
- On-demand 30-80 Gbps throughput scalability
- On-demand service scalability
- Supports ADC-VX with up to 48 vADCs
- Provides SSL acceleration, compression and caching
- 4 ports of 40 GE (QSFP+) and 20 ports of 10 GE / GE (SFP+)
- RJ45 serial connection
- USB interface for software installation and recovery
- Front to back fans suitable for new data centers design
- Dual AC/DC power supply

Alteon NG 6024 - Technical Specifications
- Designed for Carriers, Mobile operators and Very Large Enterprises
- High-end performance application delivery appliance
- On-demand 30-80 Gbps throughput scalability
- On-demand service scalability
- Supports ADC-VX with up to 32 vADCs
- Provides SSL acceleration, compression and caching
- 24 ports of 10 GE / GE (SFP+)
- Two redundant management ports providing out-of-band highly reliable management interfaces with enhanced security
- RJ45 serial connection
- USB interface for software installation and recovery
- Front to back fans suitable for new data centers design
- Dual AC/DC power supply

Alteon NG 5224 - Technical Specifications
- High performance application delivery appliance covering wide throughput range: 5 to 16 Gbps throughput capacity
- On-demand throughput scalability: 5, 10 & 16 Gbps throughput licenses
- Supports ADC-VX with up to 24 vADCs
- On-demand service scalability
- 2 x 10 GbE SFP+, 16 x 1 GbE SFP, 8 x 1 GbE RJ45
- Two redundant management ports providing out-of-band highly reliable management interfaces with enhanced security
- USB interface for software installation and recovery
- Single or Dual AC/DC power supply
- Suitable for mid-size to large enterprises that require a high-performing solution
- Provides SSL acceleration, compression, and caching
- Front-to-back fans suitable for new data centers design

Alteon NG 5208 - Technical Specifications
- High performance application delivery appliance covering wide throughput range: 6 to 26 Gbps throughput capacity
- On-demand throughput scalability: 6, 12 & 26 Gbps throughput licenses
- Supports ADC-VX with up to 24 vADCs
- On-demand service scalability
- 2 x 10 GbE SFP+, 8 x 1 GbE RJ45
- USB interface for software installation and recovery
- Hot swappable Dual AC/DC power supply
- Suitable for mid-size to large enterprises that require a high-performing solution
- High performance SSL acceleration, compression, and caching
- Front-to-back fans suitable for new data centers design

Alteon VA
- Runs on any general purpose server
- Supports all leading hypervisors: VMware ESX/ESXi, KVM, Open XEN and Microsoft Hyper-V
- Several Alteon VA instances can run on a single physical server
- On-demand throughput scalability: 200 Mbps, 500 Mbps, 1 Gbps, 3 Gbps, 6 Gbps, 10 Gbps, 17 Gbps throughput licenses
- Fully equivalent (functionality wise) to any other Alteon physical appliance and platform
- Suitable for small, medium and large datacenters
- Provides SSL acceleration, compression, and caching
- Also available as a cloud service on Amazon Marketplace in CAPEX and OPEX models

Alteon VA for NFV - Platform Highlights
- Runs on commercially off the shelf x86 server
- Complete integration with NFV based infrastructure virtualization and orchestration frameworks (KVM, OpenStack)
- NFV compliant to provide traffic steering and load balancing capabilities of up to 200 Gbps per Alteon VA instance
- On-demand throughput scalability: 40 Gbps and 200 Gbps throughput licenses
- Fully equivalent (functionality wise) to any other Alteon physical appliance and platform
- Suitable for large enterprises, online businesses, mobile and fixed line carriers

Alteon NG 4408 - Technical Specifications
- 5 Gbps high performance application delivery appliance
- On-demand service scalability
- 6 Gigabit Ethernet ports (copper) + 2 Gigabit fiber ports (SFP-GBIC Mini)
- RJ45 serial connection
- USB interface for software installation and recovery
- Suitable for small, medium and large datacenters
- Provides SSL acceleration, compression, and caching

Alteon 5412 - Technical Specifications
- High performance application delivery appliance – up to 20 Gbps throughput capacity
- On-demand throughput scalability: 8, 12, 16 & 20 Gbps throughput licenses
- Supports ADC-VX with up to 28 vADCs
- On-demand service scalability
- 4 10 Gigabit Fiber Ports (XFP pluggable optics) + 4 Gigabit Fiber Ports (SFP-GBIC Mini) + 8 Gigabit Ethernet Ports
- Two redundant management ports providing out-of-band highly reliable management interfaces with enhanced security
- LCD panel displaying key statistics
- USB interface for software installation and recovery
- Dual, redundant AC/DC power supply
- Suitable for very large enterprise and carrier data centers that require high-end throughput levels
- Provides SSL acceleration, compression, and caching

Alteon 4416 - Technical Specifications
- High performance application delivery appliance up to 4 Gbps
- On-demand throughput scalability: 1, 2 & 4 Gbps throughput licenses
- On-demand service scalability
- 12 Gigabit Ethernet ports (copper) + 4 Gigabit fiber ports (SFP-GBIC Mini)
- RJ45 serial connection
- USB interface for software installation and recovery
- LCD panel displaying key statistics
- Suitable for small, medium and large datacenter
- Provides SSL acceleration, compression, and caching

Configuring Alteon

1. Log in to the switch using PuTTY.
2. Select n to not run the setup script:

Configuring Interfaces 1. Configuring Interfaces

Enabling IP forwarding

Enable IP forwarding between interfaces:

Configuring static routes

1. Define static routes to:
   - 192.168.40.0/24 network via CES 1 public IP (192.168.20.2) using Alteon 1 interface 2;
   - 192.168.50.0/24 network via CES 2 public IP (192.168.30.3) using Alteon 1 interface 3
2. Apply the changes.

Basic Server Load Balancing configuration steps

Commands.

1. Enabling SLB globally

2. Configuring real servers

Configure and enable Alteon 2 interfaces (interface 1 – 192.168.40 and interface 2 – 192.168.50) as real servers (real 1 and real 2):

3. Adding real servers to a group

1. Create a group for real servers and add the created real servers to the group:
2. Set metric hash:
3. Set health to ICMP:

KAILAS APATHADE

4. Add VIP and Bind to a service group

Planning Parameters

Specification | 8420
Max Number of CU | 104
CU throughput per CU | 1538
CU SSL Limit CPS | 1400
CU Compression Limit Mbps | 130

Main Definition and term used

Radware Term | Definition

802.1Q Trunking is an IEEE protocol that interconnects VLANs between multiple switches, routers, and servers. With 802.1Q, a network administrator can define a VLAN topology to span multiple physical devices. When VLANs are physically attached to different switches, because the trunk link carries traffic for all of these VLANs, all the users in a given VLAN are in the same broadcast domain. IEEE 802.1Q switches normally support FastEthernet and GigabitEthernet interfaces. An 802.1Q trunk link provides VLAN identification by adding a 4-byte tag to an Ethernet frame as it leaves a trunk port. Because the frame has been changed, a new frame check sequence (FCS) must also be computed and added to the frame.

Active-Active is a redundancy configuration involving two AppDirector platforms (both must be the same type) where each platform can be both the Active platform for predefined farms and the Backup platform for other farms. In the event of a failure of one platform, the other platform temporarily assumes ownership of all farms.

Active-Backup: In an Active/Backup configuration, the primary AppDirector platform is configured with the primary Virtual IP addresses. This platform performs the regular AppDirector operations, handling all the inbound sessions to the Virtual IP addresses and distributing traffic among the servers in the farm linked to the Virtual IP address (using a Layer 4 Policy).

preemption: In VRRP, preemption causes a virtual router that has a lower priority to become the backup, should a peer virtual router start advertising with a higher priority.

preferred master: An Alteon platform that is always active for a service, and forces its peer to be the backup. Preferred master is set according to VRRP priority. If a primary device is set with VRRP priority 101, and a secondary device is set with priority 100, then the primary device is preferred master.

priority: In VRRP, the value given to a virtual router to determine its ranking with its peers. A higher number wins out for master designation. Values: 1–254 for an IP renter, 255 for an IP owner. Default: 100

proto (protocol): The protocol of a frame. Can be any value represented by an 8-bit value in the IP header adherent to the IP specification, such as TCP, UDP, OSPF, ICMP, and so on.

real server group: A group of real servers that are associated with a virtual server IP address, or a filter.

RIP (real server IP address): An IP address to which Alteon load balances when requests are made to a virtual server IP address (VIP).

redirection or filter-based load balancing: A type of load balancing that operates differently from virtual server-based load balancing. With this type of load balancing, requests are transparently intercepted and redirected to a server group. Transparently means that requests are not specifically destined for a virtual server IP address that Alteon owns. Instead, a filter is configured on Alteon. This filter intercepts traffic based on certain IP header criteria and load balances it. Filters can be configured to filter on the SIP/range (via netmask), DIP/range (via netmask), protocol, sport/range or dport/range. The action on a filter can be Allow, Deny, Redirect to a Server Group, or NAT (translation of either the source IP or destination IP address). In redirection-based load balancing, the destination IP address is not translated to that of one of the real servers. Therefore, redirection-based load balancing is designed to load balance Alteons that normally operate transparently in your network—such as a firewall, spam filter, or transparent Web cache.

SIP (source IP address): The source IP address of a frame.

Glossary

Term | Description

active-active configuration: A configuration in which two Alteons can process traffic for the same service at the same time. Both Alteons share interfaces at Layer 3 and Layer 4, meaning that both Alteons can be active simultaneously for a given IP routing interface or load balancing virtual server (VIP).

active-standby configuration: A configuration in which two Alteons are used. The active Alteon supports all traffic or services. The backup Alteon acts as a standby for services on the active master Alteon. If the master Alteon fails, the remaining Alteon takes over processing for all services. The backup Alteon may forward Layer 2 and Layer 3 traffic, as appropriate.

DIP (destination IP address): The destination IP address of a frame.

dport (destination port): The destination port (application socket: for example, HTTP-80, HTTPS-443, DNS-53).

hot-standby configuration: A configuration in which two Alteons provide redundancy for each other. One Alteon is elected master and actively processes Layer 4 traffic. The other Alteon (the backup) assumes the master role if the master fails. In a hot-standby configuration, the Spanning Tree Protocol (STP) is not needed to eliminate bridge loops. This speeds up failover when an Alteon fails. The standby Alteon disables all data ports configured as hot-standby ports, whereas the master Alteon sets these same ports to forwarding. Consequently, on a given Alteon, all virtual routers are either master or backup; they cannot change state individually.

LAG (link aggregation group): A logical port containing physical ports, as provided for by the Link Aggregation Control Protocol (LACP). A LAG can contain up to a total of eight physical and standby ports.

NAT (Network Address Translation): Any time an IP address is changed from one source IP or destination IP address to another address, network address translation (NAT) can be said to have taken place. In general, half NAT is when the destination IP or source IP address is changed from one address to another. Full NAT is when both addresses are changed from one address to another. No NAT is when neither source nor destination IP addresses are translated. Virtual server-based load balancing uses half NAT by design, because it translates the destination IP address from the virtual server IP address to that of one of the real servers.

split brain: A failure condition in which there is no communication or synchronization between two Alteon platforms which both behave as the master.

sport (source port): The source port (application socket: for example: HTTP-80, HTTPS-443, DNS-53).

tracking: A method to increase the priority of a virtual router and, as a result, the master designation (with preemption enabled).

virtual server load balancing: Classic load balancing. Requests destined for a virtual server IP address (VIP), which is owned by Alteon, are load balanced to a real server contained in the group associated with the VIP. Network address translation is done back and forth, by Alteon, as requests come and go. Frames come to Alteon destined for the VIP. Alteon then replaces the VIP with one of the real server IP addresses (RIPs), updates the relevant checksums, and forwards the frame to the server for which it is now destined. This process of replacing the destination IP (VIP) with one of the real server addresses is called half NAT. If the frames were not sent to the address of one of the RIPs using half NAT, a server would receive the frame that was destined for its MAC address, forcing the packet up to Layer 3. The server would then drop the frame, because the packet would have the DIP of the VIP, and not that of the server (RIP).

VRRP (Virtual Router Redundancy Protocol): A protocol that acts similarly to Cisco’s proprietary HSRP address sharing protocol. The reason for having both of these protocols is so that Alteons have a next hop or default gateway that is always available. Two or more Alteons sharing an IP interface are either advertising or listening for advertisements. These advertisements are sent via a broadcast message to an address such as 224.0.0.18. With VRRP, one Alteon is considered the master and the other the backup. The master is always advertising via broadcasts. The backup Alteon is always listening for the broadcasts. Should the master stop advertising, the backup takes over ownership of the VRRP IP and MAC addresses as defined by the specification. Alteon announces this change in ownership to Alteons around it by way of a Gratuitous ARP, and advertisements. If the backup Alteon did not perform Gratuitous ARP, the Layer 2 devices attached to Alteon would not know that the MAC address had moved in the network. For a more detailed description, refer to RFC 2338.

VRRP router: A physical router running the Virtual Router Redundancy Protocol.

virtual router (VR): An address shared by two Alteon platforms using VRRP, as defined in RFC 2338. A virtual router is the master on one Alteon, and the backup on the other. Alteon determines which virtual router to use for interfaces, virtual IP addresses, and proxy IP addresses. For each virtual router, the virtual router identifier (VRID) and the IP address are the same on both Alteons in the high availability solution.

VRID (virtual router identifier): In VRRP, a value used by each virtual router to create its MAC address and identify its peer for which it is sharing this VRRP address. The VRRP MAC address as defined in the RFC is 00-00-5E-00-01-{VRID}. If you have a VRRP address that two Alteons are sharing, then the VRID number must be identical on both Alteons so each virtual router on each Alteon can determine with which Alteon to share. Assign the same VRID to the Alteon platforms in a high availability solution. Radware recommends that you do not use this VRID for other devices in the same VLAN. Values: 1–255

virtual router MAC address: A MAC address associated with a virtual router. For legacy-based MAC addresses, the five highest-order octets of the virtual router MAC address are the standard MAC prefix defined in RFC 2338. The VRID is used to form the lowest-order octet. The MAC address format is as follows:
- If HA ID is non-zero: 00:03:B2:78:XX:XX, where XX:XX is the combination of HAID and VRID.
- If HA ID=0 for IPv4: 00:00:5E:00:01:XX, where XX is the VRID.
- If HA ID=0 for IPv6: 00:00:5E:00:02:XX, where XX is the VRID.

virtual router master: Within each virtual router, one VRRP router is selected to be the virtual router master. If the IP address owner is available, it always becomes the virtual router master. The master forwards packets sent to the virtual interface router. It also responds to Address Resolution Protocol (ARP) requests sent to the virtual interface router’s IP address. The master also sends out periodic advertisements to let other VRRP routers know it is alive, and its priority.

virtual router backup: A VRRP router within a virtual router not selected to be the master. If the virtual router master fails, the virtual router backup becomes the master and assumes its responsibilities.

VRRP advertisement messages: The master periodically sends advertisements to an IP multicast address. As long as the backups receive these advertisements, they remain in the backup state. If a backup does not receive an advertisement for three advertisement intervals, it initiates a bidding process to determine which VRRP router has the highest priority and takes over as master. The advertisement interval must be identical for all virtual routers, or virtual router groups.

virtual interface router (VIR): An IP interface that is bound to a virtual router.

Virtual interface IP address owner: A VRRP router where the associated Layer 3 interface IP address matches the VRRP real interface IP address. Only one of the VRRP routers in a virtual interface router may be configured as the IP address owner. There is no requirement for any VRRP router to be the IP address owner. Most VRRP installations choose not to implement an IP address owner, but use only a renter. A VIR owner is always dynamically assigned a priority of 255. If active, the VIR owner always assumes the master role, regardless of preemption settings. Tracking is not possible with a priority of 255.

virtual server router (VSR): A virtual router supporting Layer 4 (VIP) interfaces.

virtual proxy router (VPR): A proxy IP address that is bound to a virtual router.

VRRP sharing: When enabled, both Alteons are able to load balance an ingress request, even if an Alteon is not the master. A get request is directed by the routing protocol. When disabled, only a master Alteon can load balance an ingress request. A get request directed by the routing protocol is not processed. Sharing is enabled in active-active configurations, and disabled in all other configurations, such as active-standby and hot-standby.

VIP (virtual server IP address): An IP address that Alteon owns and uses to terminate a load balancing request for a particular service request.
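An added example (not from the original slides and not Radware code) showing the VRRP glossary terms from a passive monitor's side: it parses RFC 2338 advertisements, derives the virtual router MAC from the VRID, and flags the split-brain condition when two senders keep advertising as master for the same VRID inside the three-interval window. The function names, sample packets and IP addresses are constructed for illustration.

```python
import struct

VRRP_V2_ADVERT = 0x21        # version 2, type 1 (advertisement), per RFC 2338
MASTER_DOWN_INTERVALS = 3    # glossary: backups wait three advertisement intervals

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum; 0 over a valid message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def virtual_mac(vrid: int) -> str:
    """VRRP MAC for an IPv4 virtual router: 00-00-5E-00-01-{VRID}."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1-255")
    return f"00-00-5E-00-01-{vrid:02X}"

def parse_advert(payload: bytes) -> dict:
    """Parse and validate one VRRPv2 advertisement (the IP payload only)."""
    if len(payload) < 16:
        raise ValueError("truncated VRRP message")
    vt, vrid, prio, count, _auth, adver_int, _ck = struct.unpack("!BBBBBBH", payload[:8])
    if vt != VRRP_V2_ADVERT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(payload) != 8 + 4 * count + 8:      # header + addresses + auth data
        raise ValueError("length does not match address count")
    if inet_checksum(payload) != 0:
        raise ValueError("bad checksum")
    addrs = [".".join(str(b) for b in payload[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "adver_int": adver_int,
            "addrs": addrs, "mac": virtual_mac(vrid)}

def find_split_brain(observations):
    """observations: time-ordered (time_s, source_ip, payload) tuples.

    A normal failover or preemption looks like A, A, B, B: the old master goes
    quiet. Split brain looks like A, B, A: a source advertises again although
    another source advertised for the same VRID since its previous advert.
    """
    last = {}         # (vrid, source) -> time of that source's latest advert
    alerted = set()
    alerts = []
    for t, src, payload in observations:
        try:
            ad = parse_advert(payload)
        except ValueError:
            continue  # malformed messages are skipped in this sketch
        window = MASTER_DOWN_INTERVALS * ad["adver_int"]
        prev = last.get((ad["vrid"], src))
        if prev is not None and t - prev <= window:
            for (vrid, other), seen in last.items():
                pair = (vrid, frozenset((src, other)))
                if vrid == ad["vrid"] and other != src and prev < seen <= t \
                        and pair not in alerted:
                    alerted.add(pair)
                    alerts.append({"vrid": vrid, "mac": ad["mac"],
                                   "masters": sorted((src, other)), "time": t})
        last[(ad["vrid"], src)] = t
    return alerts

# Constructed sample packets: VRID 1, one address 192.168.10.1, interval 1 s.
ADV_PRIO_101 = bytes.fromhex("210165010001af52c0a80a010000000000000000")
ADV_PRIO_100 = bytes.fromhex("210164010001b052c0a80a010000000000000000")
SPLIT_BRAIN = [(0.0, "192.168.10.2", ADV_PRIO_101), (0.4, "192.168.10.3", ADV_PRIO_100),
               (1.0, "192.168.10.2", ADV_PRIO_101), (1.4, "192.168.10.3", ADV_PRIO_100)]
PREEMPTION = [(0.0, "192.168.10.3", ADV_PRIO_100), (1.0, "192.168.10.3", ADV_PRIO_100),
              (1.5, "192.168.10.2", ADV_PRIO_101), (2.5, "192.168.10.2", ADV_PRIO_101)]
```

The same alert also fires when an unexpected third device advertises for a VRID already in use, which is why the glossary's advice not to reuse a VRID within a VLAN matters.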