Nortel Networks Alteon Application Switch 2424-SSL

Nitty Gritty

Let's get this out in the open--configuring the Alteon 2424 proved to be a challenge. The 2424 requires very little configuration for a standard Layer 4. However, I had to configure five separate VLANs, find LC-to-SC media converters and ensure that all the networking was functioning before I could get a look at the Layer 4-7 pieces of the device. And if you're used to a Cisco Systems IOS-like CLI, the requirement to associate an IP address with a VLAN via an interface seems strange.

To set up the 2424 to do basic Layer 4 load balancing for eight Web servers (emulated by Spirent Communications' WebReflector), I configured four separate VLANs for the Web servers (two per port on the WebReflector) and another VLAN for the 2424 connectivity to a Cisco Catalyst 6500.

One of the more noteworthy aspects of the 2424--something particular to Alteon switches--is that it lets you specify individual ports for client or server processing, or both. I enabled ports to which the WebReflector was connected for server processing, while I designated the single port into the Catalyst 6500, through which clients would access the Web site, for client processing. Although such work is tedious, it lets the 2424 eliminate internal processing for specific ports and concentrate cycles only on necessary functionality.

A new feature in the 2424 is its ability to enable/disable delayed binding at Layer 4, a default aspect of Layer 7 switching (routing traffic at the application layer is dependent on having the application data available to examine). When delayed binding is enabled at Layer 4, the 2424 makes no determination as to which back-end server should process the request until after the TCP handshake is completed and the HTTP headers have been received. This helps prevent DoS attacks by SYN floods, since the use of delayed binding doesn't let the initial SYN reach a back-end server until after the validity of the request is confirmed.

Configuration of a standard Layer 7 scenario with only two rules was more extensive than for Layer 4. Rules are bound to servers rather than a group or pool (as offered by competitors F5 Networks and Foundry Networks), so I had to associate the appropriate SLB (server load balancing) string to each server that would handle requests matching the rule. I also had to enable each virtual service (tied to a virtual server) for Layer 7 functionality, or "HTTP SLB" in Nortel-speak.

Running With It

I ran a standard test against the 2424 using 24-KB pages comprising 10-KB text, 4-KB images and 2-KB images, and was unable to max out the device. While processing 22,000 HTTP gets per second, the device showed only 21 percent CPU utilization. Other products I've tested under these conditions, such as those from F5 Networks and ArrayNetworks, have run in 90 percent CPU utilization while handling 10,000 HTTP gets per second. I ran this same test on other content switches in the lab, including those from ArrayNetworks, F5, Foundry and NetScaler, under the same configuration and load conditions, and the Alteon 2424 was able to process twice the requests of its competitors.Setting up a secured site using SSL is a chore, so be sure to budget some time for this task. The architecture requires the use of redirection and no fewer than three sets of filters across three disparate VLANs. The filters are needed for internal redirection between the client port(s), real server groups and the SSL blade. An additional filter set on the client port is required if you want clear text requests from clients to be redirected to a secure port. I much prefer the single-click options available in the competing products. And though all products require the same effort in terms of setting up certificates, most of the competitors allow you this level of redirection by simply checking a box within the Web console. Although filters and rules are employed by the competition, the complexity of such a subsystem is hidden from the user.

The 2424 can be deployed in a redundant configuration and uses VRRP (Virtual Router Redundancy Protocol) with optional HSRP (Hot Standby Routing Protocol) to provide failover capabilities. Bandwidth management is also an option, with up to 256 available "contacts" (policies) and the ability to apply them to ports, VLANs and virtual servers.

With a list price of $31,995 (as tested), the Alteon 2424 delivers value for the dollar. Its price point is lower than competitor F5 Networks', and with nearly twice the performance, the 2424 should be on your shortlist of content switches to evaluate when shopping for a load-balancing solution.

Lori MacVittie is a Network Computing technology editor working in our Green Bay, Wis., labs. Write to her at [email protected].

Post a comment or question on this story.