Features Document
Alteon Application Switch
AlteonOS 29
www.radware.com
Date: May 1, 2013

OVERVIEW ... 4
ALTEON ADC CAPABILITIES ... 4
  System ... 4
  ... 4
  Management ... 5
  Notifications ... 5
  Logging ... 6
  Utilities ... 6
  Basic Switching & Routing ... 6
    Layer 2 ... 6
    Layer 3 ... 7
  Local Application Switching ... 8
    Real Servers ... 8
    Server Groups ... 9
    Virtual Server-based Load Balancing ... 10
    Application Acceleration ... 10
    Filter-based Load Balancing ... 12
    Network Address Translation ... 13
    Content-based Load Balancing ... 13
    Persistency ... 14
    HTTP Content Modifications ... 15
    Advanced Features ... 16
  Global Application Switching ... 17
  Bandwidth Management ... 18
  Security ... 19
  Monitoring & Reporting ... 20
  Troubleshooting ... 20
ALTEON VIRTUALIZATION CAPABILITIES ... 20
  ... 20
  Resource Management ... 21
  Version Management ... 22
  License Management ... 22
  ADC-VX Management ... 22
  Network Virtualization ... 23
  High Availability ... 24
  Fault Isolation ... 25
This document does not specify or track specific hardware platform and feature limitations, or provide usage guidelines or instructions. Additional detailed information can be found in the release-specific User Guides, Release Notes, Maintenance Release Notes, and other related documents. This document is valid for AlteonOS version 29.

Overview

Alteon Application Switch
Alteon Application Switch is an intelligent application delivery controller (ADC) which enhances the delivery of applications over IP networks by bridging the gap between applications and networks. Alteon Application Switch provides breakthrough performance, advanced application acceleration capabilities and the on-demand scalability needed to effectively meet contemporary network and business needs. Specifically designed for the majority of enterprises and carriers that operate in dynamic, ever-changing environments and face diverse requirements, the Alteon Application Switch provides the extendable throughput they need, from 0 to 80Gbps, for unparalleled scalability, business availability and performance.

Alteon ADC-VX (TM)
The industry's first Application Delivery Controller (ADC) Hypervisor that runs multiple virtual ADC instances on dedicated ADC hardware, Radware's OnDemand Switch platforms. ADC-VX is designed from the ground up to enable organizations to consolidate their ADC hardware devices without compromising the resiliency or performance predictability of their ADC services, resulting in significant savings in hardware costs and operational expenses. Additionally, ADC-VX provides the agility and the simplicity that is required in the dynamic, ever-changing virtualized data center, driving faster deployment of new services and better alignment of ADC services with frequent configuration changes. Radware's ADC-VX is an ideal solution for large enterprises, hosting and service providers, as well as cloud providers that aspire to achieve significant cost savings by consolidating multiple dedicated ADC devices into a single, cost-effective consolidated ADC device.

Alteon ADC Capabilities

System

Role in the Network
- Device can operate as a Layer 2 bridge or as a Layer 3 router.
- Device can be deployed in a single-leg (lollipop) or multiple-leg configuration.

Licensing Model
The licensing mechanism is used to provide an easy path for adding product capabilities after the initial product purchase.
- Capabilities license: this license is available on all platforms and allows customers to add additional capabilities such as Global load balancing, BWM and Security.
- Throughput license: the throughput limitation and upgrade is implemented via a separate license.
- SSL TPS License: this license defines the SSL offload capacity level and enables capacity upgrade (SSL TPS).
- Compression Throughput License: this license defines the HTTP compression capacity level and enables capacity upgrade (compression throughput in Mbps).
- APM License: this license defines the Application Performance Monitoring capacity level and enables capacity upgrade (sampled pages per minute).

Management

Management Interfaces
- Web Based Management (WBM), using HTTP or HTTPS.
- Command Line Interface (CLI), via Telnet, SSH, or Console access.
- APSolute Vision centralized management application, using SNMP.

Management Ports
- Via dedicated management ports, which are fully isolated from traffic ports.
- Via traffic ports.

Access Control
Management access can be controlled for each management interface type per source network. Management access via data ports can be controlled per port.

User Authentication
For access via CLI (console, Telnet, SSH), WBM and Web Services (HTTP, HTTPS), users can be authenticated via RADIUS, TACACS+ or via a local table of authorized users. For SNMP, authentication is performed via SNMP mechanisms, depending on the SNMP version.

User Authorization
Role-based Access Control; 7 access levels available.

DoS Protection
The system-wide rate limiting command can be used to prevent DoS attacks over the ARP, ICMP, TCP and UDP protocols on switch-owned IP addresses, by setting the maximum rate at which packets can enter the switch.

Notifications

Events
- Operational events (servers up/down, errors, etc.); the user can decide per software module whether to log/report its events or not.
- Capacity license usage threshold alerts.

Notification Methods
- Console
- Syslog servers (up to 5 servers)
- E-mail
- SNMP Traps

Logging

Device Logs
- Application Services Trace Log
- Events log

External Logs
- Configuration Auditing via TACACS+ or Syslog.
- Session Log via Syslog.

Utilities

Time Settings
- Date and Time configuration.
- Daylight Saving Time support.
- Network Time Protocol (NTP) support, to synchronize devices by distributing an accurate clock across the network.

DNS Client
Alteon can operate as a DNS client, which is required for example to resolve host names for HTTP health checks.

Basic Switching & Routing

Layer 2

Physical Interface Configuration
For copper Gigabit Ethernet ports only:
- Auto-negotiation.
- Speed and duplex mode (when auto-negotiation is Off).

Link Aggregation
- Link Aggregation according to the IEEE 802.3ad standard.
- Static and dynamic (LACP) trunk management supported.

Port Mirroring
- Duplicates traffic from one physical port on the device to another physical port on the same device.
- Can mirror only traffic belonging to certain VLANs on a port.
- Can mirror received traffic only, transmitted traffic only, or both.

VLANs
- Up to 2048 VLANs per device.
- 802.1q VLAN tagging is supported, providing standards-based VLAN support for Ethernet systems.
- Alteon allows you to assign different gateways for each VLAN, in order to segregate between multiple customers on the same switch. The benefits are:
  - Resource optimization
  - Enhanced customer segmentation
  - Improved service differentiation

Spanning Tree Protocol
Alteon supports the following Spanning Tree protocols:
- Spanning Tree Protocol (STP)
- Rapid Spanning Tree Protocol (RSTP), as defined in the IEEE 802.1W standard.
- Multiple Spanning Trees Protocol (MSTP), as defined in the IEEE 802.1S standard.

Port Teams
Teams up ports or trunks so that when one port or trunk in the team is down, all others in the team are operationally disabled. When VRRP is not used to detect link failures, port teams can be used to notify uplink routers and switches of an uplink connection failure instead of waiting for the routers and switches to time out.

Layer 3

Routing
- IP routing compliant with RFC 1812 router requirements.
- Static routing
- Dynamic routing:
  - RIP 1, RIP 2
  - OSPF (as specified in RFC 1583 and RFC 1850, with some limitations)
  - OSPFv3 (as specified in RFC 2740)
  - BGP
- A deny route, or black hole route, can be configured to deny Layer 3 routable packets to destinations covered by a static route.

Redundancy
Mechanism: VRRP (Virtual Router Redundancy Protocol)
Configurations:
- Active-Standby: both switches support active traffic, but each switch is active for its own set of services and acts as a standby for the other services on the other switch.
- Hot-Standby: two or more switches provide redundancy for each other. Only one of the switches supports active traffic for all services at any time.
- Active-Active: both switches can process traffic for the same service at the same time.
Stateful failover by mirroring session and persistency data between redundant devices.
Failover can be performed:
- At switch level (Switch-based VRRP Group): aggregates all virtual routers on the switch as a single entity, for non-shared environments.
- At service level (Service-based VRRP Groups): aggregates one or more virtual routers on a switch that behave as a single VRRP entity.
Note: All virtual routers belonging to a group fail over as a group, and cannot fail over individually.
Alteon Application Switch Operating System supports a tracking function that dynamically modifies the priority of a VRRP router based on its current state. Tracking ensures that the selected switch is the one that offers optimal network performance. The following resources can be tracked:
- Active Ports
- Active IP Interfaces
- Active Virtual Routers
- Ports with Active Layer 4 processing
- Active Real Servers
- Client-only ports that receive HSRP Advertisements
- HSRP with VLAN
- OSPF Costs
Manual configuration synchronization ensures that the redundant devices are synchronized at all times.

IPv6 Support
- IPv6 IP interfaces
- IPv6 static and dynamic (OSPFv3) routing
- IPv6 VRRP

Local Application Switching
- Load balance traffic to application virtual servers that provide various application services.
- Select the group of servers to which to direct the request, in order to provide the service required by the client.
- Select the server within the group to which to direct the traffic, in order to optimize the service provided and to ensure its operation.

IP Topologies
- Pure IPv4: both clients and servers are IPv4.
- Pure IPv6: both clients and servers are IPv6.
- IPv6/IPv4 gateway: IPv6 clients and IPv4 servers, or IPv4 clients and IPv6 servers.

Real Servers

Real Servers
- Hardware element that can host one or more services (application ports).
- Logical elements: multiple real servers defined on the same hardware element (IP) with different services (application ports).

Load Balancing Parameters
- Weight
- Maximum Connections

Redundancy
- Backup/Overflow Server: takes over all the transactions served by a primary server that went down or has reached its maximum connection limit, without any disruption.
- Backup Preemption: allows controlling preemption of the backup when a primary server becomes active.

Availability
- Health Check (optional; if configured, it overrides the group-level health check).
- Health check timers (optional; if configured, they override the health check timers).
- Buddy servers: gives the administrator the ability to tie the health of a real server to another real server.

Server Groups
A group of servers that provide the same service, in order to accelerate the service response time and improve the overall performance. Servers contained in a server group can be placed in different physical locations, belong to different vendors, or have different capacity. The differences between the servers within a group are transparent to the clients.

Load Balancing Algorithms
- Round Robin
- Fewest Number of Users
- Least Amount of Connections
- Minimum Misses (hash)
- Persistent Hash
- Response Time
- Hash
- Server Bandwidth

Redundancy
- Backup/Overflow Server or Group: takes over to prevent loss of service if the entire real server group goes down or all its servers have reached their maximum connection limit (overflow).
- Secondary backup group

Availability
Alteon Application Switches can monitor the servers in the real server group and the load-balanced application(s) running on them. If a switch detects that a server or application has failed, it will not direct any new connection requests to that server.
- Health check types include TCP, ICMP, HTTP/S, DNS (TCP & UDP based), TFTP, SNMP, FTP, POP3, SMTP, IMAP, NNTP, RADIUS, SSL, LDAP/S, WAP, ARP, DHCP, RTSP.
- User-defined health checks are supported via scripts.
- Pre-defined basic health checks are available for all health check types.
- Advanced real server monitoring based on complex health checks involving multiple health check types or the availability of additional elements. The Advanced Health Checks are defined as logical expressions of basic health checks.
- Advanced Group Health Check: allows you to configure a logical expression between servers belonging to the same group to fine-tune the availability conditions for that real server group.
- Health checks are performed over IPv4 or IPv6 depending on the monitored real server's IP version.

Virtual Server-based Load Balancing

Virtual Server
- Allows setting a single point of entry, i.e. a single Virtual IP address, for a variety of application services (multiple virtual services).
- Supports client-based service differentiation for the same Virtual IP address.

Virtual Service
Allows defining the processing capabilities that should be applied to the traffic of a certain service.
A virtual service is defined by:
- Virtual Server
- Service Port
- Protocol (TCP or UDP)
- Application type
Processing capabilities available:
- Select a real server from the group attached to the service
- Real server persistency
- Content-based real server selection for HTTP/S, DNS and RTSP
- Content-based server group selection, redirection or discard for HTTP/S and other TCP/UDP protocols [1]
- HTTPS and generic SSL offload
- HTTP/HTTPS Acceleration
- Content Modification for HTTP/S and other TCP/UDP protocols [2]
- Bandwidth Limitation

[1] Via AppShape++ scripts
[2] Via AppShape++ scripts

Application Acceleration

SSL Offload and Acceleration
- Offloads the heavy client SSL operations from the servers and forwards them clear HTTP traffic or, if needed, weaker-encrypted traffic.
- Supports TLS 1.1.
- The SSL/TLS version supported on front-end and back-end connections can be controlled. This allows:
  - Increased security on the front-end by disabling lower versions (e.g. BEAST attack protection).
  - Support for older servers by using a lower SSL/TLS version on the back-end.
- Offload SSL for any protocol using generic SSL support.
- STARTTLS support for SSL offload [3]
- Clear HTTP client connection to secure HTTPS back-end connection flow.
- Offload for client authentication service (certificate verification can be done via OCSP).
- Supported MACs include MD5, SHA1, SHA2 (256, 384, 512).
- SSL and client certificate information can be forwarded to the server to allow integration between the ADC and applications.
- Alteon Application Switch provides native, simple support for SNI (Server Name Indication), to allow multiple HTTPS hosts to be hosted on a single virtual service.

[3] Via AppShape++ scripts

HTTP Multiplexing
Multiplexes client HTTP connections to a small number of server connections to reduce server load, thus improving Quality of Experience (QoE).

HTTP Pooling
A pool of server connections is maintained for servicing client connections. This has the effect of reducing the overhead imposed by establishing and tearing down the TCP connection with the server, improving the responsiveness of the application.

HTTP Pipelining
All pipelined requests are buffered by the device, which performs a load-balancing or Layer 7 content switching decision on each of them independently, thus providing support for cases where the pipelined requests need to be responded to by different servers (due to persistency or Layer 7 content switching reasons).

Compression
Web object compression capability that reduces the amount of data delivered over the Internet. Granular compression policies allow flexible control per Browser, Content-Type or URL.

Caching
Stores Web objects and delivers them directly to the browser without connecting to the servers. Granular cache policies allow flexible control per URL and the option to better leverage the client's browser cache to improve response times and QoE. Both manual and automatic object clearing is supported:
- Administrators can manually clear specific objects from the HTTP cache, as well as perform a complete HTTP cache purge per virtual service.
- Automatic clearing of objects from the HTTP cache, based on a user action or on an automated command (HTTP requests of the PUT/POST/DELETE methods) in accordance with RFC 2616 section 13.10, is supported.

TCP Optimization
By implementing a set of RFCs and algorithms, Alteon Application Switch can overcome the "chatty" nature of the TCP protocol which, along with the rise in the use of wireless environments, leads to increased response times for users' requests and causes degradation in the user's experience.

Filter-based Load Balancing
Filters allow controlling the types of traffic permitted through the switch. In filter-based load balancing, a filter is used to redirect traffic to a real server group and load balance it among the available real servers in the group. Filters can allow, deny, or redirect traffic according to IP address, protocol, Layer 4 port or Layer 7 content criteria. Filters allow implementing a wide range of solutions:
- Security filtering based on multiple classification criteria, from Layer 2 to Layer 7
- Transparent application redirection to cache and application servers
- Static NAT, Dynamic NAT, FTP NAT, SIP NAT, Overlapping NAT
- IDS load balancing
- WAN Link Outbound Load Balancing
- Firewall Load Balancing
- VPN Load Balancing

Filtering Criteria
Each filter can be set to perform filtering actions based on any combination of the following filter options:
- MAC address (source and/or destination)
- VLAN
- IP address or range (source and/or destination)
- Application port or range (source and/or destination)
- IP Protocol
- ToS
- TCP flags
- ICMP flags
- 802.1p priority bit
- HTTP Layer 7 content

Transparent Deployments
Alteon supports transparent and semi-transparent service deployments, while inspecting and taking action in both Layer 4 and Layer 7.

Stacking Filters per Port
- When multiple filters are stacked together on a port, the filter's number determines its order of precedence: the filter with the lowest number is checked first. When traffic is encountered at the switch port, if the filter matches, its configured action takes place and the rest of the filters are ignored. If the filter criteria do not match, matching against the next filter is tried.
- Overlapping filters: when overlapping filters are present, the more specific filters (those that target fewer addresses or ports) should be applied before the generalized filters.
- Default Filter: before filtering can be enabled on any given port, a default filter should be configured. This filter handles any traffic not covered by any other filter. All the criteria in the default filter must be set to the full range possible (any).

Network Address Translation

Client NAT
Hides the IP addresses of clients, using a Proxy IP address, when forwarding traffic to real servers, typically to solve routing issues. Both the client IP and port are translated in the process.
- Proxy IP addresses can be associated to:
  - Interfaces (physical ports or VLANs). Proxy IP addresses are selected according to either the ingress or the egress interface.
  - Virtual Service
  - Real Server
- Client IP persistency can be applied to Proxy IP selection.
- Host preservation is supported (the ability to translate only the network prefix portion of the client IP and to preserve the host portion).

Static NAT
Provides a method for direct mapping of one predefined IP address (such as a publicly available IP address) to another (such as a private IP address). Supports both source and destination NAT.

Dynamic NAT
Provides a method for mapping multiple IP addresses (such as a group of internal clients) to a single IP address (to conserve publicly advertised IP addresses). Supports both source and destination NAT. The source IP address and port are translated.

Overlapping NAT
The Alteon Application Switch supports the presence of overlapping or duplicate source IP addresses on different VLANs when performing source NAT.

SIP NAT and Gleaning Support
Alteon Application Switch supports NAT in the SDP, to allow proper routing of media to end points with private addresses.
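The per-port filter stacking rules above (lowest filter number checked first, first match wins, a default "any" filter catching the remainder, and specific filters numbered ahead of general ones) are easy to get wrong when a port carries many filters. The following is an added Python model of those rules, not Alteon code; the filter numbers, networks, actions, group name and packets are constructed, and the specificity measure used to detect a shadowed filter is this example's own.

```python
# Added example (not Alteon code): a model of the per-port filter stacking
# rules. Filter numbers, networks, group names and packets are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"   # the "full range possible" for an address criterion


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp", "icmp", ...
    dport: int


@dataclass(frozen=True)
class Filter:
    number: int                                 # precedence: lowest number is checked first
    action: str                                 # "allow", "deny" or "redir"
    src: str = ANY
    dst: str = ANY
    proto: Optional[str] = None                 # None = any protocol
    dport: Optional[Tuple[int, int]] = None     # inclusive port range; None = any port
    group: Optional[str] = None                 # real server group for "redir"

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        return True

    def is_default(self) -> bool:
        """A default filter has every criterion set to 'any'."""
        return self.src == ANY and self.dst == ANY and self.proto is None and self.dport is None

    def scope(self) -> int:
        """Address/port space covered; a smaller scope means a more specific filter."""
        ports = 65536 if self.dport is None else self.dport[1] - self.dport[0] + 1
        return ip_network(self.src).num_addresses * ip_network(self.dst).num_addresses * ports


def apply_port_filters(filters: List[Filter], pkt: Packet) -> Tuple[int, str, Optional[str]]:
    """First-match evaluation in filter-number order; returns (number, action, group)."""
    stack = sorted(filters, key=lambda f: f.number)
    # The default filter only catches the remainder if it is evaluated last,
    # so it must exist and carry the highest number on the port.
    if not stack or not stack[-1].is_default():
        raise ValueError("a default (any) filter with the highest number is required on the port")
    for f in stack:
        if f.matches(pkt):
            return f.number, f.action, f.group
    raise AssertionError("unreachable: the default filter matches everything")


def _overlap(a: Filter, b: Filter) -> bool:
    if not ip_network(a.src).overlaps(ip_network(b.src)):
        return False
    if not ip_network(a.dst).overlaps(ip_network(b.dst)):
        return False
    if a.proto and b.proto and a.proto != b.proto:
        return False
    if a.dport and b.dport and (a.dport[1] < b.dport[0] or b.dport[1] < a.dport[0]):
        return False
    return True


def ordering_warnings(filters: List[Filter]) -> List[Tuple[int, int]]:
    """Flag (general, specific) pairs where a broader filter is numbered below an
    overlapping narrower one and therefore shadows it."""
    stack = sorted(filters, key=lambda f: f.number)
    found = []
    for i, general in enumerate(stack):
        if general.is_default():
            continue
        for specific in stack[i + 1:]:
            if (not specific.is_default() and _overlap(general, specific)
                    and general.scope() > specific.scope()):
                found.append((general.number, specific.number))
    return found


# Constructed port configuration: 10 blocks one client network, 20 sends web
# traffic to a cache group, 30 allows other well-known TCP ports, 2048 is the default.
PORT1_FILTERS = [
    Filter(10, "deny", src="203.0.113.0/24"),
    Filter(20, "redir", proto="tcp", dport=(80, 80), group="cache_grp"),
    Filter(30, "allow", proto="tcp", dport=(1, 1023)),
    Filter(2048, "allow"),
]

# Constructed misordering: the narrow deny for SSH from one network sits behind
# a broad allow for all well-known TCP ports, so it never fires.
MISORDERED = [
    Filter(10, "allow", proto="tcp", dport=(1, 1023)),
    Filter(20, "deny", src="203.0.113.0/24", proto="tcp", dport=(22, 22)),
    Filter(2048, "allow"),
]

if __name__ == "__main__":
    print(apply_port_filters(PORT1_FILTERS, Packet("203.0.113.5", "192.0.2.10", "tcp", 80)))
    print(ordering_warnings(MISORDERED))
```

A packet from the denied network to port 80 hits filter 10 and never reaches the redirect in filter 20, which is the first-match behaviour the text describes; `ordering_warnings` reports the second configuration because the broad allow would shadow the specific deny.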
Content-based Load Balancing

HTTP
Content-based load balancing uses Layer 7 application data (such as URL, cookies, and Host headers) to make intelligent load balancing decisions. Alteon Application Switch allows you to load balance HTTP requests and select a server, redirect or discard, based on different HTTP header information:
- URL (hostname, path, filename, filetype)
- Any Header
- Cookie
- Text
- XML tags

RTSP
Alteon Application Switch allows you to load balance RTSP requests based on URL hash or string matching.

DNS
Alteon Application Switch allows you to load balance DNS requests based on DNS names as well as query type. DNSSec virtual services support allows DNS service providers to differentiate regular DNS from DNSSec traffic, allowing gradual migration of zones or coexistence of both services behind a single virtual IP.

LDAP
Alteon Application Switch allows you to load balance LDAP requests based on operation type (read or write).

TCP/UDP Protocols
Alteon Application Switch allows you to load balance standard or proprietary TCP or UDP based applications according to application-level information (TCP/UDP payload) [4].

[4] Via AppShape++ scripts

Content Intelligent Cache Redirection
Alteon Application Switch allows redirecting cache requests or bypassing caching based on different Layer 7 content, such as HTTP header information:
- URL
- Host Header
- Browser (User-Agent)
- String Match

Persistency
Allows providing a persistent connection between a client and the content server to which it is connected, to ensure that the client traffic is not load balanced mid-session to a different real server, forcing the user to restart the entire transaction. Alteon Application Switch supports persistence based on source IP address and application-level parameters.

Source IP Address
- Maintains persistence between different sessions from the same client to map to the same server, as long as the same group is configured for both services.
- Maintains persistence between different services (for HTTP and HTTPS traffic only) from the same client to map to the same server, as long as the same group is configured for both services.
- When the metric configured is hash, phash, or minmisses, persistence may also be maintained to the real server port (rport), in addition to the real server.

HTTP/S Persistency
- Cookie: Alteon Application Switch supports the following modes of operation for cookie-based session persistence:
  - Insert Cookie: the device inserts a cookie in the server reply before forwarding the reply to the client, and uses its presence in subsequent requests to ensure persistency.
  - Passive Cookie: the device learns from the initial reply the cookie inserted by the server, and uses it for persistency of subsequent requests.
  - Rewrite Cookie: rewrites the value of the cookie inserted by the server.
- URL hash
- Header hash
- SSL ID for HTTPS persistency: all SSL sessions that present the same session ID (32 random bytes chosen by the SSL server) are directed to the same real server.

SIP Persistency
- Maintains persistency for SIP calls by hashing based on Call-ID.
- Session persistency using the REFER method.

Windows Terminal Servers (WTS) Persistency
Performs the terminal server binding operation based on user name hashing.

WAP/RADIUS Persistency
- RADIUS Static Session Entries: the RADIUS server creates a static session entry on the Alteon Application Switch to determine which real WAP gateway should receive the client sessions. The RADIUS server instructs the switch to create or delete a static session entry via the Radware proprietary Transparent Proxy Control Protocol (TPCP).
- RADIUS snooping: Alteon Application Switch examines RADIUS accounting start and stop packets for client information, and adds to or deletes static session entries in the switch's session table to determine which real WAP gateway should receive the client sessions.
- RADIUS and WAP on the same server: Alteon Application Switch examines RADIUS accounting start packets for the framed IP address attribute and rebinds the RADIUS session to a server based on this attribute value. All WAP sessions whose client IP matches the framed IP address value are redirected to the same server.
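The three cookie persistence modes above differ only in who sets the cookie and what the device does with it; the following added Python model (not Alteon code) shows each mode on a toy request/response, including what happens when the server a cookie points at is taken down. The cookie name, server names, the HMAC secret used to make the inserted value opaque, round-robin as the fallback algorithm, and the traffic itself are constructed assumptions.

```python
# Added example (not Alteon code): insert, passive and rewrite cookie persistence
# on a toy HTTP model. Cookie name, servers, secret and traffic are constructed.
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Request:
    path: str
    cookie: str = ""                 # raw Cookie request header


@dataclass
class Response:
    set_cookie: List[str] = field(default_factory=list)   # one entry per Set-Cookie header


def parse_cookies(raw: str) -> Dict[str, str]:
    out = {}
    for part in raw.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


class CookiePersistence:
    """insert:  the device adds its own cookie to the server reply.
    passive: the device learns the server's own cookie value and which server set it.
    rewrite: the device replaces the value of the server's cookie with one encoding the server."""

    def __init__(self, mode: str, cookie_name: str, servers: List[str],
                 secret: bytes = b"constructed-secret"):
        if mode not in ("insert", "passive", "rewrite"):
            raise ValueError(mode)
        self.mode, self.name, self.servers, self.secret = mode, cookie_name, list(servers), secret
        self.table: Dict[str, str] = {}          # cookie value -> real server
        self.rr = 0
        if mode != "passive":                    # device-chosen values are known up front
            for s in self.servers:
                self.table[self.token(s)] = s

    def token(self, server: str) -> str:
        # Opaque value: the client cannot read or forge the server identity behind it.
        return hmac.new(self.secret, server.encode(), hashlib.sha256).hexdigest()[:16]

    def mark_down(self, server: str) -> None:
        self.servers.remove(server)

    def select_server(self, req: Request) -> Tuple[str, bool]:
        """Return (server, sticky). A cookie naming a server that is down is ignored."""
        value = parse_cookies(req.cookie).get(self.name)
        server = self.table.get(value) if value is not None else None
        if server in self.servers:
            return server, True
        server = self.servers[self.rr % len(self.servers)]   # fresh client: round robin
        self.rr += 1
        return server, False

    def process_response(self, server: str, resp: Response) -> Response:
        if self.mode == "insert":
            resp.set_cookie.append(f"{self.name}={self.token(server)}; Path=/")
            return resp
        for i, sc in enumerate(resp.set_cookie):
            if not sc.startswith(self.name + "="):
                continue
            value, _, attrs = sc[len(self.name) + 1:].partition(";")
            if self.mode == "passive":
                self.table[value] = server                  # learn the server's own value
            else:                                           # rewrite the value only
                resp.set_cookie[i] = f"{self.name}={self.token(server)}" + (";" + attrs if attrs else "")
        return resp


def demo(mode: str) -> List[Tuple[str, bool]]:
    """One client bound by its cookie, a second client, then the bound server goes down."""
    p = CookiePersistence(mode, "SRV", ["rs1", "rs2"])
    server, sticky = p.select_server(Request("/login"))
    results = [(server, sticky)]
    # in passive/rewrite mode the application sets the cookie; in insert mode it sets none
    reply = Response(set_cookie=[] if mode == "insert" else ["SRV=app-generated-7f3a; Path=/"])
    reply = p.process_response(server, reply)
    echoed = "; ".join(sc.split(";", 1)[0] for sc in reply.set_cookie)   # client echoes cookies
    results.append(p.select_server(Request("/cart", cookie=echoed)))
    results.append(p.select_server(Request("/login")))                   # second client
    p.mark_down(server)
    results.append(p.select_server(Request("/cart", cookie=echoed)))     # bound server down
    return results


if __name__ == "__main__":
    for m in ("insert", "passive", "rewrite"):
        print(m, demo(m))
```

In every mode the sequence is the same: first request load balanced, second request sticky, the second client sent to the other server, and the bound client re-balanced once its server is marked down rather than left pointing at a dead server.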
HTTP Content Modifications

HTTP
Alteon Application Switch supports extensive HTTP header and body modification capabilities. Alteon Application Switch supports configuration templates for a number of popular HTTP response or request modifications, such as:
- Sending Original Client IPs to Servers
- Controlling Server Response Codes
- Changing URLs in Server Responses
- Enhancing Server Security by Hiding Their Identity
- Enhancing Security by Hiding Page Locations
- Replacing Free Text in Server Responses

TCP/UDP Protocols
Alteon Application Switch allows you to modify the content of standard or proprietary TCP or UDP based applications (TCP/UDP payload) [5].

[5] Via AppShape++ scripts

Advanced Features

Application Delivery Customization
AppShape++ is a framework for customizing application delivery using user-written scripts. It provides the flexibility to control application flows and fully meet business requirements in a fast and agile manner. The TCL-based AppShape++ framework enables you to:
- Extend Radware's ADC Fabric services with the delivery of new applications
- Quickly deploy new services
- Mitigate application problems without changing the application
- Preserve infrastructure investment by adding new capabilities without additional equipment investment

WAN Link Load Balancing
Enables providing Gigabit connectivity from corporate resources to multiple ISP links to the Internet.

Transparent Application Redirection
Application Redirection improves network bandwidth and provides unique network solutions. Filters are used to redirect traffic to cache and application servers, improving the speed of repeated client access to common Web or application content and freeing valuable network bandwidth.

IDS Load Balancing
IDS server load balancing helps scale intrusion detection systems, since it is not possible for an individual server to scale to the information being processed at Gigabit speeds. Filters are used to forward a copy of the IP packets to an Intrusion Detection server.

Firewall Load Balancing
Firewall Load Balancing (FWLB) with Alteon Application Switches allows multiple active firewalls to operate in parallel. Parallel operation allows users to maximize firewall productivity, scale firewall performance without forklift upgrades, and eliminate the firewall as a single point of failure.

VPN Load Balancing
Alteon Application Switch supports VPN load balancing for connecting from remote sites to the network behind the VPN cluster IP address. Alteon Application Switch ensures that the same VPN server handles all the traffic between an inside host and an outside client for a particular session.

Global Application Switching
Allows balancing server traffic load across multiple physical sites to ensure business continuity and disaster recovery. The Alteon Application Switch GSLB implementation takes into account an individual site's health, response time, and geographic location to smoothly integrate the resources of the dispersed server sites for complete global performance. A Global capabilities license is required. Both IPv4 and IPv6 IP topologies are supported.

Site Selection Rules
A site selection rule allows using a GSLB site selection metric preference list in order to select the best site.
- Rules can be set based on the time of day.
- One or more rules can be set per domain.

Site Selection Metrics
Site selection metric lists allow using multiple metrics to select the best site. The site selection starts with the first metric in the list and goes on to the next metric when no server is selected, or when more than the required number of servers are selected. The site selection stops when the metric results in at least one and no more than the required number of servers, or after the last metric in the list is reached. A site selection metric list can include up to 8 metrics, in order of priority. The following metrics can be selected in the list:
- Geographical preference
- Network preference
- Least connections
- Response time
- Round robin
- Random
- Availability
- Quality of service
- Minmisses
- Hashing
- DNS local
- DNS always
Remote Alteon Application Switch devices use a proprietary protocol to exchange load information and health monitoring for remote site availability information.
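The metric-list walk described under Site Selection Metrics (try the first metric; move on when it selects nothing or too many; stop when it selects between one and the required number of sites; give up after the last metric) is shown below as an added Python model, not Alteon code. The sites, the client regions and the way each metric narrows the candidate set are this example's constructed assumptions; the document does not state how a tie left after the last metric is resolved, so taking the first remaining sites is an assumption too.

```python
# Added example (not Alteon code): the GSLB metric-list walk over constructed
# sites. Per-metric logic and the after-last-metric tie-break are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

MAX_METRICS = 8   # a metric list holds up to 8 metrics


@dataclass(frozen=True)
class Site:
    name: str
    vip: str
    region: str
    healthy: bool
    connections: int
    response_ms: float


# Each metric maps the current candidates to the subset it would select.
# An empty result means "no server selected"; several mean "more than required".
def availability(c: List[Site], ctx: Dict) -> List[Site]:
    return [s for s in c if s.healthy]


def geographical_preference(c: List[Site], ctx: Dict) -> List[Site]:
    return [s for s in c if s.region == ctx["client_region"]]


def least_connections(c: List[Site], ctx: Dict) -> List[Site]:
    best = min(s.connections for s in c)
    return [s for s in c if s.connections == best]


def response_time(c: List[Site], ctx: Dict) -> List[Site]:
    best = min(s.response_ms for s in c)
    return [s for s in c if s.response_ms == best]


def round_robin(c: List[Site], ctx: Dict) -> List[Site]:
    pick = c[ctx.get("rr", 0) % len(c)]
    ctx["rr"] = ctx.get("rr", 0) + 1
    return [pick]


Metric = Callable[[List[Site], Dict], List[Site]]


def select_sites(sites: List[Site], metrics: List[Metric], ctx: Dict,
                 required: int = 1) -> Tuple[List[Site], List[Tuple[str, List[str]]]]:
    """Walk the metric list; return the selected sites and a per-metric trace."""
    if not 1 <= len(metrics) <= MAX_METRICS:
        raise ValueError("a metric list holds between 1 and %d metrics" % MAX_METRICS)
    if not sites:
        raise ValueError("no sites configured")
    candidates = list(sites)
    trace = []
    for metric in metrics:
        result = metric(candidates, ctx)
        trace.append((metric.__name__, [s.name for s in result]))
        if 1 <= len(result) <= required:
            return result, trace              # decided: at least one, no more than required
        if result:
            candidates = result               # too many: the next metric narrows this subset
        # empty: "no server selected", try the next metric on the same candidates
    # Last metric reached with a tie; the tie-break here is an assumption.
    return candidates[:required], trace


def selected_names(sites, metrics, ctx, required=1) -> List[str]:
    return [s.name for s in select_sites(sites, metrics, ctx, required)[0]]


# Constructed sites: two in Europe, two in the US, one of them down.
SITES = [
    Site("eu-1", "198.51.100.10", "eu", True, 120, 30.0),
    Site("eu-2", "198.51.100.20", "eu", True, 80, 35.0),
    Site("us-1", "192.0.2.10", "us", True, 50, 90.0),
    Site("us-2", "192.0.2.20", "us", False, 10, 20.0),
]
RULE = [availability, geographical_preference, least_connections, response_time, round_robin]

if __name__ == "__main__":
    for region in ("eu", "us", "ap"):
        chosen, trace = select_sites(SITES, RULE, {"client_region": region})
        print(region, [s.name for s in chosen], trace)
```

A European client stops at least connections (eu-2); a client from a region with no site gets an empty geographical result and falls through to least connections over all healthy sites; and the down site is never chosen, even for a US client, because availability runs first.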
DNS Redirection
Alteon Application Switch resolves DNS A record queries to the virtual server IP of the best site. Alteon Application Switch can be integrated into environments deploying DNSSec and respond to DNSSec queries for which it is the SOA.

Application Redirection
Application Redirection is required:
- To ensure business continuity when the site approached has gone offline.
- For applications that do not involve DNS resolution.
Application Redirection methods:
- HTTP Redirection
- Proxy Redirection for non-HTTP applications

Bandwidth Management [6]
Bandwidth Management (BWM) enables Web site managers to allocate a portion of the available bandwidth for specific users or applications. It allows companies to guarantee that critical business traffic, such as e-commerce transactions, receives higher priority versus non-critical traffic. Traffic classification can be based on user or application information. BWM policies can be configured to set lower and upper bounds on the bandwidth allocation. Alteon Application Switch supports the following BWM capabilities:
- Rate Limiting: controls the rate by metering the traffic that egresses from the switch. If the egress rate is below the configured rate limit (hard limit) for the port, the traffic is transmitted immediately without any buffering. If the egress rate is above the configured rate limit, the traffic above the rate limit is dropped. Additional rate limiting capabilities:
  - Application Session Capping is supported, allowing limits to be placed on the number of sessions of a user per contract.
  - Packet Coloring (TOS bits) for Burst Limit: whenever the soft limit is exceeded, optional packet coloring can be done to allow downstream routers to use diff-serv mechanisms (that is, writing the Type-Of-Service (TOS) byte of the IP header) to delay or discard these out-of-profile frames.
- Traffic Shaping: establishes queues and schedules when frames are sent from each queue according to priority.
- Traffic Monitoring

[6] Available only when the BWM license is present.

The Bandwidth Management Module is available only with a special activation key (see Licensing Model).

Bandwidth Policies
Bandwidth policies are bandwidth limitations defined for any set of frames, that specify the maximum, best effort, and minimum guaranteed bandwidth rates. A bandwidth policy can be assigned to one or more traffic contracts. Policies can be activated or deactivated according to a user-defined schedule.

Traffic Contracts
A contract defines the bandwidth management action (rate limiting, traffic shaping or monitoring) and its parameters (bandwidth policy, user limits, TOS overwrite). Up to 1024 contracts can be configured on a single Alteon Application Switch. Contract activation can be time-based. Contract Groups can be configured to aggregate contract resources and share unused bandwidth within the contract group. Contracts and contract groups can be assigned to different types of traffic:
- Per physical port
- Per trunk
- Per VLAN
- Per virtual server
- Per HTTP Layer 7 content (URL, cookie, etc.)
- Per filter

Security [7]
Multi-layered integrated security protection:
- IP ACL to control access to Alteon Application Switch and to hosts behind Alteon Application Switch.
- Filters to control access on Layer 2 to Layer 7 traffic.
- Denial of Service (DoS) protection
- Protocol-based rate limiting
- Protection Against UDP Blast Attacks
- SYN Flood Protection
- Deny traffic based on TCP/UDP pattern matching

[7] Available only when the ADOS Security license is present (except Filters and SYN Flood Protection, which are always available).
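The rate-limiting behaviour described above has two thresholds: traffic up to the hard limit is sent immediately without buffering, traffic above it is dropped, and frames beyond the soft (burst) limit are still sent but colored by rewriting the TOS byte so downstream routers can apply diff-serv handling. The following added Python policer (not Alteon code) models that behaviour on a constructed frame sequence; the token-bucket metering method, the unit (bytes per second), the burst depth and the TOS value written are this example's assumptions.

```python
# Added example (not Alteon code): a two-threshold egress policer that drops
# above the hard limit and TOS-colors above the soft limit. Metering method,
# units, burst depth and the frame sequence are constructed assumptions.
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Frame:
    t: float          # arrival time in seconds
    size: int         # bytes
    tos: int = 0x00   # IP Type-Of-Service byte as received


@dataclass(frozen=True)
class Contract:
    soft_limit_bps: float   # burst limit: above it frames are still sent, but colored
    hard_limit_bps: float   # rate limit: above it frames are dropped
    burst_bytes: int        # bucket depth used for both meters
    color_tos: int          # TOS value written on out-of-profile frames


class Policer:
    def __init__(self, contract: Contract):
        self.c = contract
        self.soft_tokens = float(contract.burst_bytes)
        self.hard_tokens = float(contract.burst_bytes)
        self.last_t = 0.0
        self.stats: Dict[str, int] = {"forward": 0, "color": 0, "drop": 0}

    def _refill(self, t: float) -> None:
        """Credit both buckets for the time elapsed since the previous frame."""
        dt = max(0.0, t - self.last_t)
        self.last_t = max(self.last_t, t)
        self.soft_tokens = min(self.c.burst_bytes, self.soft_tokens + dt * self.c.soft_limit_bps)
        self.hard_tokens = min(self.c.burst_bytes, self.hard_tokens + dt * self.c.hard_limit_bps)

    def meter(self, f: Frame) -> Tuple[str, Optional[Frame]]:
        """Return the verdict and the frame as it leaves the switch (None when dropped)."""
        self._refill(f.t)
        if self.hard_tokens < f.size:            # above the hard limit: dropped, never buffered
            self.stats["drop"] += 1
            return "drop", None
        self.hard_tokens -= f.size
        if self.soft_tokens < f.size:            # above the soft limit: sent, but colored
            self.stats["color"] += 1
            return "color", replace(f, tos=self.c.color_tos)
        self.soft_tokens -= f.size
        self.stats["forward"] += 1
        return "forward", f


def run(contract: Contract, frames: List[Frame]) -> Tuple[List[str], Dict[str, int]]:
    p = Policer(contract)
    return [p.meter(f)[0] for f in frames], p.stats


def colored_frames(contract: Contract, frames: List[Frame]) -> List[Frame]:
    p = Policer(contract)
    out = []
    for f in frames:
        verdict, egress = p.meter(f)
        if verdict == "color":
            out.append(egress)
    return out


# Constructed contract and traffic: 1500 bytes arrive at t=0 against a 1000-byte
# burst, then 1100 bytes at t=0.5 after half a second of credit has accrued.
CONTRACT = Contract(soft_limit_bps=1000, hard_limit_bps=2000, burst_bytes=1000, color_tos=0x08)
BURST = [Frame(0.0, 500), Frame(0.0, 500), Frame(0.0, 500),
         Frame(0.5, 500), Frame(0.5, 500), Frame(0.5, 100)]

if __name__ == "__main__":
    print(run(CONTRACT, BURST))
    print([hex(f.tos) for f in colored_frames(CONTRACT, BURST)])
```

At t=0 the first two frames fit the burst, the third exceeds the hard limit and is dropped. By t=0.5 the soft bucket has earned 500 bytes and the hard bucket 1000: one frame passes clean, the next is within the hard limit but beyond the soft limit and leaves colored, and the last exceeds the hard limit again.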
Monitoring & Reporting
Device Performance Monitoring - Extensive status and statistics information is available for all switch capabilities. A dashboard and historical reports provide real-time and long-term visibility into device performance.
Application Performance Monitoring - Application Performance Monitoring (APM) provides a comprehensive view of application performance at transaction and real server level. A software license is required in order to activate this capability on an Alteon device; the license determines the available capacity in sampled pages per minute.

Troubleshooting
TCP Dump - A packet capture tool that allows you to intercept TCP/IP and other packets being transmitted or received over a network to which the Alteon switch is attached. Captures can be viewed, cleared or downloaded.
SSL Dump - An extension of TCP dump capabilities, which allows decryption of the captured SSL traffic using a user-selected key. Using SSL dump saves you the need to export the key from the device in order to decrypt the SSL sniffer file using third-party software.
Application Acceleration Logs - Verbose logs can be recorded for traffic processed by Application Acceleration (SSL offload, cache, compression).
Support File - All device logs and configuration can be packed together and downloaded for technical support purposes, to be sent to Radware's technical support team.

Alteon Virtualization Capabilities
vadc - vadc is a virtual instance running completely privately on an OnDemand Switch platform. vadcs own their own set of resources, network infrastructure and services. vadc instances behave in the same manner as a traditional ADC, and are customizable to meet the needs of a specific application or service level.
Administrator Context Layer - Management layer that is responsible for the management of the physical appliance and the vadc resources and infrastructure configuration. The Administrator Context is not aware of the SLB functionality of the hosted vadcs. It is responsible for provisioning vadcs and resources, monitoring their use to preemptively identify application and service needs, while also controlling the appliance's entire Layer 2 infrastructure to ensure proper connectivity with the physical infrastructure.

Resource Management
Capacity Units - A capacity unit is a fixed resources package, which provides memory, CPU power, table real-estate and all the elements that constitute an ADC. Each capacity unit (CU) can be translated into throughput values, where each capacity unit can process up to 700 Mbps of traffic. Capacity units can be added to and removed from vadcs based on the needs of the application (more processing power, more throughput capacity, or both). Such operations can be done in real time and do not
Resource Reservation - Each vadc is assigned a dedicated set of resources that cannot be consumed by or be in conflict with neighboring vadcs and/or services. This prevents resource starvation as a result of configurations, flash crowds, environmental issues, traffic profiles, and other such issues. If a vadc is at 100% utilization, no neighboring vadc will be affected. Each vadc is allocated one or more vsp (Virtualized Switch Processor), for which the available time slice is controlled at the CPU level. This approach creates a scenario in which 100% utilization is relative to a single vadc resource and does not propagate to another vadc. The resource reservation mechanism optimizes usage of system resources. The system assigns vadcs to physical cores in a manner that limits cross-core communication to a minimum. If a single vadc is assigned to a physical core or SP, that vadc, regardless of the number of capacity units, will be able to take advantage of the entire SP. The system will always optimize resource usage based on the number of vadcs available on the physical SP. For example, if three vadcs, each with a single CU, are assigned to an SP, the unassigned CU resources will be equally distributed across the vadcs.
o Share Mode - This mode treats idle resources as available and allocates them equally for use by active vadcs. Using this mode allows a vadc to use extra computation power, if available. The assigned resource will never be used by another vadc regardless of utilization.
o Limit Mode - Unlike share mode, in which idle resources can be used by active vadcs, in limit mode idle resources remain unused and vadcs can use only the resources assigned to them.
Capacity Limits - The Global Administrator can assign to each vadc the following capacity limits:
o Throughput Limit (minimum 200)
o SSL CPS
o Compression Throughput
The capacity limits for each vadc are consumed from the device licensed capacity.

Version Management
Multi Image - Upgrade/patch/downgrade/staging per vadc. Upgrade with forward and backward compatibility of ADC-VX infrastructure images. Image bank of up to 10 ADC application images and an additional four (4) infrastructure images. Upgrades can be done for one, a group of, or all vadcs in the system with a single action.

License Management
vadc Licenses - Two free vadcs are provided by default. To create additional vadc instances, a new license can be purchased for a vadc bundle. The Enterprise Services Pack license includes support for the following services: Global Load Balancing, Link Load Balancing, Security and BWM. The Global Administrator can enable and disable service licenses per vadc, at the granularity of a specific service. For example, customer A requires only GSLB, while customer B requires GSLB and LLB.
Floating Licenses - No license keys are installed at the vadc level. All services are controlled by the Global Administrator. Services are transferable between vadcs based on availability. For example, if customer A no longer requires GSLB, the Global Administrator can disable the service and immediately enable it for customer B.

ADC-VX Management
Management Virtualization - Each vadc is assigned a dedicated management domain. Management domains consist of the following elements:
o Committed Management Processor resources through MP Virtualization (vmp)
o Configuration files
o User databases
o Log/audit files
o Management Access policy
vadcs can be accessed and managed by unrelated customers without the risk of failure or breach of privacy of neighboring customers.
Management access methods - Each vadc can be managed through all the traditional access methods (SSH, Telnet, BBI, and so on).
Third Party Management - ADC-VX includes SNMP support for EMS system integration, with the ability to perform all system operations.
Dashboard - The Global Administrator uses the dashboard view for resource monitoring through the Web Management interface. The dashboard provides vadc utilization views of both throughput and CPU parameters, allowing the Global Administrator to display the dependencies between the two. The ADC-VX dashboard also supports the following:
o SSL resource utilization per vadc
o Compression resource utilization per vadc
o vadc tool tips now present the vadc HA operation mode
Configuration Backup and Restore - Backup and Restore features are available to the Global Administrator, with the following options:
o Global Backup and Restore - All elements are backed up, including the Global Administration configuration (vadcs, allocated resources, system settings, and so on) and all vadc configuration files.
o Selective vadc Backup and Restore - Individual vadc configurations are backed up.
o Global Administrator Infrastructure Backup and Restore - The Global Administrator configuration is backed up, but not the vadc configuration files.
Delegated Services - Services that vadcs inherit from the Global Administrator. Delegated services can be made mandatory or optional, based on the needs of the ADC-VX owner (for example, enforcing the use of specific authentication servers or the requirement to report to a log server). To simplify the use of global services or to enforce a global policy, the Global Administrator can force the delegated service settings for vadcs for the following elements:
o RADIUS server information settings
o TACACS server settings
o Idle time
o Syslog server settings
o Management settings
o Management access protocols
o SMTP server information settings
o SNMP server information settings
As part of the delegated services, the Global Administrator can control whether the target vadc can edit or remove the respective settings.

Network Virtualization
Infrastructure Virtualization - Each vadc has a dedicated network infrastructure, ensuring that network security risks such as floods, and threats such as MAC poisoning and others, will never affect neighboring vadcs and services. Each vadc maintains a completely dedicated infrastructure and set of protocols supporting multiple private network designs, overlapping IP spaces, dynamic routing designs, and so on. Each vadc includes the following dedicated elements:
o Layer 2 - Forwarding Database, switch, protocols and more
o Layer 3 - ARP table, routing table, routing protocols (static and dynamic)
Every single element within a vadc is completely isolated and private from every other vadc.
IP Overlapping - Each vadc can be created with an overlapping IP network design for any network and/or service design.
Virtualized Dynamic Routing - Each vadc fully supports a dedicated set of Dynamic Routing Protocols, which allow each independent vadc to interact with the network infrastructure as an independent network node.
Shared External Interface - ADC-VX has an extremely flexible Virtual Network infrastructure. While each vadc can be created and deployed in any network design, ADC-VX introduces a new interface type called the shared external interface. This interface can be assigned to a vadc in addition to any other interface. Its purpose is to simplify connectivity to a shared core network. It allows connectivity without changing the network design and without allocating a high number of subnets and VLAN IDs, while maintaining the same level of security and segregation. By using the shared external interface option, vadcs appear to switches and routers as yet another network node connected through a Layer 2 switch. Such interfaces consolidate the traffic of up to 28 vadcs on a single interface, resulting in a high-capacity interface.
Allowed Networks - The Global Administrator can control which IP subnets are allowed to be used with the VLANs assigned to a vadc. Assigning allowed networks gives vadc Administrators the freedom to control their IP addresses, while the Global Administrator enforces control and reduces the dependency of the vadc Administrators on the Global Administrator. Allowed networks are supported for both IPv4 and IPv6 deployments.

High Availability
VRRP - The following High Availability implementations are supported:
o Active-Active vadc
o Active-Standby vadc
Multi-Peer Configuration Synchronization - The Global Administrator can easily synchronize all vadc configuration elements between up to 5 hardware platforms using vadc synchronization. Synchronization elements can be as small as a parameter, or as big as a completely new vadc in its entirety. The synchronized parameters include:
o vadc Name and ID
o Capacity Units assignment
o Throughput allocation
o VLAN assignment
o Allowed networks
o Delegated services
o User settings
o Service license
Cross Form Factor High Availability - Designs are supported between:
o ADC-VX and ADC-VA
o ADC-VX and standalone ADC
Cross form factor High Availability facilitates:
o Quick recovery of a failed system with any form factor
o Calculating the cost of the backup system
o A simple and gradual migration path to the virtualized system

Fault Isolation
No single vadc can cause failure of, or affect the operation of, a neighboring vadc due to issues originating from an application, network, management, human error, or external element. High Availability designs are independent of any specific vadc.
Protection against cascading failures - Appliance failures can cause an increase in resource demand on the secondary appliance. Active customers and applications running on the appliance might otherwise create starvation, causing the secondary appliance to fail as well.