ENT-02 Allot Enterprise Platforms
ACTE Training (Enterprise Track)
• Centralized Management
In this module, we will introduce you to the Allot Enterprise Platform. By the end of
this module, you will:
▪ Be familiar with the main functions of the platform
▪ Know how to differentiate between the different models and how to decide which
model is suitable for you
▪ Understand the factors to take into consideration when deciding where in a
network to place the products
▪ Be familiar with the Management Modules installed on the Allot Gateway
Manager
What is the Service Gateway? Based on Allot's DART engine, the Service Gateway
platform is used for enhanced service optimization and service deployment. It
collects network and user statistics and shapes traffic in accordance with the policies
defined by the IT Manager via the NetXplorer central management system.
Application and user information within the Service Gateway is identified for each
traffic flow, and the flows are subsequently dispatched to an array of additional
services and actions using a single process. The Service Gateway is a powerful
solution for providing digital services and digital experience to customers, reducing
network downtime, and quickly and easily maintaining new services and infrastructure
changes.
SG and NX Platforms
The traffic from the Enterprise Network flows via the Service Gateway. The SG
identifies the traffic and enforces the related actions on it. The SG is managed by
the NetXplorer, which sends it the policy that should be enforced. In distributed and
multi-platform solutions, NX is installed within the Allot Gateway Manager. For single
product solutions, both SG and NX are installed on a single HW server.
Physical Links
Before we examine each product series, let’s review some basic terminology.
Each physical link on the Service Gateway is represented by two ports, one labeled
internal and the other external. You will see that the different models of the Service
Gateway support different numbers of physical links.
The Service Gateway can view all the traffic passing through it as one entity,
irrespective of the number of physical links on the unit and irrespective of the specific
port through which the network traffic enters and leaves the unit.
If required, the Service Gateway can classify traffic by one or more physical interfaces.
In every model, a single management link serves for the management of all the traffic
flowing through the Service Gateway.
In this section we will see the Allot portfolio for the Enterprise market.
[Slide: Allot Enterprise Platforms portfolio. Some models carry "New" and "Coming Soon" badges.]
• ACG-500, ACG-2000: 4 x 1/10GE. For Small/Medium Businesses (SMB) and Small/Medium Enterprises (SME)
• SSG-200, SSG-400: 8 x 1GE. For Medium and Large Enterprises
The slide presents the Allot Enterprise Platforms Portfolio, from the smallest platform,
the ACG-500, to the largest, the SG-9700. You can see how the throughput and the number
of ports increase through the platforms.
The ACG (Application Control Gateway) series is designed specially for Small and Medium
customers.
The SSG (Secured Service Gateway) series is designed for medium and large Enterprises
and can reach up to 35Gbps.
The SG (Service Gateway) series is the biggest one and can reach up to 250Gbps.
The main difference between the ACG and the other platforms is that the Management
platforms are embedded into the ACG Server, while the SSG and SG series include an inline
server with DART capabilities and require an additional Management unit.
ACG/SSG Appliances
• ACG: ACG-500, ACG-2000
• SSG: SSG-200, SSG-400, SSG-500, SSG-600
* Actual throughput and performance metrics depend on enabled features, policy configuration, traffic mix, and other deployment characteristics
The Allot ACG series comes with speeds ranging from 50Mbps (the entry level of
bandwidth control for an ACG-500) up to 2Gbps (the maximum bandwidth control of
an ACG-2000) and is designed to serve the needs of Small/Medium Businesses (SMB) and
Enterprises (SME).
The devices in the series support up to 2,000,000 connections, 512 lines, 5,000 Pipes
and 15,000 VCs for static policy table configuration and 10,512 lines, 40,000 Pipes
and 80,000 Active VCs when using policy table templates.
• The ACG-500 has 4 network ports, which can be 1G copper only.
• The ACG-2000 has 4 network ports, which can be 1G fiber or copper or 10G fiber.
The Allot SSG Series comes with speeds ranging from 100Mbps (the entry level of
bandwidth control for an SSG-200) up to 35Gbps (the maximum bandwidth control of
an SSG-800) to handle the changing needs of any enterprise.
The SSG-800 can support up to 20,000,000 connections, 512 lines, 5,000 Pipes and
15,000 VCs for static policy table configuration and 10,512 lines, 150,000 Pipes and
600,000 Active VCs when using policy table templates.
The SSG-500 and SSG-600 can support up to 12,000,000 connections, 512 lines, 5,000
Pipes and 15,000 VCs for static policy table configuration and 10,512 lines, 1,000,000
Pipes and 2,000,000 Active VCs when using policy table templates.
The SSG-200 and SSG-400 can support up to 2,250,000 connections, 512 lines, 5,000
Pipes and 15,000 VCs for static policy table configuration and 10,512 lines, 250,000
Pipes and 500,000 Active VCs when using policy table templates.
Note: bandwidth values in this table are for both internal and external traffic.
• SG: SG-9100, SG-9500, SG-9700
[Slide: ACG series comparison]
• ACG-500 (Dell): 4 x 1GE, Copper; up to 500Mbps (50/100/200/500Mbps); Single power supply; modules: NetXplorer, DM
• ACG-2000 (HPE): 4 x 1GE/10GE, Copper/SFP+; 2 Gbps (500M/1G/2Gbps); 1+1 power supply; modules: NetXplorer, SMP, DM, DDoS Secure, ClearSee
ACG-500 Features
[Figure: ACG-500 rear panel. Port labels: M1, M2; L1, L2, L3, L4 (Int1, Ext1, Int2, Ext2); iDRAC]
Here we see the rear view of the ACG-500, where we will connect links to the
network as well as management links.
On the left, we have a monitor connector for initial configuration. Next you see the
iDRAC port, used to connect the iDRAC Remote Management system to the network.
The USB ports are used to connect the ACG-500 to the bypass unit. Use the dedicated
bypass cable you received with the ACG platform.
The M1 and M2 management ports are located above the USB ports.
The ACG-500 is connected to the network by a PCIe card (P1) with 4 Ethernet network
interfaces.
Both management and network interfaces are 1GbE copper NICs.
The ACG-500 server contains one built-in power supply module, which is located on the
right side of the server.
ACG-2000 Features
[Figure: ACG-2000 front panel. Labels: Network Status LED; System ID Button and LED]
[Figure: ACG-2000 rear panel. Port labels: L1, L2, L3, L4 (Int1, Ext1, Int2, Ext2); M1, M2]
Here we see the rear view of the ACG-2000, where we will connect links to the
network as well as management links.
On the left, there is only one PCIe card (P1) with 4 Ethernet network interfaces used
for Network connection. This could be 1GbE Copper or 1/10GbE Fiber NICs.
Below we can see the USB ports, used to connect the ACG-2000 to the bypass unit.
Use the dedicated bypass cable you received with the ACG-2000.
Skip over to the right, and you see the iLO port, used to connect the iLO Remote
Management system to the network.
The M1 and M2 management ports are 1G copper. From these management ports
the administrator can connect to and manage the SG-VE and all Management platforms
that are installed on this server.
Skip over to the right, and we have a monitor connector for initial configuration and
troubleshooting (optional).
The ACG-2000 server contains two built-in power supply modules and a dual line feed for
redundancy purposes.
SSG-200/400 Features
Throughput: SSG-200 1Gbps, SSG-400 8Gbps
Interfaces: 8 x 1GE
Power ON Button & LED
• Solid green - System ON
• Flashing green - Powering Up
• Solid Amber - System in Standby
• OFF - No Power
Health LED
• Solid green - System is normal
• Flashing green - iLO is rebooting
• Flashing amber - System degraded
• Flashing red - System critical
NIC Status LED
• Solid green - Link to network
• Flashing green - Network active
• Off - No network activity
UID button/LED
• Solid blue - Activated
• Off - Deactivated
USB ports
• Not in use
The SSG-200/400 front panel is the same for all configuration types. There are two
LEDs that also act as buttons (Power Button/LED and UID Button/LED) and two
indication LEDs (Health LED and NIC status LED). The USB Connectors on the front
panel of the SSG-200/400 are currently not in use.
[Figure: SSG-200/400 rear panel. Labels: P1, P2; M1 & M2 Management Ports (1G Copper)]
Here we see the rear view of the SSG-200/400, where we will connect links to the
network as well as management links.
On the left, there are 4 x 1G Ethernet network interfaces on each of the 2 PCIe cards
(P1 and P2) used for Network connection via RJ45 Copper interfaces.
Below the P1 NIC card, we can see the USB ports, used to connect the SSG-200/400
to the bypass unit. Use the dedicated bypass cable you received with the
SSG-200/400.
Skip over to the right, and you see the iLO port, used to connect the iLO system to the
network.
Next we have M1 and M2, the default management ports. They are 1G ports. Skip
over to the right, and we have a monitor connector for initial configuration and
troubleshooting (optional).
At the right side of the server we can see the power supply.
SSG-500/600 Features
Throughput: SSG-500 8Gbps, SSG-600 40Gbps
Interfaces: 16 x 1GE / 10GE
Server: Lenovo ThinkSystem SR550, 2U 19" Rack Mount
Power ON Button & LED
• Solid green – System ON
• Blinking – System Initializing
• OFF – No Power
UID button/LED (Visually locate the server)
• Each time you press the system ID button or use the Lenovo XClarity Controller remote management program, the LED lights up in BLUE to assist in visually locating the server among other servers.
• Off = Deactivated
[Figure: SSG-500/600 rear panel. PCIe card labels: P1, P2, P3, P4]
Here we see the rear view of the SSG-500/600, where we will connect links to the
network as well as management links.
At the left side of the server we can see the XCC port, which is used to connect the XCC
remote management system to the Network. Next to the XCC port there are two
1G management ports, M1 and M2. M2 acts as a redundant port for M1. You can
connect a monitor to the Monitor port if needed. To the right of the monitor port we
can see the USB Ports, used to connect the SSG-500/600 to the Bypass unit. Use the
dedicated bypass cable you received with the SSG-500/600. At the right side of the
server we can see the 2 power supplies.
On the upper side of the server we see 4 PCIe cards with 4 network ports on each
card, giving a total of 16 network ports for the device. You can connect 10GE links as
well as 1GE links. Each PCIe card has two paired internal and external ports. We will
review NIC configuration when we discuss connecting the SSG-500/600 to the network.
SG-9100 Features
Throughput: 50Gbps
Interfaces: 16 x 1GE / 10GE
Server: Lenovo ThinkSystem SR550, 2U 19" Rack Mount
Power ON Button & LED
• Solid green – System ON
• Blinking – System Initializing
• OFF – No Power
UID button/LED (Visually locate the server)
• Each time you press the system ID button or use the Lenovo XClarity Controller remote management program, the LED lights up in BLUE to assist in visually locating the server among other servers.
• Off = Deactivated
[Figure: SG-9100 rear panel. PCIe card labels: P1, P2, P3, P4]
USB Ports are for BYPASS ONLY. Do NOT connect a keyboard or mouse to them!
Here we see the rear view of the SG-9100, where we will connect links to the
network as well as management links.
At the left side of the server we can see the XCC port, which is used to connect the XCC
remote management system to the Network. Next to the XCC port there are two
1G management ports, M1 and M2. M2 acts as a redundant port for M1. You can
connect a monitor to the Monitor port if needed. To the right of the monitor port we
can see the USB Ports, used to connect the SG-9100 to the Bypass unit. Use the
dedicated bypass cable you received with the SG-9100. At the right side of the server
we can see the 2 power supplies.
On the upper side of the server we see 4 PCIe cards with 4 network ports on each
card, giving a total of 16 network ports for the device. You can connect 10GE links as
well as 1GE links. Each PCIe card has two paired internal and external ports. We will
review NIC configuration when we discuss connecting the SG-9100 to the network.
SG-9500 Features
Throughput: 140Gbps
Interfaces: 4 x 100GE, 8 x 1GE / 10GE
Power ON Button & LED
• Solid green - System ON
• Flashing green - System performing power on
• Solid Amber - System in Standby
• OFF - No Power
Health LED
• Solid green - System is normal
• Flashing green - iLO is rebooting
• Flashing amber - System degraded
• Flashing red - System critical
NIC Status LED
• Solid green - Link to network
• Flashing green - Network active
• Off - No network activity
UID button/LED
• Flashing blue, 1 Hz - remote management or firmware upgrade in progress
• Flashing blue, 4 Hz - iLO manual reboot initiated
• Flashing blue, 8 Hz - iLO manual reboot in progress
• Off - Deactivated
Here we have a front view of the SG-9500. The SG-9500 comes with a covering panel. We
have removed it here to give a clear front view of the server.
At the left part of the server we can see the dual fan intakes. Next to that we have
two 120GB SSD drives.
On the right we see the system LEDs. There are 4 LEDs that indicate (from top to
bottom): power, system status, link activity and UID status (remote connectivity to
the server). The LEDs can be seen with or without the cover.
The USB Connectors on the front panel of the SG-9500 are currently not in use.
SG-9500 Configuration A: 24 x 1/10GE
• Network Ports (24): 1G/10G
• PCIe card labels: P1, P2, P3, P4, P5, P6
SG-9500 Configuration B: 4 x 100GE + 8 x 1/10GE Ports
• Network Ports (4): 100G (Network traffic only - not available for steering or Asymmetry)
• Network Ports (8): 1G/10G (Network traffic, steering or Asymmetry)
• PCIe card labels: P1, P2, P4, P5
NETWORK & STEERING LINKS (P1 – P6): There are 4 x 100G Ethernet network
interfaces, 2 on each of the PCIe cards installed in slots P2 and P5, used for Network
traffic only (not available for steering or Asymmetry), which can support 100G QSFP28
fiber interfaces. In addition there are 8 x 1G/10G Ethernet network interfaces, 4 on each
of the PCIe cards installed in slots P1 and P4, that can be used for Network traffic
Steering, Network Traffic or Asymmetry traffic and which support 1/10G SFP+ fiber
interfaces or 1G RJ45 Copper interfaces.
Different kinds of transceivers (Copper, 1G Fiber and 10G Fiber) may be mixed on a
single 1G/10G NIC card.
SG-9700 Features
Throughput: 250Gbps
Interfaces:
• 40 x 10GE
• 8 x 100GE + 8 x 1/10GE
• 4 x 100GE + 24 x 1/10GE
One of the members of the Service Gateway 9000 Series is an Intel-based appliance,
the SG-9700, which provides high throughput and high density. The SG-9700 is
available in three different configurations. Configuration A features 40 x 1/10G ports,
Configuration B features 8 x 100G ports and 8 x 1/10G ports, while Configuration C
features 4 x 100G ports and 24 x 1/10G ports. It is based on an HP DL380 Gen10 server
with a 2U 19" Rack Mount.
Power ON Button & LED
• Solid green - System ON
• Flashing green - System performing power on
• Solid Amber - System in Standby
• OFF - No Power
Health LED
• Solid green - System is normal
• Flashing green - iLO is rebooting
• Flashing amber - System degraded
• Flashing red - System critical
NIC Status LED
• Solid green - Link to network
• Flashing green - Network active
• Off - No network activity
UID button/LED
• Flashing blue, 1 Hz - remote management or firmware upgrade in progress
• Flashing blue, 4 Hz - iLO manual reboot initiated
• Flashing blue, 8 Hz - iLO manual reboot in progress
• Off - Deactivated
SG-9700 Configuration A: 40 x 10GE
• Network Ports: 2 x 40G QSFP+ on each PCIe card
• PCIe card labels: P1, P4, P7
Here we see the rear view of the SG-9700 Configuration A. Here we will connect links
to the network as well as management links.
All other bottom ports are used for management connections:
M1 and M2 are the default management ports. They are 1G copper ports.
Alternatively, you can connect to M3 and M4, which are 10G fiber ports.
Next to M1 you can find the iLO port. The iLO system is a standard component of the
SG-9700 that simplifies initial server setup, server health monitoring, power and
thermal optimization, and remote server administration.
USB ports are used to connect the SG-9700 to the bypass unit. Use the dedicated
bypass cable you received with the SG-9700.
At the right side of the server we can see the 2 power supplies. Next to them, to the
right, we have a monitor connector for initial configuration and troubleshooting.
10G NETWORK LINKS (P1 – P8): There are 2 x 40G QSFP+ Ethernet network interfaces
on each of 6 PCIe cards used for Network traffic, steering or Asymmetry. These are
then split into 4 x 10G interfaces each using fan-out cables. Thus P1, P2, P4, P5 and
P7 each carry 8 x 10G interfaces.
SG-9700 Configuration B: 8 x 100GE + 8 x 1/10GE
• Network Ports (8): 100G (Network traffic only - not available for steering or Asymmetry)
• Network Ports (8): 1G/10G (Network traffic, steering or Asymmetry)
• PCIe card labels: P1, P2, P4, P5, P7, P8
There are 2 x 100G Ethernet network interfaces on each of the 4 PCIe cards (P1, P2,
P4 and P5; slots 3 and 6 are not in use) used for Network traffic only (not available for
steering or Asymmetry), which can support 100G QSFP28 fiber interfaces.
The 1G/10G interfaces can support 1G/10G SFP+ fiber or 1G RJ45 Copper interfaces
and may be used for Steering, Network Traffic or Asymmetry traffic.
SG-9700 Configuration C: 4 x 100GE + 24 x 1/10GE
• Network Ports (4): 100G (Network traffic only - not available for steering or Asymmetry)
• Network Ports (24): 1G/10G (Network traffic, steering or Asymmetry)
• PCIe card labels: P1, P2, P3, P4, P5, P6, P7, P8
NETWORK & STEERING LINKS (P1 – P8): There are 4 x 100G Ethernet network
interfaces, 2 on each of the PCIe cards installed in slots P2 and P5, used for Network
traffic only (not available for steering or Asymmetry), which can support 100G QSFP28
fiber interfaces. In addition there are 24 x 1G/10G Ethernet network interfaces, 4 on each
of the PCIe cards installed in slots P1, P3, P4, P6, P7 and P8, used for Network traffic
Steering, Network Traffic or Asymmetry traffic and which support 1/10G SFP+ fiber
interfaces.
It is possible for the 100G interfaces of Configuration C to be installed with PSM-4
Transceivers (MTP-MTP, SM Only). This requires an HD 4 PSM-4 Bypass unit as well.
For more information, contact Allot Customer Support.
• Allot Centralized Management is a standalone server that hosts Allot Virtual
Management Modules, such as: NetXplorer, Data Mediator, ClearSee, DDoS
Secure, WebSafe Personal Central Manager and SMP. Some of the modules are
mandatory and some of them are optional.
• The modules come preloaded, and the user needs to configure the network
connection to them. Some features require an additional license.
• The server is an HP DL360 in a 1U-high chassis.
• The Allot Gateway Manager supports up to 20,000 users and up to 4 Service
Gateways.
• To see detailed information regarding the Hardware, BIOS, operating
system, AOS version and much more, use the “getinfo” command from the “root”.
• Allot Gateway Manager is offered to Enterprise Customers only!
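AGM Modules
[Figure: AGM host with the NX, DM, CS, DSC and SMP modules, each marked as a Mandatory Module or an Optional Module]
[Figure: Allot Gateway Manager panels. Labels: Network Status LED; System ID Button and LED; M1, M2]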
• The Allot Gateway Manager has no connections for traffic, so the ports of the rear
panel are mostly used for the management of the unit.
• The iLO Port is used to connect the iLO system to the Network.
• The Management Ports are used for system monitoring and maintenance. M2 acts as a
redundant port for M1.
• The Gateway Manager contains two built-in power supply modules and a dual line
feed for redundancy purposes.
• All other ports are not in use.
NetXplorer (NX)
• Policy Creation
• Hierarchical Rule-Based policy
• Classification by service, host, time, encapsulation, interface etc.
• Actions such as Access Control, QoS, Steering, ToS marking etc.
Allot NetXplorer provides control over all the aspects of the SG, providing centralized
visibility that is accessible to multiple clients and designed to manage a globally
dispersed network infrastructure. One GUI provides centralized control of key Allot
solution elements, including the SG itself, the User Management Platform (SMP), the
Data Mediator and ClearSee.
• Data Mediator
  ▪ Performs ETL (Extract, Transform, Load) functions
  ▪ Can be used in isolation for export of streaming data records
• ClearSee
  ▪ Data Warehouse based on Vertica DWH
  ▪ Cutting BI Front End based on MicroStrategy BI
  ▪ Comes with “Network Metrics” license for all basic canned reports
Data Mediator is a mediation element that collects data records from the SG and
prepares them for upload to the ClearSee, which is the reporting and analytics heart
of the SG.
Allot ClearSee collects raw data from the SG appliances as well as control plane
elements from the SMP (Subscriber/User Management Platform) and employs a
cutting-edge data warehouse designed for fast look-up, processing, and export. The
data warehouse features a columnar structure and uses massive parallel processing
(MPP) to handle big data with extreme efficiency.
• Anti-DDoS
  ▪ Identify and mitigate network anomalies
  ▪ Ensures Network stability
  ▪ Protect against computing resources misuse
• Anti-Abuse (Botnet)
  ▪ Identify and isolate abusive User behavior
  ▪ Dynamic internal blacklist
  ▪ Protect IP reputation / avoid DNS blacklisting
More details in the CDSA Course.
Allot’s DDoS Secure Controller integrates protection against bots infiltrating client
devices and DDoS attacks into one package. The DSC works round-the-clock to
protect the network and notify the administrator of any malicious activities.
Allot’s Enterprise solution utilizes user awareness and user-based policy management
provided by Allot SMP.
SMP works with an Active Directory Adaptor to integrate with the Enterprise Active
Directory system. This gives the SSG/SG user-level awareness by enabling it to map
each user to their allocated IP in the enterprise network. In addition, SMP gives the
system visibility of the user group or groups defined for each employee in the
enterprise active directory. You can then configure different control policies based on
different enterprise user groups.
and Hypervisor
• Pay careful attention to minimum requirements and specs
[Figure: Physical Srv (x86): IBM, DELL, HP, CISCO]
If you opt not to utilize the Allot Gateway Manager, the Virtual Management Modules
may be downloaded and installed on your own hardware over either a KVM or
VMware virtual environment.
AGM HW Requirements
VDISK (GB) is listed as Disk 1 (for OS (system) and DB) + Disk 2 (for Application).
Module | VDISK (GB) | VCPU | RAM (GB)
NX     | 120+350    | 8    | 16
DM     | 120+200    | 8    | 16
CS     | 120+400    | 10   | 32
DSC    | 120+100    | 8    | 16
SMP    | 120+100    | 8    | 16
For Software-Only installations, please make sure that your hardware complies with the
requirements regarding operating system, networking and hard drive settings for
each module you want to install on your Gateway Manager server.
Review Question
[Slide: three platforms shown side by side]
Maximum Number of Connections? 2M | 2.25M | 80M
Number of Ports? 4 | 8 | 24
Maximum Throughput? 2 Gbps | 8 Gbps | 140 Gbps
Review Question
What is unique about ACG family among all other Allot Platforms?
51