F5 VE - Hardware Acceleration with SmartNIC

Organizations are moving to software-defined architectures, whether for agility, efficiency, reducing total cost of ownership, time to market, etc. BIG-IP VE provides that advanced functionality, but in a virtualized form that can be run using commercial hypervisors on Commercial Off-The-Shelf (COTS) servers. COTS servers offer flexibility, but that flexibility comes primarily at the cost of performance. Some tasks, however, are handled more efficiently in hardware, such as DDoS mitigation, SYN cookies, whitelisting, QinQ tunneling, cryptographic processing, etc. All of these put significant strain on CPU resources.

F5 and Intel - Accelerating Applications Anywhere

What can we do about that if we don’t have the BIG-IP hardware? What’s the solution? One thing we can do is use a hardware accelerator. There are two solutions: the Intel FPGA PAC N3000 SmartNIC and the Intel QuickAssist Technology (QAT). For the first solution, we need VE + AFM on 15.1.0.4 or higher and, for the second solution, we need VE on 14.1.0.3 or higher.

F5 VE SmartNIC

The SmartNIC from Intel has an FPGA that can be programmed to perform specific tasks, similar to the TurboFlex FPGA profiles that we have in BIG-IP iSeries appliances. For instance, when we have a COTS server with a hypervisor, a BIG-IP VE and a SmartNIC installed, we can easily boost BIG-IP VE performance for DDoS mitigation. Clients send good traffic in through the SmartNIC, it goes up through the hypervisor, and VE delivers the application. However, when a bad actor sends DDoS traffic into the system, AFM has a threshold defined for the amount of identified traffic, and it handles the threshold inquiry through the SmartNIC FPGA to detect and ultimately mitigate the DDoS attack by dropping or rate limiting. The SmartNIC therefore cuts off the DDoS attack. The SmartNIC is able to mitigate a DDoS attack 70 times greater in magnitude than AFM alone.

DDoS Attack Mitigation

The QuickAssist Technology (QAT) is also a hardware accelerator. When we have a COTS server with a hypervisor, a BIG-IP VE and a QuickAssist Technology card installed, we can offload the crypto to the QAT card so that, instead of VE doing the decryption, the QAT card does it. We get a significant improvement not only in SSL TPS but also in bulk encryption, because it allows about a 35% CPU reduction, which frees BIG-IP VE compute resources to handle other things.

Intel QuickAssist Adapter

Probably, you didn’t know anything about hardware accelerators like these. Me neither. I’ve been speaking with customers who wanted hardware appliances instead of Virtual Edition because hardware was better for encryption and decryption, but we can see it’s no longer like this. Thanks to Intel SmartNIC and Intel QuickAssist Technology, we can boost BIG-IP VE performance significantly. As a result, we can now take advantage of flexibility, as well as speed, with BIG-IP VE and SmartNIC.

Thanks, my friends!! Would you like to deploy a BIG-IP VE with SmartNIC? I would like it!!
