Document No.: D-030-01-00-0060 - ACOS 2.7.1 8/5/2013

Configuration

The following sections describe how to enable SYN-cookie support and configure advanced features.

Enabling SYN-cookie Support

Depending on the AX model, you can use hardware-based SYN cookies or software-based SYN cookies:

• Hardware-based SYN cookies can be globally enabled and apply to all virtual server ports configured on the device. Hardware-based SYN cookies are available on Thunder Series models Thunder 6430S, Thunder 6430, and Thunder 5430S; and on AX Series models AX 2200, AX 2200-11, AX 3100, AX 3200, AX 3200-11, AX 3200-12, AX 3400, AX 5100, AX 5200, and AX 5200-11.

• Software-based SYN cookies can be enabled on individual virtual ports. This version of the feature is available on all AX models. (Applies only to software releases that support SLB.)

Notes

• Hardware-based SYN cookies are a faster, easier-to-configure alternative to the software-based SYN cookie feature available on all AX platforms. If your AX model supports hardware-based SYN cookies, A10 Networks recommends that you use the hardware-based version of the feature instead of the software-based version of the feature.

• If both hardware-based and software-based SYN cookies are enabled, only hardware-based SYN cookies are used. You can leave software-based SYN cookies enabled but they are not used.

• If Application Delivery Partitioning (ADP) is configured, hardware-based SYN cookies apply to all partitions. The feature is not partition-aware.

• If the target VIP is in a different subnet from the client-side router, use of hardware-based SYN cookies requires some additional configuration. See "Configuration with Target VIP and Client-side Router in Different Subnets" on page 86.

• Software-based SYN cookies are supported only in software releases that support SLB.

USING THE GUI

FPGA Models

1. Select Config Mode > SLB > Service > Global > Settings.
2. Select Enabled next to SYN Cookie.
3. In the On Threshold field, enter the maximum number of concurrent half-open TCP connections allowed on the ACOS device, before SYN cookies are enabled.
4. In the Off Threshold field, enter the minimum number of concurrent half-open TCP connections for which to keep SYN cookies enabled.
5. Click OK.

Non-FPGA Models

1. Select Config Mode > SLB > Service > Server.
2. Select Virtual Server on the menu bar.
3. Click on an existing virtual server name or click Add.
4. Enter or edit the information in the General section.
5. In the Port section, select the TCP port and click Edit, or click Add.
6. If you are configuring a new port, select TCP in the Type drop-down list.
7. Select Enabled next to SYN Cookie.
8. Enter or edit other values as needed for your configuration.
9. Click OK.
10. Click OK again to save the new or changed virtual server.

USING THE CLI

FPGA Models

To enable hardware-based SYN cookies on ACOS models that feature FPGAs, use the following command at the global configuration level:

[no] syn-cookie [on-threshold num off-threshold num]

The command in the following example enables dynamic-based SYN cookies when the number of concurrent half-open TCP connections exceeds 50000, and disables SYN cookies when the number falls below 30000:

AX(config)#syn-cookie on-threshold 50000 off-threshold 30000

Non-FPGA Models

To enable software-based SYN cookies, use the following command at the virtual-port level:

[no] syn-cookie

Configuration with Target VIP and Client-side Router in Different Subnets

Usually, the target VIP in an SLB configuration is in the same subnet as the client-side router. However, if the target VIP is in a different subnet from the client-side router, use of hardware-based SYN cookies requires some additional configuration:

• On the ACOS device, configure a "dummy" VIP that is in the same subnet as the client-side router.

• On the client-side router, configure a static route to the VIP, using the dummy VIP as the next hop.

Figure 14 shows an example.
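The on-threshold and off-threshold values in the CLI example above form a hysteresis band. The Python sketch below is an added example, not A10 code and not part of the original document: it parses the syn-cookie threshold line, sanity-checks the ordering, and models when SYN cookies would be active for a constructed series of half-open connection counts. The function names, the ordering check and the sample counts are assumptions of this example; the boundary behaviour follows the wording above (enable when the count exceeds the on-threshold, disable when it falls below the off-threshold).

```python
import re

# Global-config form shown in the CLI section:
#   syn-cookie on-threshold <num> off-threshold <num>
_LINE = re.compile(
    r"^\s*syn-cookie\s+on-threshold\s+(\d+)\s+off-threshold\s+(\d+)\s*$"
)

def parse_syn_cookie(line):
    """Return (on_threshold, off_threshold) from a syn-cookie config line."""
    m = _LINE.match(line)
    if not m:
        raise ValueError("not a syn-cookie threshold line: %r" % line)
    on, off = int(m.group(1)), int(m.group(2))
    # Sanity check added by this example (not a documented ACOS rule):
    # an off-threshold at or above the on-threshold leaves no hysteresis band.
    if off >= on:
        raise ValueError("off-threshold %d must be below on-threshold %d" % (off, on))
    return on, off

def simulate(on, off, half_open_counts, active=False):
    """Model the SYN-cookie state after each half-open connection sample."""
    states = []
    for n in half_open_counts:
        if not active and n > on:
            active = True       # count exceeds the on-threshold: turn on
        elif active and n < off:
            active = False      # count falls below the off-threshold: turn off
        states.append(active)   # inside the band the previous state persists
    return states

# Constructed sample input: the config line from the page and made-up counts.
SAMPLE_LINE = "syn-cookie on-threshold 50000 off-threshold 30000"
SAMPLE_COUNTS = [1000, 50000, 50001, 42000, 30000, 29999, 45000]

if __name__ == "__main__":
    on, off = parse_syn_cookie(SAMPLE_LINE)
    for n, state in zip(SAMPLE_COUNTS, simulate(on, off, SAMPLE_COUNTS)):
        print("%6d half-open -> SYN cookies %s" % (n, "ON" if state else "off"))
```

The last sample (45000) shows why the band matters when choosing values: the same count leaves SYN cookies off on the way up and on during the way down.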
