Description                                                    Enable hardware-based SYN cookies, which protect against TCP SYN flood attacks.

Syntax                                                                  [no] syn-cookie enable [on-threshold num off-threshold num]



on-threshold num

Maximum number of concurrent half-open TCP connections allowed on the ACOS device, before SYN cookies are enabled. If the number of half-open TCP connections exceeds the on-threshold, the ACOS device enables SYN cookies. You can specify 0-2147483647 half-open connections.

off-threshold num

Minimum number of concurrent half-open TCP connections for which to keep SYN cookies enabled. If the number of half-open TCP connections falls below this level, SYN cookies are disabled. You can specify 0-2147483647 half-open connec­tions.

NOTE:                                                                   It may take up to 10 milliseconds for the ACOS device to detect and respond to crossover of either threshold.

Default                                                                Hardware-based SYN cookies are disabled by default. When the feature is enabled, there are no default settings for the on and off thresholds.

Mode                                                                   Configuration mode

Usage                                                                  Hardware-based SYN cookies are available only on some models.

If both hardware-based and software-based SYN cookies are enabled, only hardware-based SYN cookies are used. You can leave software-based SYN cookies enabled but they are not used. (Software-based SYN cookies are enabled at the virtual port level using the syn-cookie enable command.)

If you omit the on-threshold and off-threshold options, SYN cookies are enabled and are always on regardless of the number of half-open TCP connections present on the ACOS device.

This command globally enables SYN cookie support for SLB and also enables SYN cookie support for Layer 2/3 traffic. No additional configuration is required for SLB SYN cookie support. However, to use Layer 2/3 SYN cookie support, you also must enable it at the configuration level for individual interfaces. See the “ip tcp syn-cookie threshold” command in the Network Configuration Guide.

If L3V partitions are configured, hardware-based SYN cookies must be enabled per individual partition. Hardware-based SYN cookies are NOT partition-aware.

On FTA models only, it is recommended not to use hardware-based SYN cookies if DSR also is enabled. If both features are enabled, a client who sends TCP requests to a VIP that is configured for DSR will receive two SYN-ACKS, one from the ACOS hardware-based SYN-cookie feature, and the other from the server. This can be confusing to a client because the client expects only one SYN-ACK in reply to the client’s SYN.

Example                                                            The following command enables hardware-based SYN cookies:

ACOS(config)#syn-cookie enable

The command in the following example configures dynamic SYN cookies when the number of concurrent half-open TCP connections exceeds 50000, and disables SYN cookies when the number falls below 30000:

ACOS(config)#syn-cookie enable on-threshold 50000 off-threshold 30000

Table of Contents