On certain F5® FPGA platforms, you can enable hardware SYN cookie protection per VLAN instead of per virtual server.
Configuring SYN cookie protection per VLAN avoids potential collisions within the FPGA programmable hardware. Such collisions can result in the BIG-IP® software handling all SYN cookie protection, causing performance degradation as CPU usage increases beyond normal levels.
Without collisions, hardware and software continue to work collaboratively to mitigate the attack, which ultimately prevents performance degradation on the system.
If the BIG-IP hardware supports VLAN-based SYN cookie protection, you first configure the feature on one or more individual VLANs. Then you enable a global setting within BIG-IP Local Traffic Manager (LTM), Hardware VLAN SYN Cookie Protection. This global setting enables the feature on all VLANs on which you configured the feature.
In general, the global setting lets you quickly enable or disable the feature on all relevant VLANs at once, rather than requiring you to reconfigure every VLAN each time you want to enable or disable the feature for those VLANs.
When you disable the global Hardware VLAN SYN Cookie Protection setting, the system switches back to enabling SYN Check activation (with SYN cookie protection) on a per-virtual server basis.
To configure VLAN-based hardware SYN cookie protection, you must configure some settings on each VLAN that you want the BIG-IP® system to protect, and then globally enable the feature within BIG-IP® Local Traffic Manager™ (LTM).
VLANs represent a logical collection of hosts that can share network resources, regardless of their physical location on the network. You can modify a VLAN to configure hardware SYN cookie protection for that VLAN. You configure hardware SYN cookie protection on a VLAN when you want to protect the VLAN from SYN flood attacks.
When the Hardware SYN Cookie setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:
To configure VLAN-based hardware SYN cookie protection, you use the TMOS Shell (tmsh) to configure some settings on each VLAN that you want the BIG-IP® system to protect. You then globally enable the feature within BIG-IP Local Traffic Manager™ (LTM).
You can use the TMOS Shell (tmsh) to configure the hardware VLAN SYN cookie settings on an individual VLAN.
You can use the TMOS Shell (tmsh) to globally enable or disable the hardware VLAN-based SYN cookie feature on your system.
This table lists the platforms that support hardware SYN cookie protection.
| Platform name | Platform ID |
| --- | --- |
| BIG-IP® 5000 Series | C109 |
| BIG-IP 7000 Series | D110 |
| BIG-IP 10000 Series | D113 |
| BIG-IP 12000 Series | D111 |
| BIG-IP i5000 Series | C119 |
| BIG-IP i7000 Series | C118 |
| BIG-IP i10000 Series | C116 |
| VIPRION® B2100 Blade | A109 |
| VIPRION B2150 Blade | A113 |
| VIPRION B2250 Blade | A112 |
| VIPRION B4300 Blade | A108 |
| VIPRION B4340N Blade | A110 |
| VIPRION B4450 Blade | A114 |
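The following shell script is an added example, not F5 code or part of this documentation. It ties the two-step tmsh procedure described above (configure each VLAN first, then flip the global LTM switch) to the platform table: it reads a platform ID from constructed `/PLATFORM`-style content, checks it against the IDs listed in the table, and only then prints the commands to run. The `/PLATFORM` file format, the `net vlan ... hardware-syncookie` property and the `ltm global-settings general vlan-based-hw-syncookie` property are assumptions about tmsh object names and should be checked against the tmsh reference for your BIG-IP version before use.

```shell
#!/bin/sh
# Added example (not F5 documentation code). Gate the VLAN-based hardware SYN cookie
# procedure on the platform list from the table above, then emit the tmsh commands
# in the order the page requires: per-VLAN settings first, global enable last.

# Platform IDs copied from the table of supported platforms on this page.
SUPPORTED_PLATFORMS="C109 D110 D113 D111 C119 C118 C116 A109 A113 A112 A108 A110 A114"

# Return 0 (success) if the given platform ID supports hardware SYN cookie protection.
is_hw_syncookie_platform() {
    for p in $SUPPORTED_PLATFORMS; do
        [ "$1" = "$p" ] && return 0
    done
    return 1
}

# Extract the platform ID from /PLATFORM-style content supplied on stdin.
# Assumption: on a BIG-IP system /PLATFORM contains a line such as "platform=C119";
# this is not a documented interface on this page, so verify it on your system.
platform_id_from_file() {
    sed -n 's/^platform=//p' | head -n 1
}

# Print the tmsh commands for each named VLAN, followed by the global enable.
# Assumption: the property names below (hardware-syncookie, vlan-based-hw-syncookie)
# match your tmsh version; the ordering (VLANs first, global last) follows the page.
hw_syncookie_commands() {
    for vlan in "$@"; do
        printf 'tmsh modify net vlan %s hardware-syncookie enabled\n' "$vlan"
    done
    printf 'tmsh modify ltm global-settings general vlan-based-hw-syncookie enabled\n'
}

# Constructed sample /PLATFORM content so the script runs offline (not a real capture).
SAMPLE_PLATFORM_FILE="platform=C119
family=0xC0000000"

main() {
    pid=$(printf '%s\n' "$SAMPLE_PLATFORM_FILE" | platform_id_from_file)
    if is_hw_syncookie_platform "$pid"; then
        echo "Platform $pid supports hardware SYN cookie protection; commands to run:"
        hw_syncookie_commands external internal
    else
        echo "Platform $pid is not in the supported list; SYN Check stays per virtual server."
    fi
}
main
```

The script only prints the commands rather than executing them; on a real unit you would review the output and run it under tmsh yourself, keeping the per-VLAN step before the global step so that the global switch has VLAN configuration to act on.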