/cfg/slb/adv
Advanced Layer 4 Configuration
 
[Layer 4 Advanced Menu]
    synatk - SYN Attack Detection Menu
    smtport - Service Mapping Table Real Port Menu
    fqdnreal  - FQDN Server Menu
    pps       - PPS per Service and Real Collection Menu
    imask - Set virtual and real IP address mask
    nmask - Set session mask
    mnet - Set management network
    mmask - Set management subnet mask
    pmask - Set persistent mask
    pprefix - Set ipv6 persistent prefix length
    intrval - Set SLB session attack inspection interval
    allowlim - Set SLB session attack alert allowable limit
    mstat - Set measuring period for HTTP related statistics
    ftpdage - Set FTP Data session age
    fparselen - Set buffer length for filter content based classification
    proxyage - Set inactive session aging for proxy processing
    satisrt - Set the application satisfied response time threshold
    servdown - Set traffic behavior in case service is down or disabled
    sesscap - Set the capacity of sessions entries
    pipthr    - Set throughput for PIP table utilization
    dtcap - Set the size of data table percent of available memory for AX
    submac - Enable/disable Source MAC address substitution
    direct - Enable/disable Direct Access Mode
    spl4hash - Enable/disable L4 hash level for SP selection by hypervisor
    grace - Enable/disable graceful real server failure
    slntcls - Enable/disable silent TCP connection closure
    tso       - Enable/disable TCP segmentation Offload (TSO)
    clrbkp - Enable/Disable clear backup
    matrix - Enable/disable Virtual Matrix Architecture
    vmasport - Enable/disable VMA with source port
    vmadip - Enable/disable VMA with destination IP
    drctrss - Direct Port to NUMA RSS Menu
    hwhash - Set hash level for HW-based core selection
    tpcp - Enable/disable Transparent Proxy Cache Protocol
    vstat - Enable/disable Virtual Service Statistics
    dynaddr - Enable/disable client NAT using dynamic address
    rtsvlan - Enable/disable using VLAN info for real server lookup
    pvlantag - Enable/disable preserving vlan tag during packet forwarding
    vlanbind - Enable/disable Ingress VLAN For Session Table Binding
    portbind - Enable/disable Ingress Port For Session Table Binding
    rstchk - Enable/disable TCP RST Secure Sequence Number Check
    srvckdata - Enable/disable server return data check
    clsrst - Enable/disable Session clear on RST
    subdmac - Enable/disable DMAC substitution
    valcksum - Enable/disable Application Engine Checksum Offloading
    riphash - Enable/disable Include RIP in AUX table hashing
    sessvpt - Enable/disable session VPT update
    sessrts - Enable/disable session rtsrcmac update
    sessdrop - Enable/disable drop client traffic that matches fastage session
    fastage - Session table fast-age (1 sec) period bit shift
    slowage - Session table slow-age (2 min) period bit shift
    millisec - Enable/disable millisecond resolution for timers
    rtsiplkp - Enable/Disable RTS-IP lookup
    vmacbkp - Enable/Disable VMAC use on backup switch
    fmrport - Enable/Disable fine tuning of multi RPORT LB
    nonhttp - Set Non-HTTP traffic behavior for filters
    iptos - Enable/disable IP ToS preservation in Proxy mode for filters
    enhance - Enable/Disable URL string rebind over cookie
    cookieim  - Enable implicit cookie insert mode
    preserve - Enable/disable Preserve Port Mode
    pport - Set sequential or random pport selection
    memmng    - Memory Management Menu
    cur - Display current Layer 4 advanced configuration
 
Layer 4 Advanced Menu Options (/cfg/slb/adv) 
Command Syntax and Usage
synatk
 
Displays the SYN Attack Detection menu. To view this menu, see /cfg/slb/adv/synatk SYN Attack Detection Configuration Menu.
smtport
 
Displays Service Mapping Table (SMT) Real Port menu. To view this menu, see /cfg/slb/adv/smtport Advanced SMT Real Server Port Configuration Menu.
Using this menu, you can add or remove real server service ports that process client traffic bypassing the server, meaning that this service port’s client request is not processed by the server processor.
Note: Alteon skips the SMT table lookup when DAM is enabled. This ensures that server processing is performed on traffic returning from the server.
fqdnreal
 
Displays the FQDN Server menu. To view this menu, see /cfg/slb/adv/fqdnreal FQDN Server Configuration Menu.
pps
 
Displays the PPS menu. To view this menu, see /cfg/slb/adv/pps PPS Menu.
imask <IP subnet mask (such as 255.255.255.0)>
 
Configures the real and virtual server IP address mask using dotted decimal notation.
Default: 255.255.255.255
nmask <IP subnet mask (such as 255.255.255.0)>
 
A global mask for redirection of filter network binding. This mask has lower priority than the filter source mask (smask) or the destination mask (dmask). In network binding filter redirection, if the filter source mask (smask) or the destination mask (dmask) are not specified, the real server is selected based on the network mask.
Default: 0.0.0.0
mnet <IP address>
 
Typically, network administrators use the management network to monitor real servers and services. By configuring real server direct management access parameters, administrators can access the real services being load balanced.
Defines the source IP addresses allowed direct (non-Layer 4) access to the real servers for administration and monitoring purposes. When this option is not defined, anyone can directly access the servers.
mmask <IP subnet mask (such as 255.255.255.0)>
 
The IP address mask used with the mnet to select management traffic that is allowed direct access to real servers.
Default: 255.255.255.255
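The effect of mnet and mmask on who gets direct access to real servers, as an added example that is not part of the original guide and is not Radware code. It assumes the usual address-and-mask match, (source AND mmask) equals (mnet AND mmask); the function names, the sample addresses and the 256-address review threshold are constructed for illustration.

```python
import ipaddress

DEFAULT_MMASK = "255.255.255.255"  # default stated in this guide

# Constructed sample client source addresses.
SOURCES = ["10.20.30.40", "10.20.30.41", "10.20.99.7", "203.0.113.9"]


def _as_int(addr):
    """Dotted-decimal IPv4 string -> 32-bit integer (ValueError if malformed)."""
    return int(ipaddress.IPv4Address(addr))


def direct_access_allowed(src, mnet=None, mmask=DEFAULT_MMASK):
    """True if src is selected as management traffic (assumed AND-mask match)."""
    if mnet is None:
        # Guide: when mnet is not defined, anyone can directly access the servers.
        return True
    mask = _as_int(mmask)
    return (_as_int(src) & mask) == (_as_int(mnet) & mask)


def mask_is_contiguous(mmask):
    """True if the mask is a run of 1-bits followed only by 0-bits."""
    inverted = ~_as_int(mmask) & 0xFFFFFFFF
    return (inverted & (inverted + 1)) == 0


def matched_address_count(mmask):
    """Number of source addresses a mask lets through for one mnet value."""
    inverted = ~_as_int(mmask) & 0xFFFFFFFF
    return 2 ** bin(inverted).count("1")


def review(mnet, mmask=DEFAULT_MMASK, max_hosts=256):
    """Return findings for a configured mnet/mmask pair (threshold is an assumption)."""
    if mnet is None:
        return ["mnet undefined: any source has direct access to real servers"]
    findings = []
    if not mask_is_contiguous(mmask):
        findings.append(f"mmask {mmask} is not a contiguous prefix mask")
    count = matched_address_count(mmask)
    if count > max_hosts:
        findings.append(f"mmask {mmask} admits {count} source addresses")
    return findings


def allowed_sources(mnet, mmask=DEFAULT_MMASK):
    """Subset of the constructed SOURCES that would get direct access."""
    return [s for s in SOURCES if direct_access_allowed(s, mnet, mmask)]


if __name__ == "__main__":
    cases = [
        (None, DEFAULT_MMASK),             # mnet never configured
        ("10.20.30.40", DEFAULT_MMASK),    # single management host
        ("10.20.30.0", "255.255.255.0"),   # one management subnet
        ("10.20.0.0", "255.255.0.0"),      # very wide scope
    ]
    for mnet, mmask in cases:
        print(mnet, mmask, allowed_sources(mnet, mmask), review(mnet, mmask))
```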
pmask <IP subnet mask (such as 255.255.255.0)>
 
Specifies the client IP persistence session mask for the virtual service.
Server persistence ensures that all connections of a specific client session reach the same real server.
Default: 255.255.255.255
pprefix <1-128>
 
Specifies the persistence prefix length for IPv6 clients. The persistence feature ensures that all connections from a specific IPv6 client or client network (prefix) to a certain virtual service are load balanced to the same real server.
Values: 0 – 128
Default: 128
intrval <time window for collecting sessions (0-3600)>
 
Sets the interval in seconds for checking the number of SLB sessions Alteon has received. At the configured interval, Alteon checks if the number of sessions is within the configured limits defined in the allowlim parameter.
Values: 0 – 3600
Default: 0
allowlim <allowable limit (1-1048563)>
 
Sets the maximum number of sessions Alteon can receive at any given period. If the number of sessions exceeds this limit, Alteon generates a syslog message and an SNMP trap to alert the administrator that Alteon is under SLB attack.
Values: 1 – 12,582,834 new sessions
Default: 12,582,834 new sessions
mstat <Statistics measuring period in seconds (1-3600)>
 
Sets the measuring period for acceleration, HTTP, and SSL offloading statistics. The current statistics always show the results of the previous measuring period. Because numbers are updated at the end of every measuring period, a longer period gives better average results but lowers the ability to see real-time monitoring values. Any change in the measuring period value also resets the statistics.
Note: Only enabled objects are shown in the statistics.
Values: 1 – 3600 seconds
Default: 15 seconds
ftpdage (0-5)
 
Sets the timeout value, in seconds, of the FTP data session.
Prevents an FTP data session entry in Active FTP operation mode from timing out before the FTP data SYN packet arrives from the server. In such cases, Alteon forwards the SYN packet to the client using the real server IP.
Values: 0-5
Default: 07
fparselen <buffer length in bytes (0-18200)>
 
Specifies how much content (in bytes) Alteon collects when classifying traffic by content class or AppShape++ script. Relevant only for HTTP content.
Default: 0
proxyage <Session age in seconds (1-86400)>
 
Sets the Application Engine timeout in seconds. This allows sessions to continue in a delayed binding forceproxy environment.
Default: 1800
satisrt <satisfied response time threshold in milliseconds [1-999999]>
 
Sets the global satisfied response time threshold.
You can configure the application satisfied response time threshold globally at /cfg/slb/adv/satisrt (default is 500 ms) or locally per service at /cfg/slb/virt/service/satisrt (default is to inherit the global setting).
Based on this threshold, Alteon calculates the frustrated threshold as 4 times the satisfied latency threshold. When a transaction response is below the frustrated threshold, its event log is marked as an exception.
sesscap <400|200|100|75|50|25|12>
 
Specifies the percentage of the regular session table size to be allocated for the session table.
When set to below 100 percent, Alteon reduces the size of the session table, freeing memory for more concurrent proxy connections.
When set to above 100 percent, Alteon increases the size of the session table if enough RAM is installed in the device.
Full (base) table size (100%) is 2M entries per SP (500K per vADC CU), except for an Alteon VA with 2 GB RAM, where the base is 128K entries.
Default: 50 (25 on Alteon platform 4208)
Note: This change does not take effect unless the configuration is saved and the Alteon device rebooted.
pipthr (0-99)
 
Sets the threshold (percentage) for the PIP table utilization. Alteon sends an alert when the PIP table utilization has passed the specified threshold.
 
Default: 0 (means that there is no alert threshold)
dtcap (0-25)
 
Specifies the percentage of free memory allocated to the Dynamic Data Store.
Default: 10
submac disable|enable
 
Globally enables or disables substituting the client source MAC address with the Alteon MAC address.
By default, in packets destined for servers in a server load balancing environment, the source MAC address is not modified and the client request is forwarded to the server with the MAC address of the client. You can substitute the client source MAC address for the packets going to the server with the Alteon MAC address using source MAC address substitution.
Note: Source MAC address substitution can also be enabled per real service using the command /cfg/slb/real/adv/submac.
Global MAC address substitution supersedes real service MAC address substitution.
Default: disable
direct disable|enable
 
Enables or disables Direct Access Mode.
Direct Access Mode (DAM) allows any client to communicate with any real server’s load balanced service, and any number of virtual services can be configured to load balance a real service.
DAM enables both client and server processing on the same port to handle traffic that requires direct access to real servers.
DAM is necessary for applications such as:
*Direct access to real servers for management or administration.
*One real server serving multiple virtual server IP (VIP) addresses.
*Content-intelligent load balancing, which requires traffic to go to specific real servers based on the inspection of HTTP headers, content identifiers such as URLs and cookies, and the parsing of content requests.
Default: enable
spl4hash disabled|enabled
 
This command only appears in Alteon vADC.
Specifies the parameter used by the hypervisor to perform hashing that selects the SP to which the traffic is sent.
*disabled — Hashing is performed on the source IP address.
*enabled — Hashing is performed on the source IP addresses, and on the source and destination ports.
Default: disabled
grace disable|enable
 
Specifies whether Alteon enables graceful server failure, which allows existing sessions to remain bound to a server after the server has been placed in the service failed state.
If all load balanced services supported on a server fail to respond to connection requests within the specified number of attempts, then the server is placed in the server failed state. While in this state, no new connection requests are sent to the server. However, if graceful real server failure is enabled, state information about existing sessions is maintained and traffic associated with existing sessions continues to be sent to the server.
All load balanced services on a server must fail before Alteon places the server in the server failed state.
The server is brought back into service as soon as the first service is proven to be healthy. Additional services are brought online as they are subsequently proven to be healthy.
Values:
*disable — Disables this feature.
If sessdrop is disabled, the session is revived.
If sessdrop is enabled, the session is dropped. For TCP traffic, a session reset is sent.
*enable — Enables this feature.
If sessdrop is either enabled or disabled and server health checking is down, either because the server is down or there is server failure, the session is revived.
If sessdrop is disabled, and if the real server is disabled either through configuration or operationally, the following prompt displays:
Graceful real server failure is enabled, fastage existing sessions? [y/[n]]
*y — The session is revived per the fastage value.
*n — The session is revived per the slowage value.
If sessdrop is enabled, and if the real server is disabled either through configuration or operationally, the following prompt displays:
Graceful real server failure is enabled, fastage existing sessions? [y/[n]]
*y — The session is dropped. For TCP traffic, a session reset is sent.
*n — The session is revived.
Default: disable
tso disabled|enabled
 
TCP segmentation offload (TSO) reduces the CPU overhead of TCP/IP on fast networks by relying on the network interface controller (NIC) to segment the data and then add the TCP, IP, and data link layer protocol headers to each segment. This frees CPU resources for higher data level processing and improves full proxy throughput.
Notes
*TSO is supported on Alteon hardware appliances in standalone mode only. TSO is also supported on VA/NFV form factor.
*A device reset is required when enabling/disabling TSO on VA/NFV.
Default: Disabled on VA platforms, Enabled in standalone mode
slntcls disable|enable
 
This option closes the proxy TCP connection (force proxy mode) to the client or server, depending on the context, without sending any notification.
This is useful in cellular networks where FIN and RST packets that close TCP connections can incur significant energy consumption overhead for handsets.
Default: disable
clrbkp disable|enable
 
Specifies whether to clear or preserve the session entries of the backup server when the primary server resumes the service by returning online and assuming the primary role.
Values:
*disable — Alteon preserves the backup server session entries when the primary server resumes the service, allowing existing sessions to continue on the backup server.
*enable — Alteon clears the backup server session entries when the primary server resumes the service, causing existing sessions on the backup server to fail.
Default: disable
matrix disable|enable
 
Enables or disables the use of Virtual Matrix Architecture (VMA).
Virtual Matrix Architecture (VMA) is a hybrid architecture that takes full advantage of the distributed processing capability in Alteon. With VMA, Alteon makes optimal use of system resources by distributing the workload to multiple processors, which improves performance and increases session capacity. VMA also removes the topology constraints introduced by using Direct Access Mode (DAM).
Default: enable
vmasport enable|disable
 
Specifies whether to enable the Virtual Matrix Architecture source port for workload distribution.
*disable — Alteon determines the processor by its source IP address.
*enable — Alteon determines the processor by its source IP address and source port.
Default: disable
vmadip enable|disable
 
Specifies whether to include the processor destination IP address in VMA.
Default: disable
drctrss
 
Default: disable
hwhash <l3|l4>
 
This command only appears in Alteon VA and standalone.
Specifies the parameter used by the switch to perform hashing that selects the CPU core/SP to which the traffic is sent.
*l3 — Hashing is performed on the source and destination IP addresses.
*l4 — Hashing is performed on the source and destination IP addresses, and on the source and destination ports.
Note: On Alteon 5208 platforms, hwhash L4 is supported only on 10 G ports, not on 1G ports.
Default: l3
tpcp disable|enable
 
Enables or disables the TPCP (Transparent Proxy Cache Protocol).
TPCP is used for WAP load balancing when server selection is performed by the RADIUS server. The RADIUS server uses TPCP to configure static session entries on Alteon, ensuring it forwards each WAP session to the selected server.
A static session entry added via TPCP to Alteon does not age out. The entry is only deleted by another TPCP Delete Session request.
Default: disable
vstat disable|enable
 
Specifies whether to enable reporting of virtual service statistics.
Default: enable
dynaddr
 
Specifies whether to perform source NAT using a dynamic NAT address (an address learned from the traffic).
The address used for the next hop (NAT) must appear in the session table, as for a regular proxy IP address, and must be mirrored per regular session table mirroring.
Alteon does not respond to ARP requests to these dynamic NAT addresses and does not provide high availability failover for these addresses.
Default: disable
The extraction of the IP address and NAT is performed using the global snat AppShape++ command. For more information, see the Alteon AppShape™++ Reference Guide.
rtsvlan disable|enable
 
Specifies whether to use MAC address and VLAN information, or MAC address only, when looking up responses from the real server in the session table.
The Return to Sender (RTS) option enables Alteon to look up responses from the real server in the session table.
When you enable RTS, Alteon associates the session with the MAC address of the WAN router. This ensures that the returning traffic takes the same ISP path as the incoming traffic. RTS is enabled on the incoming WAN ports (ports 2 and 7) to maintain persistence for the returning traffic. Data leaves Alteon from the same WAN link that it used to enter, thus maintaining persistence.
You can also use a VLAN for RTS information on the real server, and include the IP address in the session table look-up.
Default: disable
pvlantag
 
Enables or disables preserving VLAN tags during packet forwarding.
Default: enable
portbind disable|enable
 
Specifies whether or not to include the Alteon ingress port number in the session table lookup.
Default: enable
Note: Disable this option when using asymmetric Layer 2 configurations with session mirroring.
vlanbind disable|enable
 
Specifies whether or not to include the VLAN number in the session table lookup (for cases where UDP source ports are identical to destination ports, such as for NTP or SIP).
Default: disable
rstchk disable|enable
 
Enables or disables the TCP RST secure sequence number check.
srvckdata disable|enable
 
Enables or disables the server return data check.
Default: disable
clsrst disable|enable
 
Specifies how to close the server-side connection when the client terminates the session.
Note: This option is only relevant when full proxy mode (forceproxy) is disabled.
Values:
*disable — When Alteon receives an RST message from the client, it closes the session using fastage.
*enable — When Alteon receives an RST message from the client, it closes the session immediately.
Default: enable
subdmac disable|enable
 
Globally enables or disables substituting the original destination MAC address with the server MAC address.
Values: Enable, Disable
Default: enable
valcksum disable|enable
 
Default: disable
riphash disable|enable
 
Enables or disables including RIP in AUX table hashing.
sessvpt
 
Enables or disables updating session VPTs.
sessrts
 
Enables or disables session rtsrcmac updates.
Values:
*disable — Alteon does not update the saved MAC address (rtsrcmac) in the session entry.
*enable — Alteon updates rtsrcmac of the session. It updates the saved MAC address in the session entry based on GARP (Gratuitous ARP) that was received.
Default: disable
sessdrop disable|enable
 
Specifies whether Alteon drops client traffic that matches the existing session in fastage.
Values:
*disable — Disables this feature.
If grace is disabled, the session is revived.
If grace is enabled and server health checking is down, either because the server is down or there is a server failure, the session is revived.
If grace is enabled, and the real server is disabled, either through configuration or operationally, the following prompt displays:
Graceful real server failure is enabled, fastage existing sessions? [y/[n]]
*y — The session is revived per the fastage value.
*n — The session is revived per the slowage value.
*enable — Enables this feature.
If grace is disabled, the session is dropped. For TCP traffic, a session reset is sent.
If grace is enabled and server health checking is down, either because the server is down or there is a server failure, the session is revived.
If grace is enabled, and the real server is disabled either through configuration or operationally, the following prompt displays:
Graceful real server failure is enabled, fastage existing sessions? [y/[n]]
*y — The session is dropped. For TCP traffic, a session reset is sent.
*n — The session is revived.
Default: disable
fastage <shift the fast-age (xsec) period 0-7 bits>
 
The interval, in seconds, at which Alteon completes a full scan of the session table and removes all entries marked for fastage.
The fastage scan removes TCP and UDP sessions that have been closed with a TCP FIN flag, and sessions that have been identified by the slowage scan as idle for the maximum allowed period. If a large fastage value is defined, a session can remain in the session table for several minutes. Each increment of the fastage value doubles the length of the interval between scans.
Note: This command is relevant for non-proxied connections only. When the dbind option for a service is set to forceproxy, connections are aged immediately.
Default: 0 (2 seconds)
slowage <shift the slow-age (x min) period 0-14 bits>
 
The interval, in minutes, after which Alteon marks idle or non-TCP sessions for fastage.
The slowage scan removes idle or non-TCP sessions from the session table at the specified intervals. If a large slowage value is defined, a session can remain in the session table for months. Each increment of the slowage value doubles the length of the interval between scans.
Default: 0 (2 minutes)
millisec
 
Enables or disables millisecond resolution for timers.
rtsiplkp enabled|disabled
 
Establishes a Return to Sender (RTS) session when the server is the source and more than one IP address is assigned to the single NIC on the server.
When more than one IP address is bound to the server NIC, and RTS is enabled on the server port, Alteon establishes an RTS session with one of the IP addresses as the real server.
If this option is disabled and you remove this IP address from the server NIC, a new RTS session can be established with the remaining IP addresses only after rebooting Alteon.
When this option is enabled, no reboot is required.
Values:
*disabled — All RTS sessions are bound to the same IP address. Lookup in the real MAC address table uses a MAC address only.
*enabled — Each RTS session is bound to a separate IP address. Lookup in the real MAC address table uses a source IP address and a MAC address.
Default: disabled
vmacbkp
 
Enables or disables VMAC substitution on the backup Alteon.
*disable — The virtual server router MAC address is used only by the primary Alteon as the source MAC address. The backup Alteon uses its own MAC address as the source MAC address.
*enable — The virtual server router MAC address is used by both the primary and backup Alteon platforms as the source MAC address.
Default: disable
fmrport enable|disable
 
Enables or disables the fine tuning of session load balancing according to the number of rports on a real server.
Values:
*enable — Alteon takes into account the number of rports configured when selecting the real server to bind to so that the session distribution is even.
*disable — Alteon selects the real server to bind to without considering how many rports are configured on the real server.
Default: disable
enhance <enable|disable>
 
Enables or disables the optimization of a rebind cookie over a URL string.
Values:
*enable — Rebinding occurs when there is a match with a received cookie, but not with a Layer 7 URL SLB string.
*disable — Rebinding occurs when there is a match with a Layer 7 URL SLB string.
Default: disable
cookieim <d|e>
 
Enables or disables implicit cookie insert mode.
Implicit Cookie Insert Mode is designed for Active-Active environments where all Alteon devices actively process traffic without any HA configuration between them, so that the same server is selected (persistency) on all Alteon devices. When enabled, Alteon does not add a persistent entry to the session table; instead, it performs a mathematical hash on the real server’s parameters. As long as the SLB configuration is the same on all cluster members, this guarantees selection of the same real server on all cluster members.
Values:
*d (disable) — Implicit cookie insert mode disabled. An Alteon device that is configured with pbind cookie insert generates a random cookie value without taking into account the real server’s specific configuration, and persistency is guaranteed by the persistent entry in the session table. If this entry is aged out or does not exist on this device, no persistency can be achieved.
*e (enable) — Implicit cookie insert mode enabled. An Alteon device that is configured with pbind cookie insert generates a cookie value based on the specific hash using the real server’s parameters, and persistency is guaranteed based only on the hash. In this case, no session table entry is needed, and therefore no timeout can occur.
Default: disable
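The difference between the two cookieim modes, modelled with two cluster members that share no state. This is an added example, not part of the original guide and not Alteon's implementation: the hash (truncated SHA-256), the parameters fed into it (real server id, IP address and port), the Device class and the sample real servers are all assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed SLB configuration, meant to be identical on every cluster member.
REAL_SERVERS = [
    {"id": "1", "rip": "10.0.0.11", "rport": 8080},
    {"id": "2", "rip": "10.0.0.12", "rport": 8080},
    {"id": "3", "rip": "10.0.0.13", "rport": 8080},
]


def implicit_cookie(real):
    """Cookie value derived only from the real server's parameters (assumed inputs)."""
    material = f'{real["id"]}|{real["rip"]}|{real["rport"]}'.encode()
    return hashlib.sha256(material).hexdigest()[:16]


class Device:
    """One cluster member; session_table is local and never synchronized."""

    def __init__(self, reals, implicit):
        self.reals = [dict(r) for r in reals]
        self.implicit = implicit
        self.session_table = {}  # cookie -> real server id

    def insert_cookie(self, real):
        if self.implicit:
            # Mode e: nothing is stored, the value can be recomputed anywhere.
            return implicit_cookie(real)
        # Mode d: random value, persistence depends on the local table entry.
        cookie = secrets.token_hex(8)
        self.session_table[cookie] = real["id"]
        return cookie

    def resolve(self, cookie):
        """Return the real server id for a returning cookie, or None."""
        if self.implicit:
            for real in self.reals:
                if implicit_cookie(real) == cookie:
                    return real["id"]
            return None
        return self.session_table.get(cookie)


def persistence_across_devices(implicit, drift=False):
    """Device A sets the cookie for real server 2; device B sees the next request."""
    reals_b = [dict(r) for r in REAL_SERVERS]
    if drift:
        reals_b[1]["rport"] = 8443  # configuration differs on device B
    dev_a = Device(REAL_SERVERS, implicit)
    dev_b = Device(reals_b, implicit)
    cookie = dev_a.insert_cookie(REAL_SERVERS[1])
    return dev_b.resolve(cookie)


if __name__ == "__main__":
    print("implicit, same config :", persistence_across_devices(True))
    print("random cookie         :", persistence_across_devices(False))
    print("implicit, config drift:", persistence_across_devices(True, drift=True))
```

The third case shows why the guide requires the SLB configuration to be the same on all cluster members: once the hashed parameters differ, the second device no longer recognizes the cookie.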
preserve <enabled|disabled>
 
When using Alteon as a relay agent, maintains a session when Alteon forwards a request to a server on one port, and the server responds as being on a different port.
For example, when Alteon listens on port 67, and the server responds as being on port 68.
Default: disabled
mactome <enabled|disabled>
 
Globally enables or disables filtering by destination MAC address.
The mactome matching condition is met when the destination MAC address belongs to Alteon.
For a mactome match to be checked, mactome must be enabled both globally, and on the filter under /cfg/slb/filt/adv.
*enabled — When the destination MAC address matches a MAC address owned by Alteon, and mactome is also enabled on the filter, the mactome match is checked.
When the destination MAC address matches a MAC address owned by Alteon, but mactome is disabled on the filter, the mactome match is not checked.
*disabled — mactome matching is not checked.
Default: disabled
pport <sequential|random>
 
Sets the client NAT port assignment algorithm on a vADC.
Values:
*sequential — Minimizes the probability of fast port reuse but increases the potential for security vulnerability.
*random — More secure than sequential but increases the probability of fast port reuse.
Default: sequential
Notes:
*When you change the client NAT port algorithm, Alteon warns you that this change will clear the session table. If you confirm that you want to continue, Alteon clears the session table after you apply the new client port algorithm.
*On Alteon VA and standalone Alteon, client NAT port assignment uses an enhanced random mode that also minimizes the probability of fast port reuse. 
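The trade-off between the two pport values, measured on a simplified model. This is an added example, not part of the original guide and not Alteon's allocator: the port range, the allocator classes and the two metrics are assumptions, and the seeded generator exists only to make the simulation repeatable (without a seed the random allocator uses the operating system's CSPRNG).

```python
import random
import secrets

# Constructed, deliberately small NAT port range so that reuse is visible.
PORT_LOW, PORT_HIGH = 20000, 20999


class SequentialAllocator:
    """Hands out ports in order and wraps at the end of the range."""

    def __init__(self, low=PORT_LOW, high=PORT_HIGH):
        self.low, self.high = low, high
        self.next_port = low

    def allocate(self):
        port = self.next_port
        self.next_port = self.low if port == self.high else port + 1
        return port


class RandomAllocator:
    """Picks each port independently and uniformly from the range."""

    def __init__(self, low=PORT_LOW, high=PORT_HIGH, rng=None):
        self.low, self.high = low, high
        self.rng = rng if rng is not None else secrets.SystemRandom()

    def allocate(self):
        return self.rng.randint(self.low, self.high)


def min_reuse_gap(ports):
    """Smallest number of allocations between two uses of the same port."""
    last_seen, best = {}, None
    for index, port in enumerate(ports):
        if port in last_seen:
            gap = index - last_seen[port]
            best = gap if best is None else min(best, gap)
        last_seen[port] = index
    return best


def next_port_guess_rate(ports):
    """Share of allocations matched by the guess 'previous port + 1'."""
    hits = sum(1 for prev, cur in zip(ports, ports[1:]) if cur == prev + 1)
    return hits / (len(ports) - 1)


def simulate(mode, allocations=5000, seed=None):
    """Run one allocator and return both metrics for the resulting port series."""
    if mode == "sequential":
        allocator = SequentialAllocator()
    else:
        rng = random.Random(seed) if seed is not None else None
        allocator = RandomAllocator(rng=rng)
    ports = [allocator.allocate() for _ in range(allocations)]
    return {
        "min_reuse_gap": min_reuse_gap(ports),
        "guess_rate": next_port_guess_rate(ports),
    }


if __name__ == "__main__":
    print("sequential:", simulate("sequential"))
    print("random    :", simulate("random", seed=7))
```

In this model, sequential never reuses a port before the whole range has been used but almost every next port can be guessed from the previous one, while random is hard to guess but reuses some ports after only a few allocations.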
memmng
 
Displays the Memory Management menu. To view this menu, see /cfg/slb/adv/memmng Memory Management Menu.
cur
 
Displays the current Layer 4 advanced configuration.