DRAFT: BROCADE CONFIDENTIAL
53-1002436-01
27 January 2012
ServerIron ADX Firewall Load Balancing Guide
Supporting Brocade ServerIron ADX version 12.4.
© 2011 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, the B-wing symbol, BigIron, DCFM, DCX, Fabric OS, FastIron, IronView, NetIron, SAN Health, ServerIron, TurboIron, and Wingspan are registered trademarks, and Brocade Assurance, Brocade NET Health, Brocade One, Extraordinary Networks, MyBrocade, VCS, and VDX are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries.
Contents

About This Document
  In this chapter  ix
  Audience  ix
  Supported hardware and software  ix
  Document conventions  x
    Text formatting

Chapter 2 Configuring Basic FWLB
  In this chapter  17
  Configuring basic Layer 3 FWLB  17
    Configuration guidelines  17
    Configuring basic Layer 3 FWLB  18
    Configuration example for basic Layer 3 FWLB

Chapter 4 Configuring Multizone FWLB
  In this chapter  71
  Zone configuration  71
  Configuring basic multizone FWLB  72
  Configuration example for basic multizone FWLB  74
    Commands on ServerIron ADX Zone1-SI

  Configuration example for IronClad FWLB with Layer 3 NAT firewalls  129
    Commands on active ServerIron ADX A (external active)  129
    Commands on standby ServerIron ADX A (external standby)  132
    Commands on active ServerIron ADX B (internal active)  133

Chapter 6 Configuring FWLB and SLB
  In this chapter

Appendix A Additional Firewall Configurations
  In this appendix  165
  Configuring FWLB for firewalls with active-standby NICs  165
    Configuring for active-standby firewall links  167
  Customizing path health checks  169
    Changing the maximum number of Layer 3 path health-check retries
About This Document

In this chapter
• Audience
• Supported hardware and software
• Document conventions
• Notice to the reader
Document conventions
This section describes text formatting conventions and important notice formats used in this document.
Notes, cautions, and danger notices
The following notices and statements are used in this manual. They are listed below in order of increasing severity of potential hazards.
NOTE
A note provides a tip, guidance, or advice, emphasizes important information, or provides a reference to related information.
CAUTION
A Caution statement alerts you to situations that can be potentially hazardous to you or cause damage to hardware, firmware, software, or data.
Related publications
The following Brocade documents supplement the information in this guide:
• Release Notes for ServerIron Switch and Router Software TrafficWorks 12.2.
Chapter 1 ServerIron FWLB Overview

In this chapter
• Understanding ServerIron FWLB  1
• Basic FWLB topology  11
• HA FWLB topology  12
• Multizone FWLB topology
Understanding ServerIron FWLB

TABLE 1 Commands affected by IPv6
Command: [no] server fw-name
Definition/Example: Use this command to configure an IPv6 firewall.
ServerIronADX(config)# server fw-name ip6fw1 1113::2
ServerIronADX(config-rs-ip6fw1)# end
ServerIronADX(config)# server fw-name ip6fw2 1113::3
ServerIronADX(config-rs-ip6fw2)# end
For more information, refer to “Defining the firewalls and adding them to the firewall group” on page 18.
TABLE 1 Commands affected by IPv6 (Continued)
Command: show fw-health-check-stats
Definition/Example: Use this command to display firewall group health check statistics.
ServerIronADX 3018# show fw-health-check-stats
For more information, refer to “Displaying firewall health check policy statistics” on page 9.
Command: [no] debug fwlb ipv6 health-check
Definition/Example: Use these commands to debug a firewall group health check.
Dynamic route environments
ServerIrons in IronClad (high-availability) configurations automatically block Layer 3 route traffic at the backup ServerIron to avoid loops, thus simplifying configuration in these environments. Refer to “Router paths” on page 13.
Static route environments
Firewalls in static route environments have static or default routes, as do the external (Internet) and internal routers.
FIGURE 1 Example of FWLB paths
[Diagram: Internet Router above SI-A and SI-B; Layer 3 Firewall-1 and Layer 3 Firewall-2 between them and SI-C and SI-D; Internal Router below; Paths 1 through 5 drawn through the firewalls and to the routers]
This example shows the following paths:
• Path 1—ServerIron ADX A through Firewall 1 to ServerIron C
• Path 2—ServerIron ADX A through Firewall 2 to ServerIron C
• Path 3—ServerIron ADX A through Firewall 1 to ServerIron D
• Path 4—ServerIron ADX A through Firewall 2 to Server
Firewall selection
Once a ServerIron ADX has selected a firewall for a given traffic flow (source-destination pair of IP addresses), the ServerIron ADX uses the same firewall for subsequent traffic in the same flow. For example (using IPv4 addresses), if the ServerIron ADX selects firewall FW1 for the first packet the ServerIron ADX receives with source address 1.1.1.1 and destination address 2.2.2.
Stateful FWLB
A ServerIron ADX performs stateful FWLB by creating and using session entries for source and destination traffic flows and associating each flow with a specific firewall.
Path health checks
One of the required FWLB parameters is a separate path from the ServerIron through each firewall to each of the ServerIrons on the other side of the firewall. A path to the ServerIron’s gateway router also is required. By default, the ServerIron ADX performs a Layer 3 health check of each firewall and router path by sending an ICMP ping packet on each path.
The ServerIron performs the Layer 4 TCP and UDP health checks as follows:
• TCP health check – The ServerIron ADX checks the TCP port’s health based on a TCP three-way handshake:
  - The ServerIron ADX sends a TCP SYN packet to the port on the firewall. The ServerIron ADX expects the firewall to respond with a SYN ACK. If the ServerIron ADX receives the SYN ACK, the ServerIron sends a TCP RESET, satisfied that the TCP port is alive.
Syntax: show fw-health-check-stats
Table 2 displays the firewall health check statistics.

TABLE 2 Health-check policy statistics
Field: Description
Requests Sent: The number of health check packets sent.
Replies Received: The number of replies received.
Requests Received: The number of requests received.
Open Failed: The number of times the ServerIron ADX failed to open a connection.
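As an added example (not code from the Brocade guide), the Python below models the per-path health-check behaviour described above: a Layer 3 ICMP probe to the ServerIron at the far end of each path, the Layer 4 SYN / SYN ACK / RESET check when an application port is configured on the firewall, a retry budget after which a path is marked down, and the Requests Sent, Replies Received and Open Failed counters of Table 2. The class and function names, the scripted responder that stands in for the wire, and the retry limit value are assumptions; the guide's default retry count is not on this page, so it is a parameter here.

```python
"""Added example, not from the Brocade guide: a model of per-path health checking.

Each configured path gets the Layer 3 check the guide describes (ICMP echo to the
ServerIron at the far end) and, when an application port is configured on the
firewall, a Layer 4 TCP check (SYN, expect SYN/ACK, then RESET). A path that
fails more than `max_retries` consecutive rounds is marked down. The probe
transport is a scripted responder so the example runs offline (constructed data).
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Path:
    path_id: int
    port: str
    other_si: str                   # ServerIron ADX at the far end of the path
    next_hop: str                   # firewall interface attached to this ServerIron
    tcp_port: Optional[int] = None  # Layer 4 check only when an application port is configured
    failures: int = 0               # consecutive failed rounds
    up: bool = True


@dataclass
class HealthStats:
    requests_sent: int = 0          # Table 2 "Requests Sent"
    replies_received: int = 0       # Table 2 "Replies Received"
    open_failed: int = 0            # Table 2 "Open Failed"


def scripted(script: Dict, default):
    """Responder that replays a per-target list of answers; `default` once a list is used up."""
    def respond(*key):
        k = key[0] if len(key) == 1 else key
        seq = script.get(k)
        return seq.pop(0) if seq else default
    return respond


class PathHealthChecker:
    def __init__(self, max_retries: int, icmp: Callable[[str], bool],
                 tcp_syn: Callable[[str, int], Optional[str]]):
        self.max_retries = max_retries
        self.icmp = icmp            # True when an echo reply comes back
        self.tcp_syn = tcp_syn      # "SYN-ACK", "RST" or None (no answer)
        self.stats = HealthStats()

    def _layer3_ok(self, path: Path) -> bool:
        self.stats.requests_sent += 1
        if self.icmp(path.other_si):
            self.stats.replies_received += 1
            return True
        return False

    def _layer4_ok(self, path: Path) -> bool:
        self.stats.requests_sent += 1
        if self.tcp_syn(path.next_hop, path.tcp_port) == "SYN-ACK":
            self.stats.replies_received += 1   # handshake answered; a RESET tears it down
            return True
        self.stats.open_failed += 1            # RST or timeout: the port did not open
        return False

    def probe(self, path: Path) -> bool:
        """One health-check round; returns the path's state afterwards."""
        ok = self._layer3_ok(path)
        if ok and path.tcp_port is not None:   # Layer 4 only runs once Layer 3 answered
            ok = self._layer4_ok(path)
        if ok:
            path.failures, path.up = 0, True
        else:
            path.failures += 1
            if path.failures > self.max_retries:
                path.up = False
        return path.up


def demo() -> Tuple[List[bool], HealthStats]:
    """Six rounds against one path with a constructed failure burst in the middle."""
    path = Path(1, "4/1", "10.10.2.222", "10.10.1.1", tcp_port=80)
    icmp = scripted({"10.10.2.222": [True, True, False, False, False, True]}, default=False)
    tcp = scripted({("10.10.1.1", 80): ["SYN-ACK", None, "SYN-ACK"]}, default="SYN-ACK")
    checker = PathHealthChecker(max_retries=2, icmp=icmp, tcp_syn=tcp)
    history = [checker.probe(path) for _ in range(6)]
    return history, checker.stats


if __name__ == "__main__":
    print(demo())
```

Against real paths the two callables would send the ICMP echo and the TCP SYN; here they replay constructed answers. In this model a Layer 4 check is only attempted in a round whose Layer 3 check succeeded, so a firewall that drops ICMP on a path never gets as far as the TCP probe and the path goes down after the retry budget regardless of the state of its application port.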
Basic FWLB topology
You can configure basic FWLB by deploying one ServerIron ADX on the enterprise side of the firewalls and another ServerIron ADX on the Internet side of the firewalls. A basic FWLB topology uses two ServerIron ADXs to load balance traffic across Layer 3 firewalls. The firewalls can be synchronous or asynchronous. In the basic configuration, one ServerIron ADX connects to all the firewalls on the private network side.
HA FWLB topology
For high availability (HA), you can deploy pairs of ServerIron ADXs in active-active configurations on each side of the firewalls. In an active-active configuration, both ServerIrons in a high-availability pair actively load balance FWLB traffic. Active-active operation provides redundancy in case a ServerIron ADX becomes unavailable, while enhancing performance by using both ServerIron ADXs to process and forward traffic.
Failover
In active-active FWLB, if one of the ServerIron ADXs becomes unavailable, the other ServerIron ADX takes over for the unavailable ServerIron ADX. The ServerIron ADXs use the following parameter to manage failover:
ServerIron ADX priority – You can specify a priority from 0 through 255 on each ServerIron ADX. The ServerIron ADX with the higher priority is the default active ServerIron ADX. Specifying the priority is required.
Multizone FWLB topology
NOTE
Multizone FWLB topology is only available for IPv4 address formats.
Figure 4 shows an example of Multizone basic FWLB.
FIGURE 4 Multizone basic FWLB
[Diagram: External Router and SI-A in Zone 1; Layer 3 Firewall-1 and Layer 3 Firewall-2; SI-B with the Internal Router in Zone 2 and SI-C with the DMZ Router in Zone 3]
Figure 5 shows an example of Multizone HA FWLB.
FIGURE 5 Multizone HA FWLB
[Diagram: External Router with SI-A and SI-B in Zone 1; Layer 3 Firewall-1 and Layer 3 Firewall-2; SI-C, SI-D, SI-E and SI-F below the firewalls in Zone 2 (Internal Router) and Zone 3 (DMZ Router)]
FWLB configuration limits
Table 3 contains the FWLB configuration limits supported by the ServerIron.
Chapter 2 Configuring Basic FWLB

In this chapter
• Configuring basic Layer 3 FWLB
• Configuration guidelines
• Configuration example for basic Layer 3 FWLB
• Configuration examples with Layer 3 routing support
Configuration guidelines
• You must configure a separate path on each ServerIron ADX for each firewall. The paths ensure that firewall traffic with a given pair of source and destination IP addresses flows through the same firewall each time. Thus, the paths reduce firewall overhead by eliminating unnecessary revalidations.
NOTE
Path configuration is required for all load balancing configurations, whether the firewalls are synchronous or asynchronous.
Commands for ServerIron ADX B (internal)
ServerIron ADX(config)# server fw-name FW1-IPout 209.157.23.1
ServerIron ADX(config-rs-FW1-IPout)# exit
ServerIron ADX(config)# server fw-name FW2-IPout 209.157.23.
Syntax: [no] fw-name
Adds a configured firewall to the firewall group.
Configuring the paths and adding static MAC entries
A path is configuration information the ServerIron ADX uses to ensure that a given source and destination IP pair is always authenticated by the same Layer 3 firewall. Each path consists of the following parameters:
• The path ID – A number that identifies the path.
NOTE
For many configurations, static MAC entries are required. Where required, you must add a static MAC entry for each firewall interface with the ServerIron ADX. The FWLB configuration examples in this guide indicate whether static MAC entries are required.
To configure the paths and static MAC entries for the configuration shown in Figure 2 on page 11, enter the following commands.
The parameter specifies the IPv4 address of the ServerIron ADX on the other side of the firewall. The parameter specifies the IPv4 address of the firewall connected to this ServerIron ADX. The parameter specifies the IPv6 address of the ServerIron ADX on the other side of the firewall. The parameter specifies the IPv6 address of the firewall connected to this ServerIron ADX.
The following commands configure parameters for the firewall group (group 2 for IPv4 addresses). The fwall-info commands configure the paths for the firewall traffic. Each path consists of a path ID, the ServerIron ADX port attached to the firewall, the IP address of the ServerIron ADX at the other end of the path, and the next-hop IP address (usually the firewall interface connected to this ServerIron ADX).
ServerIron ADXB(config-fw-2)# fwall-info 1 1 209.157.22.2 209.157.23.1
ServerIron ADXB(config-fw-2)# fwall-info 2 2 209.157.22.2 209.157.23.2
ServerIron ADXB(config-fw-2)# exit
ServerIron ADXB(config)# vlan 1
ServerIron ADXB(config-vlan-1)# static-mac-address abcd.4321.34e2 ethernet 1 priority 1 router-type
ServerIron ADXB(config-vlan-1)# static-mac-address abcd.4321.
Configuration examples with Layer 3 routing support
This section shows examples of commonly used ServerIron ADX basic FWLB deployments with Layer 3 configurations. The ServerIron ADXs in these examples perform Layer 3 routing in addition to Layer 2 and Layer 4–7 switching.
IPv4 example for FWLB with one sub-net and one virtual routing interface
The following sections show the CLI commands for configuring the basic FWLB implementation in Figure 6.
FIGURE 6 Basic IPv4 FWLB in one subnet
[Diagram: Client 10.10.1.15 (gateway 10.10.1.111 or 10.10.1.5); SI-A, the External ServerIron, with ports 4/1, 4/2 and 4/3; firewall interfaces 10.10.1.5 (MAC 00.80.c8.b9.ab.a9) and 10.10.1.6 (MAC 00.80.c8.b9.91.09); VLAN 1 virtual interface 10.
The following command configures an IP default route. The first two "0.0.0.0" portions of the address are the IP address and network mask. Always specify zeroes when configuring an IP default route. The third value is the IP address of the next-hop gateway for the default route. In most cases, you can specify the IP address of one of the firewalls as the next hop.
SI-External(config)# vlan 1
SI-External(config-vlan-1)# static-mac-address 0080.c8b9.aba9 ethernet 4/1 priority 1 router-type
SI-External(config-vlan-1)# static-mac-address 0080.c8b9.9109 ethernet 4/2 priority 1 router-type
SI-External(config-vlan-1)# exit
The following command saves the configuration changes to the startup-config file.
IPv6 example for FWLB with one sub-net and one virtual routing interface
The following sections show the CLI commands for configuring the basic IPv6 FWLB implementation in Figure 7.
FIGURE 7 Basic IPv6 FWLB in one subnet
[Diagram: External Router and External ServerIron SI-A on 1111::1 and 1111::2 (port 5); on the external network, SI-A 1112::1 with ports 8 and 9 toward firewall interfaces 1112::2 (MAC 00.80.c8.b9.ab.a9) and 1112::3 (MAC 00.80.c8.b9.91.
SI-External(config)# vlan 1
SI-External(config-vlan-1)# static-mac-address 0080.c8b9.aba9 ethernet 4/1 priority 1 router-type
SI-External(config-vlan-1)# static-mac-address 0080.c8b9.
Basic FWLB with multiple sub-nets and multiple virtual routing interfaces
Figure 8 (IPv4) and Figure 8 (IPv6) show an example of a basic FWLB configuration in which multiple IP sub-net interfaces are configured on each ServerIron ADX. On each ServerIron ADX, the client or server is in one sub-net and the firewalls are in another sub-net. The ports connected to the firewalls are configured in a separate port-based VLAN.
Commands on the external ServerIron ADX
The following commands change the CLI to the global CONFIG level, and then change the host name to "SI-External".
ServerIron ADX> enable
ServerIron ADX# configure terminal
ServerIron ADX(config)# hostname SI-External
The following commands configure virtual routing interface 1, which is connected to the firewalls.
The following commands add the paths through the firewalls to the other ServerIron ADX. Each path consists of a path number, a ServerIron ADX port number, the IP address at the other end of the path, and the next-hop IP address. In this example, the topology does not contain routers other than the ServerIron ADXs. If your topology contains other routers, configure firewall paths for the routers too.
IPv6 example for FWLB with multiple sub-nets and virtual routing interfaces
The following sections show the CLI commands for configuring the basic IPv6 FWLB implementation in Figure 8.
SI-External(config)# server fw-name ip6fw1 1113::2
SI-External(config-rs-fw1)# port http
SI-External(config-rs-fw1)# exit
SI-External(config)# server fw-name ip6fw2 1113::3
SI-External(config-rs-fw2)# port http
SI-External(config-rs-fw2)# exit
SI-External(config)# server fw-group 4 ipv6
SI-External(config-fw-4)# fw-name ip6fw1
SI-External(config-fw-4)# fw-name ip6fw2
SI-External(config-fw-4)# fwall-info 1 8 1113::1 1112::2
S
Chapter 3 Configuring HA FWLB

In this chapter
• Understanding ServerIron FWLB
• Configuring HA active-active FWLB
• Configuring active-active HA FWLB
• Configuring active-active HA FWLB with VRRP
Session limits
To avoid overloading a firewall, the ServerIron ADX does not forward a packet to a firewall if either of the following conditions exists:
• The firewall already has the maximum allowed number of open sessions with the ServerIron ADX. An open session is represented by a session entry. By default, a firewall can have up to two million session entries on the ServerIron ADX.
Configuring HA active-active FWLB
This section contains the following sections:
• “Overview of active-active FWLB” on page 39
• “HA FWLB configuration guidelines” on page 40
• “Configuring the management IP address and default gateway” on page 42
• “Configuring the firewall port” on page 42
• “Configuring the partner port” on page 43
• “Configuring the additional data link (the always-active link)” on page 43
• “Co
FIGURE 10 HA FWLB for Layer 3 firewalls
[Diagram: Clients 10.10.6.22 and 10.10.6.23 behind External Router A and External Router B, which share VRRP address 10.10.1.101; ServerIron SI-Ext-A (10.10.1.111) and SI-Ext-B (10.10.1.112), each with default gateway 10.10.1.101, joined by a synchronization link on trunk ports 4/13-4/14; SI-Ext-A ports 4/12 and 4/1; FW1 interface 10.10.1.1 (MAC 00.50.da.8d.52.18); ...
• You must use the server partner-ports command to identify the data path from a peer ServerIron ADX in HA.
• Do not combine FWLB with Layer 7 content switching features. The FWLB+TCS combination is also not supported.
In this example, clients access the application servers on the private network through one of two routers, each of which is connected to a ServerIron ADX.
TABLE 5 Active-active FWLB configuration tasks (Continued)
Task: Reference
Configure firewall group parameters:
  Change the load balancing method from least connections to least connections per application (optional): page 47
  Enable the active-active mode: page 48
  Configure the paths and add static MAC entries for the firewall interfaces with the ServerIron ADX: page 48
  Configure the ServerIron ADX to drop traffic when the firewall has r
Configuring the partner port
Use the partner-ports command to configure the data link between the ServerIron and its active-active partner. You must use the server partner-ports command to specify all data links with the partner. To specify the partner port, enter the following command.
NOTE
Do not use the partner-ports command for the synchronization link.
Configuring the router port
NOTE
Do not configure the router-port in an active-active FWLB. Router-port configuration is a trigger (Router-cnt) that changes the FWLB status without the active-active HA configuration.
High-availability FWLB configurations require that you identify the ports on the ServerIron ADX that are attached to the routers. To identify the router port, enter the following command.
The parameter can be a number from 1 through 65535 or one of the following well-known port names:
• dns – port 53
• ftp – port 21 (Ports 20 and 21 are FTP ports but in the ServerIron ADX, the name “ftp” corresponds to port 21.
Changing the maximum number of sessions
To change the maximum number of sessions the firewall can have on the high-availability pair of ServerIron ADXs, enter the following command.
ServerIronADX(config-rs-FW1)# max-conn 145000
Syntax: [no] max-conn
The variable specifies the maximum and can be from 1 through 2,000,000. This maximum applies to both the ServerIron ADX and its high-availability partner.
Adding the firewalls to the firewall group
To add the firewalls to the firewall group, enter the following commands.
ServerIronADX(config)# server fw-group 2
ServerIronADX(config-fw-2)# fw-name FW1
ServerIronADX(config-fw-2)# fw-name FW2
Syntax: server fw-group 2 | 4
This command changes the CLI to the firewall group configuration level. The IPv4 address format firewall group number is 2. The IPv6 address format firewall group number is 4.
Hashing load balance metric in FWLB
You configure the fw-predictor hash command under the firewall group. When this command is configured, firewall selection is based on hashing of IP addresses (and ports optionally). The packet will be dropped if hashing picks a firewall and if either of the following is true:
• The maximum number of sessions (max-conn command) is reached for that firewall.
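The Python below is an added example, not code from the Brocade guide, that models the selection rules from “Firewall selection”, “Stateful FWLB”, “Session limits” and this section together: the first packet of a flow picks a firewall, a session entry pins later packets of the flow to it, a firewall at its max-conn limit receives no new flows, and with the hash predictor a hash that lands on a full firewall drops the packet instead of spilling over to another firewall. The 2,000,000 session-entry default and the max-conn range are the guide's; the hash function (SHA-256 over the addresses), the class and function names, and the treatment of a firewall marked down are assumptions, since the ADX's own hash is not documented on this page.

```python
"""Added example, not from the Brocade guide: stateful flow-to-firewall assignment.

Models least-connections (the default the guide names) and hash-based
(fw-predictor hash) selection with per-firewall session limits. The hash
function and the handling of a firewall that is down are assumptions.
"""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple

FlowKey = Tuple[str, str, int, int]  # src IP, dst IP, src port, dst port (0, 0 for a Layer 3 session)


@dataclass
class Firewall:
    name: str
    max_conn: int = 2_000_000   # guide: 1 through 2,000,000; default two million entries
    sessions: int = 0
    up: bool = True

    def available(self) -> bool:
        return self.up and self.sessions < self.max_conn


class FirewallGroup:
    def __init__(self, firewalls: Sequence[Firewall], predictor: str = "least-conn",
                 hash_ports: bool = False):
        if predictor not in ("least-conn", "hash"):
            raise ValueError(f"unknown predictor {predictor!r}")
        self.firewalls = list(firewalls)
        self.predictor = predictor
        self.hash_ports = hash_ports
        self.sessions: Dict[FlowKey, Firewall] = {}   # the session table

    def _hash_pick(self, key: FlowKey) -> Firewall:
        material = f"{key[0]}|{key[1]}" + (f"|{key[2]}|{key[3]}" if self.hash_ports else "")
        digest = hashlib.sha256(material.encode()).digest()   # assumption: any stable hash will do
        return self.firewalls[int.from_bytes(digest[:4], "big") % len(self.firewalls)]

    def _least_conn_pick(self) -> Optional[Firewall]:
        candidates = [fw for fw in self.firewalls if fw.available()]
        return min(candidates, key=lambda fw: fw.sessions) if candidates else None

    def forward(self, src: str, dst: str, sport: int = 0, dport: int = 0) -> Optional[str]:
        """Name of the firewall the packet is sent to, or None when it is dropped."""
        key: FlowKey = (src, dst, sport, dport)
        fw = self.sessions.get(key)
        if fw is not None:                  # existing flow: same firewall every time
            return fw.name if fw.up else None
        if self.predictor == "hash":
            fw = self._hash_pick(key)
            if not fw.available():          # hash result is final: drop, no fallback firewall
                return None
        else:
            fw = self._least_conn_pick()
            if fw is None:                  # every firewall is full or down
                return None
        fw.sessions += 1
        self.sessions[key] = fw
        return fw.name

    def close(self, src: str, dst: str, sport: int = 0, dport: int = 0) -> None:
        """Remove the session entry, freeing one slot on its firewall."""
        fw = self.sessions.pop((src, dst, sport, dport), None)
        if fw is not None:
            fw.sessions -= 1


def demo_least_conn() -> List[Optional[str]]:
    """Constructed traffic against two deliberately small firewalls."""
    group = FirewallGroup([Firewall("FW1", max_conn=2), Firewall("FW2", max_conn=1)])
    flows = [("1.1.1.1", "2.2.2.2"), ("1.1.1.2", "2.2.2.2"), ("1.1.1.3", "2.2.2.2"),
             ("1.1.1.4", "2.2.2.2"), ("1.1.1.1", "2.2.2.2")]
    return [group.forward(s, d) for s, d in flows]


if __name__ == "__main__":
    print(demo_least_conn())
```

With the least-connections predictor the fourth flow is dropped because both firewalls are at their limit, while the fifth, a repeat of the first source-destination pair, still lands on FW1 from the session table. With the hash predictor the drop happens as soon as the one firewall the hash selects is full, even if the other firewall is idle, which is the trade-off the section above describes.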
• The other ServerIron ADX’s IP address – The management address of the ServerIron ADX on the other side of the firewall.
• The next-hop IP address – The IP address of the firewall interface connected to this ServerIron ADX.
NOTE
FWLB paths must be fully meshed. When you configure a FWLB path on a ServerIron ADX, make sure you also configure a reciprocal path on the ServerIron ADX attached to the other end of the firewalls.
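As an added example (not the guide's code), the Python lint below reads the ip address, fwall-info and static-mac-address lines from the configs of the ServerIron ADXs on both sides of the firewalls and reports every violation of the rules stated here and in “Configuring the paths and adding static MAC entries”: a path through every firewall to every ServerIron ADX on the far side, a reciprocal path on that far-side ServerIron ADX, and a static MAC entry for every port that carries a firewall path. The firewall interface map and the four sample configs are constructed for this example, with addressing modelled on Figure 10, and one path and one static MAC entry deliberately left out so the lint has something to find; the function names are assumptions.

```python
"""Added example, not from the Brocade guide: lint for FWLB path definitions.
Checks the rules the guide states: paths fully meshed (every firewall to every
ServerIron on the far side), a reciprocal path on the far-side ServerIron, and a
static MAC entry for every port carrying a firewall path. The firewall interface
map and the sample configs are constructed (addressing modelled on Figure 10)."""
import re
from typing import Dict, List, NamedTuple, Set, Tuple


class Path(NamedTuple):
    path_id: int
    port: str
    other_si: str   # ServerIron ADX at the other end of the path
    next_hop: str   # firewall (or router) interface attached to this ServerIron

class SiConfig(NamedTuple):
    ip: str
    paths: List[Path]
    mac_ports: Set[str]

FWALL_RE = re.compile(r"fwall-info\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"static-mac-address\s+\S+\s+ethernet\s+(\S+)")
IP_RE = re.compile(r"^\s*ip address\s+(\S+)\s+\S+", re.M)

def parse_config(text: str) -> SiConfig:
    ip = IP_RE.search(text).group(1)
    paths = [Path(int(m[1]), m[2], m[3], m[4])
             for m in map(FWALL_RE.search, text.splitlines()) if m]
    return SiConfig(ip, paths, {m.group(1) for m in MAC_RE.finditer(text)})

def lint(sis: Dict[str, SiConfig], fw_ifaces: Dict[str, Tuple[str, str]]) -> List[str]:
    """fw_ifaces: firewall name -> (interface on side 0, interface on side 1)."""
    findings: List[str] = []
    iface = {}                                   # interface IP -> (firewall, side)
    for fw, (a, b) in fw_ifaces.items():
        iface[a], iface[b] = (fw, 0), (fw, 1)
    side: Dict[str, int] = {}                    # which side of the firewalls each SI sits on
    for name, cfg in sis.items():
        sides = {iface[p.next_hop][1] for p in cfg.paths if p.next_hop in iface}
        if len(sides) != 1:
            findings.append(f"{name}: firewall paths do not sit on exactly one side")
        else:
            side[name] = sides.pop()
    by_ip = {cfg.ip: name for name, cfg in sis.items()}
    for name in side:
        cfg, my = sis[name], side[name]
        far = [n for n in side if side[n] != my]
        have = {(iface[p.next_hop][0], p.other_si) for p in cfg.paths if p.next_hop in iface}
        for fw, ifs in fw_ifaces.items():        # full mesh: every firewall x every far-side SI
            for peer in far:
                if (fw, sis[peer].ip) not in have:
                    findings.append(f"{name}: no path through {fw} ({ifs[my]}) to {peer} ({sis[peer].ip})")
        fw_ports = {p.port for p in cfg.paths if p.next_hop in iface}
        for port in sorted(fw_ports - cfg.mac_ports):
            findings.append(f"{name}: port {port} carries a firewall path but has no static MAC entry")
        for p in cfg.paths:
            if p.next_hop not in iface:
                continue                          # router path: no reciprocal check
            fw, peer = iface[p.next_hop][0], by_ip.get(p.other_si)
            if peer not in side:
                findings.append(f"{name}: path {p.path_id} points at unknown ServerIron {p.other_si}")
                continue
            back = fw_ifaces[fw][side[peer]]      # same firewall, seen from the peer's side
            if not any(q.next_hop == back and q.other_si == cfg.ip for q in sis[peer].paths):
                findings.append(f"{name}: path {p.path_id} ({fw} to {peer}) has no reciprocal path on {peer}")
    return sorted(findings)

FW_IFACES = {"FW1": ("10.10.1.1", "10.10.2.1"), "FW2": ("10.10.1.2", "10.10.2.2")}
SAMPLE_CONFIGS = {  # constructed; SI-Ext-A lacks one MAC entry and SI-Int-B lacks one path
    "SI-Ext-A": """ip address 10.10.1.111 255.255.255.0
fwall-info 1 4/1 10.10.2.222 10.10.1.1
fwall-info 2 4/5 10.10.2.222 10.10.1.2
fwall-info 3 4/1 10.10.2.223 10.10.1.1
fwall-info 4 4/5 10.10.2.223 10.10.1.2
static-mac-address 0050.da8d.5218 ethernet 4/1 priority 1 router-type""",
    "SI-Ext-B": """ip address 10.10.1.112 255.255.255.0
fwall-info 1 3/1 10.10.2.222 10.10.1.1
fwall-info 2 4/1 10.10.2.222 10.10.1.2
fwall-info 3 3/1 10.10.2.223 10.10.1.1
fwall-info 4 4/1 10.10.2.223 10.10.1.2
static-mac-address 0050.da8d.5218 ethernet 3/1 priority 1 router-type
static-mac-address 0050.da92.08fc ethernet 4/1 priority 1 router-type""",
    "SI-Int-A": """ip address 10.10.2.222 255.255.255.0
fwall-info 1 4/1 10.10.1.111 10.10.2.1
fwall-info 2 4/5 10.10.1.111 10.10.2.2
fwall-info 3 4/1 10.10.1.112 10.10.2.1
fwall-info 4 4/5 10.10.1.112 10.10.2.2
static-mac-address 00e0.5201.0426 ethernet 4/1 priority 1 router-type
static-mac-address 0004.80eb.5294 ethernet 4/5 priority 1 router-type""",
    "SI-Int-B": """ip address 10.10.2.223 255.255.255.0
fwall-info 1 3/1 10.10.1.111 10.10.2.1
fwall-info 2 4/1 10.10.1.111 10.10.2.2
fwall-info 3 3/1 10.10.1.112 10.10.2.1
static-mac-address 00e0.5201.0426 ethernet 3/1 priority 1 router-type
static-mac-address 0004.80eb.5294 ethernet 4/1 priority 1 router-type""",
}

def run_sample() -> List[str]:
    return lint({n: parse_config(t) for n, t in SAMPLE_CONFIGS.items()}, FW_IFACES)

if __name__ == "__main__":
    print("\n".join(run_sample()))
```

On the sample the lint reports three findings: the missing static MAC entry on port 4/5 of SI-Ext-A, the missing path from SI-Int-B through FW2 to SI-Ext-B, and, seen from the other side, SI-Ext-B's path 4 with no reciprocal path on SI-Int-B. Paths whose next hop is not a firewall interface are treated as router paths and only checked for the full-mesh rule's complement, not for reciprocity, which matches the guide's separate treatment of router paths.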
To configure the static MAC address entries for ServerIron ADX SI-Ext-A in Figure 10, enter the following commands.
ServerIronADX(config-fw-2)# vlan 1
ServerIronADX(config-vlan-1)# static-mac-address 0050.da92.08fc ethernet 4/5 priority 1 router-type
ServerIronADX(config-vlan-1)# static-mac-address 0050.da8d.
Syntax: [no] server fw-strict-sec
The feature applies globally to all TCP traffic received for FWLB.
Complete CLI example
The following sections show the CLI commands for configuring the ServerIron ADXs in Figure 10.
Commands on ServerIron ADX SI-Ext-A
The following commands add a management IP address and default gateway address to the ServerIron ADX.
The following commands configure the firewalls and add them to the firewall group. Because an application port is configured on each firewall, the ServerIron ADX will use Layer 4 sessions to load balance the firewall traffic for that application. The ServerIron ADX will use Layer 3 sessions to load balance traffic for other applications.
SI-Ext-A(config)# server fw-name FW1 10.10.1.
Commands on ServerIron ADX SI-Ext-B
ServerIronADX> enable
ServerIronADX# configure terminal
ServerIronADX(config)# hostname SI-Ext-B
SI-Ext-B(config)# ip address 10.10.1.112 255.255.255.0
SI-Ext-B(config)# ip default-gateway 10.10.1.
Commands on ServerIron ADX SI-Int-A
ServerIronADX> enable
ServerIronADX# configure terminal
ServerIronADX(config)# hostname SI-Int-A
SI-Int-A(config)# ip address 10.10.2.222 255.255.255.0
SI-Int-A(config)# ip default-gateway 10.10.2.
Commands on ServerIron ADX SI-Int-B
ServerIronADX> enable
ServerIronADX# configure terminal
ServerIronADX(config)# hostname SI-Int-B
SI-Int-B(config)# ip address 10.10.2.223 255.255.255.0
SI-Int-B(config)# ip default-gateway 10.10.2.
Configuring active-active HA FWLB
The following configuration and diagram are an example of active-active FWLB.
FIGURE 11 Active-active FWLB topology
[Diagram: Client 1 (30.30.1.1/16) and client 10.10.6.23 behind External Router 1 and External Router 2 (100.100.100.2/24 and 100.100.100.1/24 on the client side, 20.20.1.120/24 and 20.20.8.120/24 toward the ServerIrons); SI-A (management IP 20.20.1.111, network 20.20.1.0/24) and SI-B (management IP 20.20.8.111, network 20.20.8.0/24) joined by a synch link trunk on eth 2/7-2/8; OSPF Area 1; ...
• In the topology presented in this section, IP addresses of firewalls are different on each ServerIron ADX. Use the other-ip command under the firewall configuration level to identify the partner ServerIron ADX’s firewall address.
Syntax: [no] other-ip |
NOTE
IPv4 and IPv6 address formats cannot be mixed. Addresses must be entered in the same format.
SI-StandbyA(config-rs-FW4)# server fw-group 2
SI-StandbyA(config-fw-2)# l2-fwall
SI-StandbyA(config-fw-2)# sym-priority 250
SI-StandbyA(config-fw-2)# fw-name fw1
SI-StandbyA(config-fw-2)# fw-name fw2
SI-StandbyA(config-fw-2)# fw-name fw3
SI-StandbyA(config-fw-2)# fw-name fw4
SI-StandbyA(config-fw-2)# fwall-info 1 3/1 10.10.2.222 20.20.1.1
SI-StandbyA(config-fw-2)# fwall-info 2 3/2 10.10.2.222 20.20.1.
SI-StandbyB(config)# server fw-name fw2 20.20.8.2
SI-StandbyB(config-rs-FW2)# other-ip 20.20.1.2
SI-StandbyB(config-rs-FW2)# port http
SI-StandbyB(config-rs-FW2)# port http no-health-check
SI-StandbyB(config-rs-FW2)# port http url "HEAD /"
SI-StandbyB(config-rs-FW2)# exit
SI-StandbyB(config)# server fw-name fw3 20.20.8.3
SI-StandbyB(config-rs-FW3)# other-ip 20.20.1.
Internal ServerIron ADX C (Int-SI-C) Configuration
SI-ActiveC(config)# trunk switch ethe 2/5 to 2/6
SI-ActiveC(config)# server fw-port 2/5
SI-ActiveC(config)# server partner-ports ethernet 4/5
SI-ActiveC(config)# server router-ports ethernet 2/1
SI-ActiveC(config)# server fw-name fw1 10.10.2.1
SI-ActiveC(config-rs-FW1)# other-ip 10.10.8.
priority 1 router-type
SI-ActiveC(config-vlan-1)# static-mac-address 0004.80eb.5294 ethernet 3/4 priority 1 router-type
SI-ActiveC(config-vlan-1)# exit
SI-ActiveC(config)# vlan 999 by port
SI-ActiveC(config-vlan-999)# untagged ethe 2/5 to 2/8
SI-ActiveC(config-vlan-999)# no spanning-tree
SI-ActiveC(config-vlan-999)# exit
SI-ActiveC(config)# hostname Int-SI-C
SI-ActiveC(config)# ip address 10.10.2.222 255.255.255.
SI-ActiveD(config-fw-2)# fwall-info 7 3/3 20.20.1.111 10.10.8.3
SI-ActiveD(config-fw-2)# fwall-info 8 3/4 20.20.1.111 10.10.8.4
SI-ActiveD(config-fw-2)# fwall-info 9 2/1 10.10.8.120 10.10.8.
Configuring active-active HA FWLB with VRRP
FIGURE 12 Active-active FWLB with VRRP
[Diagram: Client 10.10.6.99 through a Layer 2 swit​ch (10.10.6.2) to port 4/12 of ServerIron SI-Ext-A (10.10.6.111) and port 4/12 of SI-Ext-B (10.10.6.112), both running VRRP VRID 1 for 10.10.6.111; SI-Ext-A VLAN 1, VE 1 10.10.1.111; synchronization link on trunk ports 3/5-3/6; additional data link on ports 3/1; port 4/1 and firewall interface 10.10.1.1 (MAC 00e0.5201.0426); SI-Ext-B VLAN 1, VE 1 10.10.1.
The following command configures an IP default route. The next hop for this route is the interface of firewall FW1 (10.10.1.1) that is attached to this ServerIron ADX.
SI-Ext-A(config)# ip route 0.0.0.0 0.0.0.0 10.10.1.1
The following commands configure port-based VLAN 2, which will contain the port on which VRRP VRID 1 (10.10.6.111) is configured.
The following command enables the active-active mode.
SI-Ext-A(config-fw-2)# sym-priority 255
NOTE
Do not use the same number on both ServerIron ADXs. For example, enter sym-priority 1 on one of the ServerIron ADXs and sym-priority 255 on the other ServerIron ADX.
The following commands add the paths through the firewalls to the other ServerIron ADX.
The following commands configure the VRRP parameters. The address indicated by the ip-address command (10.10.6.111) is the address that will be backed up by VRRP. Because this ServerIron ADX is the owner of the backed-up address, the address is configured on the port (this port owns the address) and the address is assigned to the VRID. On external ServerIron ADX B, the VRID will be configured as a backup for 10.10.6.111.
SI-Ext-B(config-fw-2)# sym-priority 1
SI-Ext-B(config-fw-2)# fwall-info 1 3/1 10.10.2.222 10.10.1.1
SI-Ext-B(config-fw-2)# fwall-info 2 4/1 10.10.2.222 10.10.1.2
SI-Ext-B(config-fw-2)# fwall-info 3 3/1 10.10.2.223 10.10.1.1
SI-Ext-B(config-fw-2)# fwall-info 4 4/1 10.10.2.223 10.10.1.
SI-Int-A(config)# interface ve 1
SI-Int-A(config-ve-1)# ip address 10.10.2.222 255.255.255.0
SI-Int-A(config-ve-1)# exit
SI-Int-A(config)# ip route 0.0.0.0 0.0.0.0 10.10.2.
SI-Int-B(config)# server fw-name fw1 10.10.2.1
SI-Int-B(config-rs-fw1)# port http
SI-Int-B(config-rs-fw1)# port http no-health-check
SI-Int-B(config-rs-fw1)# exit
SI-Int-B(config)# server fw-name fw2 10.10.2.
Chapter 4 Configuring Multizone FWLB
In this chapter
• Zone configuration
• Configuring basic multizone FWLB
• Configuration example for basic multizone FWLB
• Configuring high-availability multizone FWLB
• On the DMZ ServerIron ADXs, configure zone definitions for the zones in the internal network and other DMZs, if applicable.
• On the internal ServerIron ADXs, configure zone definitions for the zones in the DMZs and other internal networks, if applicable.
Generally, each ServerIron ADX should contain definitions for two fewer zones than the total number of zones in the network (no definition is needed for the ServerIron ADX's own zone or for zone 1).
FIGURE 13 Basic multizone FWLB configuration (diagram not reproduced; labels recovered from the figure: WAN Router and Internet in Zone 1 at 209.157.24.250/24; SI-1 209.157.24.13/24 with Port5 toward the router and Port1/Port16 toward the firewalls; FW1 interfaces 209.157.24.1/24, 209.157.23.1/24 and 209.157.25.254/24; FW2 interfaces 209.157.24.254/24, 209.157.23.254/24 and 209.157.25.1/24; SI-2 209.157.25.15/24 and SI-3 209.157.23.11/24, each with Port1/Port16 toward the firewalls and Port5 toward Zone 2 and Zone 3 respectively. Note: When undefined, Zone 1 contains all addresses not in the other zones.)
• Configure a standard ACL for each zone of which the ServerIron ADX is not a member, except zone 1. The ACLs identify the IP addresses or address ranges in the other zones. If you leave zone 1 undefined, all IP addresses that are not in this ServerIron ADX's own sub-net and are not members of zones configured on the ServerIron ADX are assumed to be members of zone 1.
The following command identifies the router port, which is the ServerIron ADX port connected to a router. In the example in Figure 13 on page 73, each ServerIron ADX has one router port. If the link is a trunk group, enter the primary port number. In this example, the router port is port 5.
Zone1-SI(config)# server router-ports 5
The following commands add the firewalls.
In this example, the ACL number and zone number are the same, but this is not required.
Syntax: [no] fw-name
The fw-name command adds the previously configured firewalls to the firewall group. Specify the names you entered when configuring the firewalls for the variable. In this example, the names are "FW1" and "FW2".
The following commands configure the firewall paths.
Commands on Zone2-SI in zone 2
The following commands configure ServerIron ADX "Zone2-SI" in zone 2 in Figure 13 on page 73. The configuration is similar to the one for Zone1-SI, with the following exceptions:
• The management IP address is different.
• The default gateway goes to a different interface on FW1.
• The paths are different due to the ServerIron ADX's placement in the network.
Commands on Zone3-SI in zone 3
The following commands configure ServerIron ADX "Zone3-SI" in zone 3 in Figure 13 on page 73. The configuration is similar to the ones for the other ServerIron ADXs, with the following exceptions:
• The management IP address is different.
• The default gateway goes to an interface on FW2.
• The paths are different due to the ServerIron ADX's placement in the network.
Configuring high-availability multizone FWLB
Figure 14 on page 79 shows an example of a high-availability multizone FWLB configuration. This example has the same zones as the basic example in Figure 13 on page 73, but in the high-availability configuration, each zone contains a pair of active-standby ServerIron ADXs instead of a single ServerIron ADX.
To configure ServerIron ADXs for IronClad multizone FWLB, perform the following tasks:
• Configure global system parameters. These parameters include the ServerIron ADX IP address and default gateway. You also need to globally disable the Spanning Tree Protocol (STP). Disabling STP is required for this configuration.
Failover algorithm
ServerIron ADXs in high-availability multizone FWLB configurations use the following criteria for failover:
• Connection to zones – If one ServerIron ADX in an active-standby pair has connectivity to more zones than the other ServerIron ADX, the ServerIron ADX with connectivity to more zones is the active ServerIron ADX.
The following commands identify the port for the link to the other ServerIron ADX. If the link is a trunk group, enter the primary port number. In this example, the link is a trunk group made of ports 9 and 10, but you only need to specify port 9, the trunk group's primary port.
Using the l2-fwall and always-active commands allows you to simplify the network topology while still obtaining the benefits of the IronClad (high-availability) configuration. Use the following commands to enable the always-active option in the default VLAN (VLAN 1). You enable the L2-fwall option when you configure firewall group parameters (see the following example).
The fw-name commands add the firewalls. Specify the names you entered when configuring the firewalls. In this example, the names are "FW1" and "FW2".
The l2-fwall command enables the L2-fwall option. This option blocks the Layer 2 traffic on the standby ServerIron ADXs. If you do not enable this mode, Layer 2 traffic can pass through the ServerIron ADXs, causing loops.
Zone1-SI-A(config-fw-2)# fwall-info 7 16 209.157.25.15 209.157.24.254
Zone1-SI-A(config-fw-2)# fwall-info 8 16 209.157.25.16 209.157.24.254
Zone1-SI-A(config-fw-2)# fwall-info 9 5 209.157.24.250 209.157.24.250
Zone1-SI-A(config-fw-2)# exit
Each fwall-info command consists of a path number, a ServerIron ADX port number, the IP address at the other end of the path, and the next-hop IP address.
Commands on Zone1-SI-S in zone 1
The following commands configure ServerIron ADX "Zone1-SI-S" on the right side of zone 1 in Figure 14 on page 79. The configuration is similar to the one for Zone1-SI-A, with the following exceptions:
• The management IP address is different.
• The default gateway goes to firewall FW2's interface with the ServerIron ADX.
Zone1-SI-S(config-vlan-1)# exit
Zone1-SI-S(config)# write memory
Zone1-SI-S(config)# exit
Zone1-SI-S# reload
Commands on Zone2-SI-A in zone 2
The following commands configure ServerIron ADX "Zone2-SI-A" on the left side of zone 2 in Figure 14 on page 79. The configuration is similar to the one for the active ServerIron ADX in zone 1, with the following exceptions:
• The management IP address is different.
Zone2-SI-A(config)# vlan 1
Zone2-SI-A(config-vlan-1)# static-mac-address abcd.5200.348b ethernet 1 priority 1 router-type
Zone2-SI-A(config-vlan-1)# static-mac-address abcd.5200.
Commands on Zone3-SI-A in zone 3
The following commands configure ServerIron ADX "Zone3-SI-A" on the left side of zone 3 in Figure 14 on page 79.
ServerIronADX(config)# hostname Zone3-SI-A
Zone3-SI-A(config)# ip address 209.157.23.11 255.255.255.0
Zone3-SI-A(config)# ip default-gateway 209.157.23.
Commands on Zone3-SI-S in zone 3
The following commands configure ServerIron ADX "Zone3-SI-S" on the right side of zone 3 in Figure 14 on page 79.
ServerIronADX(config)# hostname Zone3-SI-S
Zone3-SI-S(config)# ip address 209.157.23.12 255.255.255.0
Zone3-SI-S(config)# ip default-gateway 209.157.23.
If the firewalls are multi-homed (allow more than one connection on each side of the protected network), then it is possible to connect each ServerIron ADX to all the firewalls directly. Figure 15 shows an example of this type of configuration.
FIGURE 15 IronClad FWLB configuration with multi-homed firewalls (diagram not reproduced; labels recovered from the figure: Internet; External Router 1.1.1.20 and 2.2.2.20; Port e8; Active ServerIron A 1.1.1.)
Configuration examples with Layer 3 routing
This section shows examples of commonly used ServerIron ADX multizone FWLB deployments with Layer 3 configurations. The ServerIron ADXs in these examples perform Layer 3 routing in addition to Layer 2 and Layer 4–7 switching. Generally, the steps for configuring Layer 4–7 features on a ServerIron ADX running Layer 3 are similar to the steps on a ServerIron ADX that is not running Layer 3.
FIGURE 16 Multizone FWLB with one sub-net and one virtual routing interface (diagram not reproduced; labels recovered from the figure: Zone 1 host IP 20.20.100.100 with Gateway 20.20.254.254; Active ServerIron A SI-A 10.10.1.101; Sync Link on Ports 4/9-4/10; Data Link on Ports 4/11-4/12; Port 4/1 toward the firewalls; External Router; firewall interfaces IP 10.10.1.1 (MAC 00e0.5201.a17a) and IP 10.10.1.2. When undefined, Zone 1 contains all addresses not in the other zones.)
The following commands configure a virtual routing interface on VLAN 1 (the default VLAN), and then configure an IP address on the interface. The virtual routing interface is associated with all the ports in the VLAN.
Zone1-SI-A(config-vlan-1)# router-interface ve 1
Zone1-SI-A(config-vlan-1)# exit
Zone1-SI-A(config)# interface ve 1
Zone1-SI-A(config-ve-1)# ip address 10.10.1.111 255.255.255.
The following commands add the firewall definitions to the firewall port group (always group 2). The firewall group contains all the ports in VLAN 1 (the default VLAN).
Zone1-SI-A(config)# server fw-group 2
Zone1-SI-A(config-fw-2)# fw-name fw1
Zone1-SI-A(config-fw-2)# fw-name fw2
The following command enables the active-active mode. For details about configuring this command, refer to "Enabling the active-active mode" on page 48.
The following commands configure the zone parameters. To configure a zone, specify a name for the zone, and then a zone number (from 1 through 10), followed by the number of the ACL that specifies the IP addresses in the zone. In this example, the ACL numbers and zone numbers are the same, but this is not required.
Zone1-SI-S(config)# trunk deploy
Zone1-SI-S(config)# server fw-port 4/9
Zone1-SI-S(config)# trunk switch ethernet 4/11 to 4/12
Zone1-SI-S(config)# trunk deploy
Zone1-SI-S(config)# server partner-ports ethernet 4/11
Zone1-SI-S(config)# server partner-ports ethernet 4/12
Zone1-SI-S(config)# server fw-group 2
Zone1-SI-S(config-fw-2)# l2-fwall
Zone1-SI-S(config-fw-2)# exit
Zone1-SI-S(config)# server fw-name fw1 10.10.1.
Zone1-SI-S(config-rs-web4)# exit
Zone1-SI-S(config)# server virtual www.web.com 10.10.1.
Zone1-SI-S(config-vs-www.web.com)#
Zone1-SI-S(config-vs-www.web.com)# http
Zone1-SI-S(config-vs-www.web.com)#
Zone1-SI-S(config)# server slb-fw
Zone1-SI-S(config)# write memory
Zone2-SI-A(config)# server fw-group 2
Zone2-SI-A(config-fw-2)# fw-name fw1
Zone2-SI-A(config-fw-2)# fw-name fw2
Zone2-SI-A(config-fw-2)# sym-priority 255
Zone2-SI-A(config-fw-2)# fwall-info 1 4/1 10.10.1.111 10.10.2.1
Zone2-SI-A(config-fw-2)# fwall-info 2 4/11 10.10.1.111 10.10.2.2
Zone2-SI-A(config-fw-2)# fwall-info 3 4/1 10.10.1.112 10.10.2.1
Zone2-SI-A(config-fw-2)# fwall-info 4 4/11 10.10.1.112 10.10.2.
Zone2-SI-S(config)# server partner-ports ethernet 4/12
Zone2-SI-S(config)# server fw-group 2
Zone2-SI-S(config-fw-2)# l2-fwall
Zone2-SI-S(config-fw-2)# exit
Zone2-SI-S(config)# server fw-name fw1 10.10.2.
Commands on zone 3's ServerIron ADX (Zone3-SI-A)
The following commands configure the ServerIron ADX in zone 3.
Zone3-SI-A(config)# server real-name sr1 10.10.3.41
Zone3-SI-A(config-rs-sr1)# port http
Zone3-SI-A(config-rs-sr1)# exit
Zone3-SI-A(config)# server real-name sr2 10.10.3.43
Zone3-SI-A(config-rs-sr2)# port http
Zone3-SI-A(config-rs-sr2)# exit
Zone3-SI-A(config)# server virtual www.sr.com 10.10.3.10
Zone3-SI-A(config-vs-www.rs.com)# port http
Zone3-SI-A(config-vs-www.web.com)# bind http sr2 http sr1 http
Zone3-SI-A(config-vs-www.web.
FIGURE 17 Multizone FWLB with multiple sub-nets and multiple virtual routing interfaces (diagram not reproduced; labels recovered from the figure: Zone 1 host IP 20.20.100.100 with Gateway 20.20.254.254; Active ServerIron A SI-A 10.10.7.101; Sync Link on Ports 4/9-4/10; Data Link on Ports 4/11-4/12; Port 4/1 toward the firewalls; External Router; FW1 and FW2 with interfaces IP 10.10.1.1 and IP 10.10.1.2. When undefined, Zone 1 contains all addresses not in the other zones.)
Zone1-SI-A(config-ve-2)# ip address 10.10.7.101 255.255.255.0
Zone1-SI-A(config-ve-2)# exit
The following command configures an IP default route. The next hop for this route is the ServerIron ADX's interface with firewall FW1.
Zone1-SI-A(config)# ip route 0.0.0.0 0.0.0.0 10.10.1.1
The following command configures a static route to the sub-net that contains the external host.
Zone1-SI-A(config)# ip route 20.20.0.0 255.255.0.0 10.
The following commands add the paths through the firewalls to the ServerIron ADXs in zones 2 and 3. In addition, static MAC entries are added for the firewall interfaces.
NOTE
The path IDs must be in contiguous, ascending numerical order, starting with 1. For example, path sequence 1, 2, 3, 4 is valid. Path sequence 4, 3, 2, 1 or 1, 3, 4, 5 is not valid.
Zone1-SI-A(config-vs-www.web.com)# bind http web1 http web2 http web3 http web4 http
Zone1-SI-A(config-vs-www.web.com)# exit
The following command enables SLB-to-FWLB.
Zone1-SI-A(config)# server slb-fw
The following command saves the configuration changes to the startup-config file.
Zone1-SI-S(config-rs-fw2)# port http
Zone1-SI-S(config-rs-fw2)# port http no-health-check
Zone1-SI-S(config-rs-fw2)# port snmp
Zone1-SI-S(config-rs-fw2)# port snmp no-health-check
Zone1-SI-S(config-rs-fw2)# exit
Zone1-SI-S(config)# server fw-group 2
Zone1-SI-S(config-fw-2)# fw-name fw1
Zone1-SI-S(config-fw-2)# fw-name fw2
Zone1-SI-S(config-fw-2)# sym-priority 1
Zone1-SI-S(config-fw-2)# fwall-info 1 4/11 10.10.2.222 10.10.1.
Zone1-SI-A(config-vlan-2)# exit
Zone1-SI-A(config)# interface ve 1
Zone1-SI-A(config-ve-1)# ip address 10.10.2.222 255.255.255.
Zone2-SI-A(config)# server fw-group 2
Zone2-SI-A(config-fw-2)# fwall-zone zone3 3 3
Zone2-SI-A(config-fw-2)# exit
Zone2-SI-A(config)# server real-name rs1 10.10.8.40
Zone2-SI-A(config-rs-rs1)# port http
Zone2-SI-A(config-rs-rs1)# exit
Zone2-SI-A(config)# server real-name rs2 10.10.8.42
Zone2-SI-A(config-rs-rs2)# port http
Zone2-SI-A(config-rs-rs2)# exit
Zone2-SI-A(config)# server virtual www.rs.com 10.10.8.
Zone2-SI-S(config-rs-fw1)# port ftp no-health-check
Zone2-SI-S(config-rs-fw1)# port snmp
Zone2-SI-S(config-rs-fw1)# port snmp no-health-check
Zone2-SI-S(config-rs-fw1)# exit
Zone2-SI-S(config)# server fw-name fw2 10.10.2.
Zone3-SI-A(config)# vlan 2
Zone3-SI-A(config-vlan-2)# untagged ethernet 4/13 to 4/24
Zone3-SI-A(config-vlan-2)# router-interface ve 2
Zone3-SI-A(config-vlan-2)# exit
Zone3-SI-A(config)# interface ve 2
Zone3-SI-A(config-ve-2)# ip address 10.10.6.101 255.255.255.0
Zone3-SI-A(config-ve-2)# exit
Zone3-SI-A(config)# ip route 0.0.0.0 0.0.0.0 10.10.3.1
Zone3-SI-A(config)# server fw-name fw1 10.10.3.
Chapter 5 Configuring FWLB for NAT Firewalls
In this chapter
• NAT firewalls
• Configuring basic Layer 3 FWLB for NAT firewalls
• Configuration example for FWLB with Layer 3 NAT firewalls
• Configuring IronClad Layer 3 FWLB for NAT
• Static translation – For traffic from a client inside the private network to a destination on the Internet, the firewall translates the private address into a unique Internet address. Likewise, for traffic from the Internet, the firewall translates the public address into a private address. Unlike the previous method, the static method assigns a different, unique Internet address for each client in the private network.
TABLE 6 Basic FWLB for NAT firewalls configuration tasks (Continued)
Task: Configure firewall group parameters - Configure the paths and add static MAC entries for the firewall interfaces with the ServerIron ADX. Reference: page 116
Task: Configure NAT address parameters - Disable load balancing for the NAT addresses. Reference: page 118
Defining the firewalls and adding them to the firewall group
When FWLB is enabled, all the ServerIron ADX po
Syntax: server fw-group 2 | 4
This command changes the CLI to the firewall group configuration level. The IPv4 address format firewall group number is 2. The IPv6 address format firewall group number is 4. These are the only supported firewall groups.
Syntax: [no] fw-name
This command adds a configured firewall to the firewall group.
ServerIronADX-A(config)# static-mac-address abcd.da10.dc2c ethernet 1 priority 1 router-type
ServerIronADX-A(config)# static-mac-address abcd.da10.dc3f ethernet 2 priority 1 router-type
Commands for ServerIron ADX B (internal)
ServerIronADX-B(config)# server fw-group 2
ServerIronADX-B(config-fw-2)# fwall-info 1 1 209.157.23.106 10.10.10.10
ServerIronADX-B(config-fw-2)# fwall-info 2 2 209.157.23.106 10.10.10.
Syntax: [no] static-mac-address ethernet [priority <0-7>] [host-type | router-type]
The priority can be from 0 through 7 (0 is lowest and 7 is highest). The defaults are host-type and 0.
NOTE
The static MAC entries are required. You must add a static MAC entry for each firewall interface with the ServerIron ADX.
Access policy method
To disable load balancing for the NAT addresses using IP access policies, enter commands such as the following.
ServerIronADX-A(config)# ip filter 1 deny any 209.157.23.110 255.255.255.255
ServerIronADX-A(config)# ip filter 2 deny any 209.157.23.107 255.255.255.
ServerIronADX-A(config)# server fw-name fw3NAT 209.157.23.107
ServerIronADX-A(config-rs-fw3NAT)# exit
ServerIronADX-A(config)# server fw-name fw4NAT 209.157.23.110
ServerIronADX-A(config-rs-fw4NAT)# exit
The following commands configure the firewall group parameters. The first commands change the CLI to the firewall group configuration level. The fw-name commands add the firewalls.
CLI commands on ServerIron ADX B (internal)
The following CLI commands configure ServerIron ADX B in Figure 18. Notice that this ServerIron ADX is not configured to deny load balancing for the NAT addresses used by the firewalls. This ServerIron ADX sees only the internal addresses, not the NAT addresses.
ServerIronADX-B(config)# hostname ServerIronADX-B
ServerIronADX-B(config)# ip address 10.10.10.30 255.255.255.
FIGURE 19 FWLB for Layer 3 firewalls performing NAT—IronClad configuration (diagram not reproduced; labels recovered from the figure: Internet; External Router 192.168.2.1/24 and 192.168.1.1/24; Active ServerIron A 1.1.1.10 with Port e8, Port e1 and Port e2; firewall interfaces 192.168.1.2/24, 192.168.2.3/24, 192.168.1.3/24 and 192.168.2.2/24 on FW1 and FW2; internal addresses 4.4.4.10/24, 3.3.3.11/24 and 3.3.3.10/24; Standby ServerIron B 3.3.3.20/24; Standby ServerIron A 2.2.2.10 with Port e1; 4.4.4.)
TABLE 7 IronClad FWLB for NAT firewalls configuration tasks (Continued)
Task: Configure NAT address parameters - Disable load balancing for the NAT addresses. Reference: page 128
Specifying the partner port
If you are configuring the ServerIron ADX for IronClad FWLB, you need to specify the port number of the dedicated link between the ServerIron ADX and its partner.
Commands for standby ServerIron ADX A (external standby)
SI-StandbyA(config)# server fw-name fw1 192.168.2.2
SI-StandbyA(config-rs-fw1)# exit
SI-StandbyA(config)# server fw-name fw2 192.168.2.3
SI-StandbyA(config-rs-fw2)# exit
SI-StandbyA(config)# server fw-group 2
SI-StandbyA(config-fw-2)# fw-name fw1
SI-StandbyA(config-fw-2)# fw-name fw2
Commands for active ServerIron ADX B (internal active)
SI-ActiveB(config)# server fw-name fw1 4.4.4.
Configuring paths and adding static MAC entries for Layer 3 firewalls
A path is configuration information the ServerIron ADX uses to ensure that a given source and destination IP pair is always authenticated by the same Layer 3 firewall. Each path consists of the following parameters:
• The path ID – A number that identifies the path.
Commands for standby ServerIron ADX A (external standby)
SI-StandbyA(config)# server fw-group 2
SI-StandbyA(config-fw-2)# fwall-info 1 1 3.3.3.20 192.168.2.2
SI-StandbyA(config-fw-2)# fwall-info 2 2 3.3.3.20 192.168.2.3
SI-StandbyA(config-fw-2)# fwall-info 3 1 4.4.4.20 192.168.2.2
SI-StandbyA(config-fw-2)# fwall-info 4 2 4.4.4.20 192.168.2.3
SI-StandbyA(config-fw-2)# fwall-info 5 8 192.168.2.1 192.168.2.
Syntax: (IPv4) [no] fwall-info
Syntax: (IPv6) [no] fwall-info
NOTE
The other IP address and next-hop IP address parameters must be both IPv4 addresses or both IPv6 addresses. IPv4 and IPv6 addresses cannot be mixed.
NOTE
You must use IPv4 addresses for IPv4 firewalls and IPv6 addresses for IPv6 firewalls.
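As an added example (not Brocade's code), the following Python script parses fwall-info and sym-priority lines from a CLI transcript and checks the rules this guide states for them: path IDs contiguous and ascending from 1, no mixing of IPv4 and IPv6 within one path, distinct sym-priority values (0 through 255) on partner ServerIron ADXs, and a return path on the ServerIron ADX at the other end of each path. The transcripts, hostnames and addresses inside it are constructed for this example.

```python
"""Validator for ServerIron ADX firewall-group path definitions.

Added example, not Brocade's code. It models rules stated in this guide:
  * fwall-info path IDs must be contiguous, ascending, starting with 1;
  * a path's other-end address and next-hop address must both be IPv4
    or both be IPv6;
  * partner ServerIron ADXs must not share a sym-priority value (0-255);
  * paths between ServerIron ADXs are reciprocal (A -> B implies B -> A).
The CLI transcripts below are constructed for this example.
"""
import ipaddress
import re
from typing import Dict, List, Optional, Tuple

Path = Tuple[int, str, str, str]  # (path_id, port, other_ip, next_hop_ip)

# "<hostname>(config-fw-N)# fwall-info <id> <port> <other-ip> <next-hop-ip>"
FWALL_RE = re.compile(
    r"^\S+\(config-fw-\d\)#\s+fwall-info\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")
SYM_RE = re.compile(r"^\S+\(config-fw-\d\)#\s+sym-priority\s+(\d+)$")


def parse_fw_group(transcript: str) -> Tuple[List[Path], Optional[int]]:
    """Pull the fwall-info paths and the sym-priority out of a CLI transcript."""
    paths: List[Path] = []
    sym: Optional[int] = None
    for raw in transcript.splitlines():
        line = raw.strip()
        m = FWALL_RE.match(line)
        if m:
            paths.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
            continue
        m = SYM_RE.match(line)
        if m:
            sym = int(m.group(1))
    return paths, sym


def check_paths(paths: List[Path]) -> List[str]:
    """Return the rule violations in a path list (empty list means valid)."""
    problems = []
    ids = [p[0] for p in paths]
    if ids != list(range(1, len(ids) + 1)):
        problems.append(f"path IDs {ids} are not contiguous ascending from 1")
    for pid, _port, other, nexthop in paths:
        try:
            a, b = ipaddress.ip_address(other), ipaddress.ip_address(nexthop)
        except ValueError as exc:
            problems.append(f"path {pid}: {exc}")
            continue
        if a.version != b.version:
            problems.append(f"path {pid}: mixed IPv{a.version}/IPv{b.version}")
    return problems


def check_partner_priorities(sym_a: Optional[int], sym_b: Optional[int]) -> List[str]:
    """Partners need distinct sym-priority values in the 0-255 range."""
    problems = []
    for name, val in (("A", sym_a), ("B", sym_b)):
        if val is None:
            problems.append(f"ServerIron ADX {name}: sym-priority not set")
        elif not 0 <= val <= 255:
            problems.append(f"ServerIron ADX {name}: sym-priority {val} out of range")
    if sym_a is not None and sym_a == sym_b:
        problems.append(f"both ServerIron ADXs use sym-priority {sym_a}")
    return problems


def check_reciprocal(paths_by_device: Dict[str, List[Path]]) -> List[str]:
    """Every path to another ServerIron ADX needs a path back from it.

    Keys are ServerIron ADX addresses; a path whose other end is not a key
    (for example a router) is skipped.
    """
    problems = []
    for dev, paths in paths_by_device.items():
        for pid, _port, other, _nh in paths:
            if other in paths_by_device and not any(
                    p[2] == dev for p in paths_by_device[other]):
                problems.append(f"{dev} path {pid} to {other} has no return path")
    return problems


# Constructed transcripts modelled on the guide's SI-Ext-A / SI-Ext-B pair.
SI_EXT_A = """\
SI-Ext-A(config)# server fw-group 2
SI-Ext-A(config-fw-2)# sym-priority 255
SI-Ext-A(config-fw-2)# fwall-info 1 3/1 10.10.2.222 10.10.1.1
SI-Ext-A(config-fw-2)# fwall-info 2 4/1 10.10.2.222 10.10.1.2
"""
# Partner with three faults: same sym-priority, a gap in the path IDs (1, 3),
# and an IPv6 other-end address paired with an IPv4 next hop.
SI_EXT_B = """\
SI-Ext-B(config)# server fw-group 2
SI-Ext-B(config-fw-2)# sym-priority 255
SI-Ext-B(config-fw-2)# fwall-info 1 3/1 10.10.2.222 10.10.1.1
SI-Ext-B(config-fw-2)# fwall-info 3 4/1 2001:db8::1 10.10.1.2
"""

if __name__ == "__main__":
    paths_a, sym_a = parse_fw_group(SI_EXT_A)
    paths_b, sym_b = parse_fw_group(SI_EXT_B)
    for msg in check_paths(paths_b) + check_partner_priorities(sym_a, sym_b):
        print("VIOLATION:", msg)
```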
Configuring the ServerIron ADX priority
If you are configuring the ServerIron ADX for IronClad FWLB, you must specify the priority for the firewalls within the firewall group. The priority determines which of the partner ServerIron ADXs that are configured together for IronClad FWLB is the default active ServerIron ADX for the firewalls within the group. You can specify a priority from 0 through 255.
Configuration example for IronClad FWLB with Layer 3 NAT firewalls
This section shows the CLI commands for implementing the configuration shown in Figure 19 on page 122. The only additional step required is to ensure that the ServerIron ADX connected to the external network does not load balance return traffic to the addresses the firewalls use for NAT.
The server fw-port command identifies the port that connects this ServerIron ADX to its partner. If you configure a trunk group for the link between the two partners, specify the first port (the primary port for the group) in the trunk group.
SI-ActiveA(config)# server fw-port 5
The server fw-name commands add the firewalls to the ServerIron ADX. In the commands above, "fw1" and "fw2" are the firewall names.
The third parameter is the IP address of the ServerIron ADX at the other end of the path or, for paths to routers, the IP address of the router's interface with the ServerIron ADX. Note that each ServerIron ADX has a path to each of the ServerIron ADXs in the other pair, but does not have a path to its own standby pair.
Commands on standby ServerIron ADX A (external standby)
SI-StandbyA(config)# ip address 192.168.2.10/24
SI-StandbyA(config)# ip default-gateway 192.168.2.
Commands on active ServerIron ADX B (internal active)
SI-ActiveB(config)# ip address 3.3.3.20/24
SI-ActiveB(config)# ip default-gateway 4.4.4.
Chapter 6 Configuring FWLB and SLB
In this chapter
• Configuring SLB-to-FWLB
• Configuration example for SLB-to-FWLB
• Configuring FWLB-to-SLB
• Configuration example for FWLB-to-SLB
FWLB and SLB configuration overview
Figure 20 shows an example of an SLB-to-FWLB configuration.
FIGURE 20 SLB-to-FWLB configuration (diagram not reproduced; labels recovered from the figure: WAN Router; Internet; SI-A 192.168.1.100 with Port e3 and Port e5; FW-1 with FW1-IPout 192.168.2.; SLB configuration callout: real servers 192.168.2.50 and 192.168.2.60, real servers are defined as remote, virtual server 192.168.1.2, servers bound by TCP port 80, SLB-to-FWLB is enabled. NOTE: All SLB configuration is on the Internet ServerIron (ServerIron A).)
Figure 21 shows an example of an FWLB-to-SLB configuration.
FIGURE 21 FWLB-to-SLB configuration (diagram not reproduced; labels recovered from the figure: WAN Router; Internet; SI-A 192.168.1.100 with Port e3 and Port e5; FW-1 with FW1-IPout 192.168.2.30 (MAC abcd.4321.34e2) and FW1-IPin 192.168.1.30 (MAC abcd.4321.34e0); FW-2 with FW2-IPin 192.168.1.40 (MAC abcd.4321.34e1) and an outside interface labelled FW1-IPout 192.168.2.40 (MAC abcd.4321.34e3); Port e1 and Port e2; SI-B 192.168.2.200; SLB configuration callout: real servers 192.168.2.50 and 192.168.2.)
The tasks under the first item (Configure SLB parameters on the Internet ServerIron ADX) are described in the following sections. The remaining tasks are identical to the tasks for configuring basic FWLB for Layer 3 firewalls. For more information about these tasks, refer to "Configuring basic Layer 3 FWLB" on page 17.
Configuring the SLB parameters
In an SLB-to-FWLB configuration, all SLB configuration takes place on the Internet ServerIron ADX.
Binding the real server to the virtual server
To bind the real servers to the virtual server, enter the following commands on the Internet ServerIron ADX (ServerIron ADX A). Notice that the port binding takes place on the Virtual Server configuration level.
ServerIronADXA(config)# server virtual www.brocade.com
ServerIronADXA(config-vs-www.brocade.com)# bind http RS1 http
ServerIronADXA(config-vs-www.brocade.
The following commands configure the virtual server and bind it to the real servers with TCP port 80 (HTTP).
ServerIronADXA(config)# server virtual-name www.brocade.com 192.168.1.2
ServerIronADXA(config-vs-www.brocade.com)# port http
ServerIronADXA(config)# server virtual www.brocade.com
ServerIronADXA(config-vs-www.brocade.com)# bind http RS1 http
ServerIronADXA(config-vs-www.brocade.
ServerIronADXA(config)# static-mac-address abcd.4321.34e0 ethernet 3 priority 1 router-type
ServerIronADXA(config)# static-mac-address abcd.4321.34e1 ethernet 5 priority 1 router-type
ServerIronADXA(config)# write memory
Commands on ServerIron B (internal)
Enter the following commands to configure FWLB on ServerIron B. Notice that the fwall-info commands configure paths that are reciprocal to the paths configured on ServerIron A.
• Configure firewall parameters: Define the firewalls and add them to the firewall group
• Configure firewall group parameters: Configure the paths and add static MAC entries for the firewall interfaces with the ServerIron
The tasks under the first item (Configure SLB parameters on the internal ServerIron) are described in the following sections. The remaining tasks are identical to the tasks for configuring basic FWLB for Layer 3 firewalls.
Binding the real server to the virtual server
To bind the real servers to the virtual server, enter the following commands on the internal ServerIron ADX (ServerIron ADX B). Notice that the port binding takes place on the Virtual Server configuration level.
ServerIronADXB(config)# server virtual www.brocade.com
ServerIronADXB(config-vs-www.brocade.com)# bind http RS1 http
ServerIronADXB(config-vs-www.brocade.
ServerIronADXA(config)# server fw-group 2
ServerIronADXA(config-fw-2)# fw-name FW1-IPin
ServerIronADXA(config-fw-2)# fw-name FW2-IPin
ServerIronADXA(config-fw-2)# fwall-info 1 3 192.168.2.200 192.168.1.30
ServerIronADXA(config-fw-2)# fwall-info 2 5 192.168.2.200 192.168.1.40
ServerIronADXA(config-fw-2)# exit

The following commands add static MAC entries for the MAC addresses of the firewall interfaces connected to the ServerIron ADX.
ServerIronADXB(config)# server virtual www.brocade.com
ServerIronADXB(config-vs-www.brocade.com)# bind http RS1 http
ServerIronADXB(config-vs-www.brocade.com)# bind http RS2 http

Enter the following command to enable FWLB-to-SLB.

NOTE
This command applies only to the ServerIron ADX that contains the SLB configuration. Do not enter this command on the Internet ServerIron ADX (ServerIron ADX A).
Figure 22 shows an example of an active-active FWLB configuration that also supports SLB. The pair of ServerIron ADXs on the non-secure (external) side of the firewalls are connected to clients. The pair of ServerIron ADXs on the secure (internal) side of the firewalls are connected to application servers. Both pairs of ServerIron ADXs load balance the traffic to the firewalls and also perform SLB for the application traffic.
The following commands enable the always-active feature and disable the Spanning Tree Protocol (STP) in VLAN 1, which contains the ports that will carry the FWLB traffic.

SI-Ext-A(config)# vlan 1
SI-Ext-A(config-vlan-1)# always-active
SI-Ext-A(config-vlan-1)# no spanning-tree

The following commands configure a virtual routing interface on VLAN 1 (the default VLAN), then configure an IP address on the interface.
The following commands add the firewall definitions to the firewall port group (always group 2). The firewall group contains all the ports in VLAN 1 (the default VLAN).

SI-Ext-A(config)# server fw-group 2
SI-Ext-A(config-fw-2)# fw-name fw1
SI-Ext-A(config-fw-2)# fw-name fw2

The following command enables the active-active mode.

SI-Ext-A(config-fw-2)# sym-priority 1

NOTE
Do not use the same sym-priority number on both ServerIrons.
The following commands configure the SLB parameters: four real servers and one VIP. The servers are bound to the VIP by the HTTP port. Notice that the servers are configured as remote servers. If Proxy ARP is enabled on the internal ServerIron ADXs, you can define the real servers as local servers instead of remote servers. If Proxy ARP is not enabled on the internal ServerIron ADXs, the real servers must be remote servers.
SI-Ext-B(config)# server fw-group 2
SI-Ext-B(config-fw-2)# fw-name fw1
SI-Ext-B(config-fw-2)# fw-name fw2
SI-Ext-B(config-fw-2)# sym-priority 255
SI-Ext-B(config-fw-2)# fwall-info 1 3/1 10.10.2.222 10.10.1.1
SI-Ext-B(config-fw-2)# fwall-info 2 4/1 10.10.2.222 10.10.1.2
SI-Ext-B(config-fw-2)# fwall-info 3 3/1 10.10.2.223 10.10.1.1
SI-Ext-B(config-fw-2)# fwall-info 4 4/1 10.10.2.223 10.10.1.
SI-Int-A(config-rs-fw2)# exit
SI-Int-A(config)# server fw-group 2
SI-Int-A(config-fw-2)# fw-name fw1
SI-Int-A(config-fw-2)# fw-name fw2
SI-Int-A(config-fw-2)# sym-priority 1
SI-Int-A(config-fw-2)# fwall-info 1 4/1 10.10.1.111 10.10.2.1
SI-Int-A(config-fw-2)# fwall-info 2 3/2 10.10.1.111 10.10.2.2
SI-Int-A(config-fw-2)# fwall-info 3 4/1 10.10.1.112 10.10.2.1
SI-Int-A(config-fw-2)# fwall-info 4 3/2 10.10.1.112 10.10.2.
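The fwall-info paths on the external and internal ServerIron ADXs must be reciprocal: each ServerIron needs one path to every far-side ServerIron through every firewall, and the far side needs the mirror-image path through the same firewall, or a flow can leave through one firewall and return through another. The following audit script is an added example, not Brocade code, that reads fwall-info lines in the transcript format used above and reports missing, mis-addressed or non-reciprocal paths. The topology dictionary and the transcript are constructed to mirror the addressing of this example (the ServerIron addresses are taken from the other-IP fields, and the cut-off fourth path on each device is assumed by pattern); they are not the page's own configuration.

```python
"""Audit fwall-info paths of an active-active FWLB pair for completeness and reciprocity.
Added example, not Brocade code. Topology and transcript are constructed."""
import re
from collections import defaultdict

# One transcript line: "<device>(config-fw-N)# fwall-info <path> <port> <other-ip> <next-hop-ip>"
LINE_RE = re.compile(
    r"^(?P<dev>\S+)\(config-fw-\d+\)#\s+fwall-info\s+(?P<num>\d+)\s+(?P<port>\S+)"
    r"\s+(?P<other>\S+)\s+(?P<nexthop>\S+)\s*$"
)

# Constructed topology (assumed addresses): ServerIron VE addresses and the
# (external, internal) interface address of each firewall.
TOPOLOGY = {
    "external": {"SI-Ext-A": "10.10.1.111", "SI-Ext-B": "10.10.1.112"},
    "internal": {"SI-Int-A": "10.10.2.222", "SI-Int-B": "10.10.2.223"},
    "firewalls": {"fw1": ("10.10.1.1", "10.10.2.1"), "fw2": ("10.10.1.2", "10.10.2.2")},
}

# Constructed transcript. SI-Int-B deliberately lacks path 3 (to SI-Ext-B through fw1).
SAMPLE_CONFIG = """
SI-Ext-A(config-fw-2)# fwall-info 1 3/1 10.10.2.222 10.10.1.1
SI-Ext-A(config-fw-2)# fwall-info 2 4/1 10.10.2.222 10.10.1.2
SI-Ext-A(config-fw-2)# fwall-info 3 3/1 10.10.2.223 10.10.1.1
SI-Ext-A(config-fw-2)# fwall-info 4 4/1 10.10.2.223 10.10.1.2
SI-Ext-B(config-fw-2)# fwall-info 1 3/1 10.10.2.222 10.10.1.1
SI-Ext-B(config-fw-2)# fwall-info 2 4/1 10.10.2.222 10.10.1.2
SI-Ext-B(config-fw-2)# fwall-info 3 3/1 10.10.2.223 10.10.1.1
SI-Ext-B(config-fw-2)# fwall-info 4 4/1 10.10.2.223 10.10.1.2
SI-Int-A(config-fw-2)# fwall-info 1 4/1 10.10.1.111 10.10.2.1
SI-Int-A(config-fw-2)# fwall-info 2 3/2 10.10.1.111 10.10.2.2
SI-Int-A(config-fw-2)# fwall-info 3 4/1 10.10.1.112 10.10.2.1
SI-Int-A(config-fw-2)# fwall-info 4 3/2 10.10.1.112 10.10.2.2
SI-Int-B(config-fw-2)# fwall-info 1 4/1 10.10.1.111 10.10.2.1
SI-Int-B(config-fw-2)# fwall-info 2 3/2 10.10.1.111 10.10.2.2
SI-Int-B(config-fw-2)# fwall-info 4 3/2 10.10.1.112 10.10.2.2
"""


def parse_fwall_info(text):
    """Return {device: [(path_num, port, other_ip, next_hop_ip), ...]}."""
    paths = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            paths[m["dev"]].append((int(m["num"]), m["port"], m["other"], m["nexthop"]))
    return dict(paths)


def check_paths(paths, topo):
    """Return a list of problems; an empty list means the path set is complete and reciprocal."""
    ext, intl, fws = topo["external"], topo["internal"], topo["firewalls"]
    dev_ip = {**ext, **intl}
    ip_dev = {ip: d for d, ip in dev_ip.items()}
    # Map every firewall interface address back to (firewall name, side it faces).
    iface = {}
    for name, (ext_ip, int_ip) in fws.items():
        iface[ext_ip] = (name, "external")
        iface[int_ip] = (name, "internal")
    problems = []
    logical = defaultdict(set)  # device -> {(far-side ServerIron IP, firewall)}
    for dev, plist in paths.items():
        side = "external" if dev in ext else "internal" if dev in intl else None
        if side is None:
            problems.append(f"{dev}: device not in topology")
            continue
        peers = intl if side == "external" else ext
        for num, port, other, nexthop in plist:
            if other not in peers.values():
                problems.append(f"{dev} path {num}: other-IP {other} is not a far-side ServerIron")
                continue
            fw = iface.get(nexthop)
            if fw is None or fw[1] != side:
                problems.append(f"{dev} path {num}: next-hop {nexthop} does not face the {side} side of a firewall")
                continue
            logical[dev].add((other, fw[0]))
    # Completeness: each ServerIron reaches every far-side ServerIron through every firewall.
    for dev in list(ext) + list(intl):
        peers = intl if dev in ext else ext
        for peer_ip in peers.values():
            for fw in fws:
                if (peer_ip, fw) not in logical.get(dev, set()):
                    problems.append(f"{dev}: no path to {peer_ip} through {fw}")
    # Reciprocity: the far side must hold the mirror-image path through the same firewall.
    for dev, triples in logical.items():
        for peer_ip, fw in triples:
            peer_dev = ip_dev[peer_ip]
            if (dev_ip[dev], fw) not in logical.get(peer_dev, set()):
                problems.append(f"{dev} -> {peer_dev} through {fw} has no reciprocal path on {peer_dev}")
    return problems


def audit(text, topo=TOPOLOGY):
    return check_paths(parse_fwall_info(text), topo)


if __name__ == "__main__":
    for problem in audit(SAMPLE_CONFIG):
        print(problem)
```

Run against the constructed transcript it reports the missing SI-Int-B path twice, once as an incomplete set on SI-Int-B and once as a path on SI-Ext-B with no reciprocal; paste the real `show running-config` fwall-info lines of all four ServerIron ADXs and adjust TOPOLOGY to audit a live pair.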
SI-Int-B(config-fw-2)# exit
SI-Int-B(config)# vlan 1
SI-Int-B(config-vlan-1)# static-mac-address 00e0.5201.042e ethernet 3/2 priority 1 router-type
SI-Int-B(config-vlan-1)# static-mac-address 00e0.5201.2188 ethernet 4/1 priority 1 router-type
SI-Int-B(config-vlan-1)# exit
SI-Int-B(config)# write memory

Supporting dual homed servers in FWLB design

In Figure 23, the internal server is dual homed and uses active-standby NICs.
FIGURE 23 Example of server with two NICs
(Figure: Internet, L3 routers, External ServerIron A and B, Firewall 1 and Firewall 2, Internal ServerIron A (VRRP-E Master) and Internal ServerIron B (VRRP-E Backup), and a server with an active NIC and a standby NIC.)

Consider a failure situation where the link between Firewall-1 and External ServerIron ADX-A has failed. All four ServerIron ADXs will detect this firewall path failure.
Enabling the server fw-force-route command helps address this situation. Enable this command on both internal ServerIron ADX units to prevent traffic failure.
Chapter 7
Viewing FWLB Configuration Details and Statistics

In this chapter
• FWLB configuration overview  155
• Displaying firewall group information  155
• Displaying firewall path information
Displaying firewall group information

The following lines list the firewalls configured in the firewall group, show the administrative state, and give the distribution values for each firewall:
• The administrative state is shown in the Admin-st column and depends on the results of the Layer 3 health check (ping) that the ServerIron performs when you add the path information for the firewall.
The following example shows firewall group 4 (IPv6), which contains two firewalls.
TCP/UDP port statistics

If you associated TCP/UDP application ports with specific firewalls (part of a stateful FWLB configuration), rows of statistics for the application ports are also listed. The following example shows statistics for two ServerIron ADXs in a basic stateful FWLB configuration. In this example, HTTP traffic and Telnet traffic are explicitly associated with fw1 and fw2.
ServerIronADXB(config)# show fw-group
Firewall-group 2 has 2 members
Admin-status = Enabled    Active = 0
Hash_info: Dest_mask = 255.255.255.255    Src_mask = 255.255.255.255

Firewall Server Name    Admin-status    Hash-distribution
fw1-IPout               6               0
fw2-IPout               6               0

Traffic From<->to Firewall Servers
Name: fw1-IPout    IP: 209.157.23.
33.1.1.1    23.1.1.3    15    1    1    1    1    5    1
33.1.1.1    23.1.1.4    11    2    1    1    1    5    1
33.1.1.2    23.1.1.3    15    3    1    1    1    5    1
33.1.1.2    23.1.1.4    11    4    1    1    1    5    1
State = 5, Partner known = Yes, port = 14, sync-state = 0
FW Partner MAC = 001b.ed05.
Displaying firewall path information

Table 8 describes the information displayed by the show server fw-path command.

TABLE 8 FWLB path information

Field
    Description

General Information

Number of Paths Configured
    The number of firewall and router paths configured in the group.

Number of Fwall Paths preferred

Number of Router Paths preferred

Target-ip (IPv4) / Target-ipv6
    The IP address of the device at the other end of the path.
TABLE 8 FWLB path information (Continued)

Field
    Description

State (Current, Local, and Partner)
    Current, local, and partner state information for the path:
    • The current state indicates the immediate state information. This is the most current information.
    • The local state indicates the cumulative current states over a three-second interval.
Displaying the firewall selected by the hashing process for load balancing

The parameter specifies the source IPv6 address.
The parameter specifies the FWLB group ID. For IPv4, the FWLB group ID is 2. For IPv6, the FWLB group ID is 4.
The parameter specifies the protocol number for TCP or UDP.
Appendix A
Additional Firewall Configurations

In this appendix
• Configuring FWLB for firewalls with active-standby NICs
• Customizing path health checks
• FWLB selection algorithms
• Configuring weighted load balancing
Configuring FWLB for firewalls with active-standby NICs

FIGURE 24 FWLB configuration using always-active with active-standby firewall interfaces
(Figure labels: BigIron-A 121.212.247.225 and BigIron-S 121.212.247.230, joined by an additional data link and a synchronization link; ServerIron SI-Ext-A 121.212.247.228 and ServerIron SI-Ext-S 121.212.247.229 with default gateway 121.212.247.225, Port1 toward the BigIrons, Port2 and Port3, trunk ports 5 and 6 toward the firewalls; FW-1-External 121.212.247.
The ServerIron ADX has only one path to each firewall, but the path uses a wildcard for the ServerIron ADX port number. The ServerIron ADX determines the port to use for reaching the firewall by sending an ARP request for the firewall interface. When the active link on the firewall responds with its MAC address, the ServerIron ADX learns the port on which the response is received and uses that port to reach the firewall.
Syntax: (IPv4) [no] fwall-info
Syntax: (IPv6) [no] fwall-info

NOTE
The other IP address and next-hop IP address parameters must both be IPv4 addresses or both be IPv6 addresses. IPv4 and IPv6 addresses cannot be mixed.

NOTE
You must use IPv4 addresses for IPv4 firewalls and IPv6 addresses for IPv6 firewalls.
Customizing path health checks

This section describes the health checks for firewall and router paths and how to change their configuration. By default, the ServerIron ADX checks the health of each firewall and router path by sending an ICMP ping on the path every 400 milliseconds. Consider the following to determine the router path:
• If the ServerIron ADX receives one or more responses within 1.
Enabling Layer 4 path health checks for FWLB

By default, the ServerIron ADX performs Layer 3 health checks of firewall paths but does not perform Layer 4 health checks of the paths. You can configure the ServerIron ADXs in an FWLB configuration to use Layer 4 health checks instead of Layer 3 health checks for firewall paths. When you configure a Layer 4 health check, the default Layer 3 (ICMP) health check is disabled.
The parameter specifies the maximum number of retries and can be a number from 3 through 31. The default is 3.

Disabling Layer 4 path health checks on individual firewalls and application ports

To disable the Layer 4 health check for an individual application on an individual firewall, enter a command such as the following at the firewall configuration level of the CLI.
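The retry count trades detection speed against stability: too few retries and a lossy link flaps the path (and, in an IronClad pair, the failover) on every dropped probe. The following model is an added example, not Brocade code. It keeps the page's values (400 ms probe interval, retries 3 through 31, default 3) but the transition rule it uses, a path goes down after max_retries consecutive failed probes and comes back on the first success, and the tcp_probe helper are assumptions for illustration, not the documented ServerIron behaviour. The probe sequences are constructed.

```python
"""Firewall path health-check model: added example, not Brocade code.
Probe interval and retry range follow the text; the transition rule is an assumption."""
import socket

PROBE_INTERVAL_MS = 400  # default ICMP probe interval from the text


class PathMonitor:
    """Tracks one firewall or router path from a stream of probe results."""

    def __init__(self, name, max_retries=3):
        if not 3 <= max_retries <= 31:  # range the text gives for the retry parameter
            raise ValueError("max_retries must be 3 through 31")
        self.name = name
        self.max_retries = max_retries
        self.state = "up"
        self.failures = 0      # consecutive failed probes
        self.transitions = 0   # up->down events; a flapping link drives this up

    def observe(self, probe_ok):
        """Feed one probe result and return the path state after it (assumed rule:
        down after max_retries consecutive failures, up on the first success)."""
        if probe_ok:
            self.failures = 0
            self.state = "up"
        else:
            self.failures += 1
            if self.failures >= self.max_retries and self.state == "up":
                self.state = "down"
                self.transitions += 1
        return self.state


def simulate(results, max_retries=3):
    """Replay a probe-result sequence; return (state history, up->down count,
    milliseconds until the first down, or None)."""
    mon = PathMonitor("fw-path", max_retries)
    history, first_down_ms = [], None
    for i, ok in enumerate(results):
        state = mon.observe(ok)
        history.append(state)
        if state == "down" and first_down_ms is None:
            first_down_ms = (i + 1) * PROBE_INTERVAL_MS
    return history, mon.transitions, first_down_ms


def tcp_probe(host, port, timeout=1.0):
    """A Layer 4 probe: succeed only if a TCP handshake to the firewall-side port
    completes, which is the kind of check that replaces the ICMP ping."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed lossy link: three dropped probes then one answered, repeated.
    flappy = [False, False, False, True] * 5
    for retries in (3, 5):
        _, flaps, first = simulate(flappy, retries)
        print(f"retries={retries}: {flaps} up->down transitions, first down after {first} ms")
```

With the default of 3 the constructed pattern takes the path down five times; raising the retry count to 5 absorbs the same losses with no transition, at the cost of detecting a genuinely dead path about 800 ms later. Pick the value from the observed loss pattern on the path links rather than the default.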
FWLB selection algorithms

Specifying a list of application ports for use when hashing

To specify a list of TCP/UDP ports for hashing, enter the following commands.

ServerIronADX(config)# server fw-group 2
ServerIronADX(config-fw-2)# hash-ports 69 80

Syntax: [no] hash-ports []

The parameters specify TCP or UDP port numbers. You can specify up to 16 port numbers on the same command line.
Configure each entry in the ACL to permit the addresses for which you want to override the global hash mask.

Configuring weighted load balancing

You can assign weights to your firewalls to bias the load balancing in favor of certain firewalls.

Weight

The weight you assign to a firewall determines the percentage of new connections that are given to that firewall.
Syntax: [no] weight

The parameter assigns a weight to the firewall. This weight determines the percentage of new connections the firewall receives relative to the other firewalls.

NOTE
The weight command has a second parameter, . This parameter is valid for real servers in SLB configurations but is not valid for FWLB.
Denying FWLB for specific applications

• ServerIron ADX A has an extended ACL at the firewall group configuration level that denies FWLB for packets addressed to destination TCP port 80.
• ServerIron ADX B has an extended ACL at the firewall group configuration level that denies FWLB for packets from source TCP port 80.

Notice that the routers use default routes to send traffic to a specific firewall.
Denying FWLB

To deny FWLB for an application, enter commands such as the following. These commands configure the ServerIron ADXs in Figure 25 to deny FWLB for HTTP traffic in both directions. On ServerIron ADX A, FWLB is denied for traffic addressed to TCP port 80. On ServerIron ADX B, FWLB is denied for traffic from TCP port 80.

ServerIron ADX A commands

The following commands configure three ACL entries.
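What ties the hash-ports list, the hash mask, the firewall weights and the paired deny ACLs together is one property: a stateful firewall only works if a flow and its reply reach the same firewall, so whatever each ServerIron ADX does with a packet, its partner must do the same with the mirror-image packet. The following model is an added example, not Brocade code, and its hash is a stand-in for illustration, not the ServerIron's actual algorithm. Assumptions: a port contributes to the hash only when it appears in the hash-ports list, masks are applied before hashing, weights give each firewall a proportional share of the key space, and a deny rule removes the packet from FWLB entirely. The configurations for sides A and B, the weights and the test flows are all constructed.

```python
"""Direction-symmetric firewall selection: added example, not Brocade code.
The hash is a stand-in for the ServerIron's undocumented algorithm."""
import hashlib
import ipaddress


def _masked(ip, mask):
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))


def flow_key(src, dst, proto, sport, dport, src_mask="255.255.255.255",
             dst_mask="255.255.255.255", hash_ports=()):
    """Key that is identical for a flow and its reply. Only ports in hash_ports count
    (assumption); the smaller listed port is used so direction does not matter, and the
    masked addresses are sorted for the same reason. Caveat: this symmetry holds only if
    the partner ServerIron applies the same masks (or swaps src/dst masks); otherwise the
    reply can hash to the other firewall."""
    listed = [p for p in (sport, dport) if p in hash_ports]
    port = min(listed) if listed else 0
    lo, hi = sorted((_masked(src, src_mask), _masked(dst, dst_mask)))
    return (lo, hi, proto, port)


def select_firewall(key, firewalls):
    """Weighted pick from {name: weight}: firewall i owns weight_i/total of the key space."""
    total = sum(firewalls.values())
    digest = hashlib.sha256(repr(key).encode()).digest()
    slot = int.from_bytes(digest[:8], "big") % total
    for name, weight in sorted(firewalls.items()):
        if slot < weight:
            return name
        slot -= weight
    raise AssertionError("slot outside weighted range")


def fwlb_denied(rules, sport, dport):
    """rules: iterable of ("src" | "dst", tcp_port) as configured on one ServerIron."""
    return any((where == "src" and port == sport) or (where == "dst" and port == dport)
               for where, port in rules)


def decide(side_cfg, src, dst, proto, sport, dport):
    """Firewall chosen for this packet on one ServerIron, or None when FWLB is denied
    and the packet follows the normal (default) route instead."""
    if fwlb_denied(side_cfg["deny"], sport, dport):
        return None
    key = flow_key(src, dst, proto, sport, dport, side_cfg["src_mask"],
                   side_cfg["dst_mask"], side_cfg["hash_ports"])
    return select_firewall(key, side_cfg["firewalls"])


FIREWALLS = {"fw1": 3, "fw2": 1}  # constructed weights: fw1 should take ~75% of new flows
# Constructed configs mirroring the deny example: A denies destination TCP 80 (client->server),
# B denies source TCP 80 (the server's replies), so HTTP bypasses FWLB in both directions.
SIDE_A = {"deny": [("dst", 80)], "src_mask": "255.255.255.255", "dst_mask": "255.255.255.255",
          "hash_ports": (69, 80), "firewalls": FIREWALLS}
SIDE_B = {"deny": [("src", 80)], "src_mask": "255.255.255.255", "dst_mask": "255.255.255.255",
          "hash_ports": (69, 80), "firewalls": FIREWALLS}


def distribution(n, firewalls=FIREWALLS):
    """Count where n constructed client->server flows land, to check the weight split."""
    counts = {name: 0 for name in firewalls}
    for i in range(n):
        key = flow_key(f"10.0.{i // 250}.{i % 250}", f"192.168.1.{(i * 7) % 250}",
                       6, 1024 + i, 443)
        counts[select_firewall(key, firewalls)] += 1
    return counts


if __name__ == "__main__":
    print(distribution(4000))
    print(decide(SIDE_A, "10.1.1.5", "192.168.1.20", 6, 40000, 443),
          decide(SIDE_B, "192.168.1.20", "10.1.1.5", 6, 443, 40000))
```

The two deny rules are the point of the ACL pairing in the figure: a rule on A alone would route requests around FWLB while the replies still hashed to a firewall. The same mirroring applies to a hash mask overridden by ACL on one side only.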
Configuring failover tolerance in IronClad configurations

By default, failover from the active ServerIron ADX to the standby ServerIron ADX in an IronClad configuration occurs if a path link on the active ServerIron ADX becomes unavailable. If all the path links are stable, failover is an uncommon event. However, an unreliable link can cause frequent failovers.