Technical data

120 ServerIron ADX Firewall Load Balancing Guide
53-1002436-01
Configuration example for FWLB with Layer 3 NAT firewalls
5
DRAFT: BROCADE CONFIDENTIAL
ServerIronADX-A(config)# server fw-name fw3NAT 209.157.23.107
ServerIronADX-A(config-rs-fw3NAT)# exit
ServerIronADX-A(config)# server fw-name fw4NAT 209.157.23.110
ServerIronADX-A(config-rs-fw4NAT)# exit
The following commands configure the firewall group parameters. The first command changes the
CLI to the firewall group configuration level. The fw-name <firewall-name> commands add the
firewalls to the firewall group. Notice that the firewall definitions created previously for the two
NAT addresses are not added.
The fwall-info commands add paths from this ServerIron ADX to the other one through the firewalls.
Notice that no paths are configured for the firewall definitions created for the NAT addresses.
ServerIronADX-A(config)# server fw-group 2
ServerIronADX-A(config-fw-2)# fw-name fw1
ServerIronADX-A(config-fw-2)# fw-name fw2
ServerIronADX-A(config-fw-2)# fwall-info 1 1 10.10.10.30 209.157.23.108
ServerIronADX-A(config-fw-2)# fwall-info 2 2 10.10.10.30 209.157.23.109
ServerIronADX-A(config-fw-2)# exit
The following commands add static MAC entries for the firewalls’ interfaces with the ServerIron
ADX. The priority 1 and router-type parameters are required for FWLB with Layer 3 firewalls.
ServerIronADX-A(config)# static-mac-address abcd.da10.dc2c ethernet 1 priority 1 router-type
ServerIronADX-A(config)# static-mac-address abcd.da10.dc3f ethernet 2 priority 1 router-type
The write memory command saves the configuration changes to the ServerIron ADX’s
startup-config file on the device’s flash memory.
ServerIronADX-A(config)# write memory
Alternative configuration for ServerIron ADX A
The previous example configures FWLB for NAT firewalls by adding firewall definitions for the IP
addresses the NAT service on the firewalls uses for traffic sent from a client inside the firewalls to a
destination outside the firewalls.
Alternatively, you can configure IP access policies that deny load balancing for the NAT addresses.
For the example in Figure 18 on page 114, you would enter the following commands.
ServerIronADX-A(config)# ip filter 1 deny any 209.157.23.110 255.255.255.255
ServerIronADX-A(config)# ip filter 2 deny any 209.157.23.107 255.255.255.255
ServerIronADX-A(config)# ip filter 1024 permit any any
The first two commands configure policies to deny load balancing for the two NAT addresses. The
third command allows all other traffic to be load balanced.
NOTE
The third policy, which permits all traffic, is required because once you define an access policy, the
default action for packets that do not match a policy is to deny them. Thus, if you configure only the
first two policies and not the third one, you actually disable load balancing altogether by denying the
load balancing for all packets.
The other commands are the same as in the previous section.
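The three points this section makes (NAT firewall definitions stay out of the fw-group and get no fwall-info path, or are excluded by ip filter policies; static-mac-address entries for Layer 3 FWLB need priority 1 and router-type; and once any ip filter exists a final permit any any is mandatory or load balancing is silently disabled) are easy to verify before a write memory. The following script is an added example, not code from the guide or from Brocade: it parses a small constructed configuration in the command syntax shown above and reports which of those rules are violated. The sample configuration, the addresses assigned to fw1 and fw2 (taken from the fwall-info lines), the indentation of fw-group members, and the rule that the fourth fwall-info field is the firewall's own address are assumptions made for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample in the guide's CLI syntax (assumed indentation for group
# members). It deliberately contains three mistakes: no path through fw2, a
# static MAC entry without router-type, and ip filters with no final permit.
CONFIG_WITH_PITFALLS = """\
server fw-name fw1 209.157.23.108
server fw-name fw2 209.157.23.109
server fw-group 2
 fw-name fw1
 fw-name fw2
 fwall-info 1 1 10.10.10.30 209.157.23.108
static-mac-address abcd.da10.dc2c ethernet 1 priority 1 router-type
static-mac-address abcd.da10.dc3f ethernet 2 priority 1
ip filter 1 deny any 209.157.23.110 255.255.255.255
ip filter 2 deny any 209.157.23.107 255.255.255.255
"""

# Same configuration with the three mistakes corrected (constructed).
CONFIG_CORRECTED = CONFIG_WITH_PITFALLS.replace(
    " fwall-info 1 1 10.10.10.30 209.157.23.108\n",
    " fwall-info 1 1 10.10.10.30 209.157.23.108\n"
    " fwall-info 2 2 10.10.10.30 209.157.23.109\n",
).replace(
    "ethernet 2 priority 1\n", "ethernet 2 priority 1 router-type\n"
) + "ip filter 1024 permit any any\n"

# NAT addresses used by the firewalls (from the guide's example).
NAT_ADDRESSES = ["209.157.23.107", "209.157.23.110"]

FW_DEF = re.compile(r"^server fw-name (\S+) (\d+\.\d+\.\d+\.\d+)$")
GROUP_MEMBER = re.compile(r"^\s+fw-name (\S+)$")
PATH = re.compile(r"^\s+fwall-info \d+ \d+ (\S+) (\S+)$")
STATIC_MAC = re.compile(r"^static-mac-address (\S+) ethernet (\d+)(.*)$")
FILTER = re.compile(r"^ip filter (\d+) (deny|permit) (\S+) (\S+)(?: \S+)?$")


@dataclass
class ParsedConfig:
    fw_defs: dict = field(default_factory=dict)          # fw-name -> IP
    group_members: List[str] = field(default_factory=list)
    path_ips: set = field(default_factory=set)           # firewall IPs with a path
    static_macs: List[Tuple[str, str, str]] = field(default_factory=list)
    filters: List[Tuple[int, str, str, str]] = field(default_factory=list)


def parse_config(text: str) -> ParsedConfig:
    """Collect only the statements the FWLB checks below need."""
    cfg = ParsedConfig()
    for line in text.splitlines():
        line = line.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue
        if m := FW_DEF.match(line):
            cfg.fw_defs[m.group(1)] = m.group(2)
        elif m := GROUP_MEMBER.match(line):
            cfg.group_members.append(m.group(1))
        elif m := PATH.match(line):
            cfg.path_ips.add(m.group(2))  # assumed: 4th field is the firewall IP
        elif m := STATIC_MAC.match(line):
            cfg.static_macs.append((m.group(1), m.group(2), m.group(3)))
        elif m := FILTER.match(line):
            cfg.filters.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return cfg


def lint(cfg: ParsedConfig, nat_addresses: List[str]) -> List[str]:
    """Return human-readable findings; an empty list means all checks passed."""
    findings = []
    # Every firewall in the group must have a path (fwall-info) through it.
    for name in cfg.group_members:
        ip = cfg.fw_defs.get(name)
        if ip is None:
            findings.append(f"group member {name} has no server fw-name definition")
        elif ip not in cfg.path_ips:
            findings.append(f"no fwall-info path through {name} ({ip})")
    # NAT addresses must not be load balanced: either defined as a firewall but
    # kept out of the group, or denied by an ip filter policy.
    denied = {f[3] for f in cfg.filters if f[1] == "deny"}
    for nat in nat_addresses:
        names = [n for n, ip in cfg.fw_defs.items() if ip == nat]
        if any(n in cfg.group_members for n in names):
            findings.append(f"NAT address {nat} is a member of the firewall group")
        elif not names and nat not in denied:
            findings.append(f"NAT address {nat} is neither defined nor denied")
    # Once any ip filter exists, the highest-numbered one must be permit any any,
    # otherwise the implicit deny stops load balancing for every packet.
    if cfg.filters:
        last = max(cfg.filters, key=lambda f: f[0])
        if (last[1], last[2], last[3]) != ("permit", "any", "any"):
            findings.append("ip filters defined without a final 'permit any any'; "
                            "implicit deny disables load balancing for all traffic")
    # Layer 3 FWLB requires priority 1 and router-type on each static MAC entry.
    for mac, port, rest in cfg.static_macs:
        if "priority 1" not in rest or "router-type" not in rest:
            findings.append(f"static-mac-address {mac} ethernet {port} "
                            "missing 'priority 1 router-type'")
    return findings


if __name__ == "__main__":
    for label, text in (("pitfalls", CONFIG_WITH_PITFALLS), ("corrected", CONFIG_CORRECTED)):
        print(label, lint(parse_config(text), NAT_ADDRESSES))
```

Run against the first sample the script reports the missing fw2 path, the static MAC entry without router-type, and the missing permit any any; the corrected sample produces no findings. Feed it the output of the device's running configuration (after confirming the indentation of fw-group members matches what the regular expressions assume) to catch these mistakes before they reach the startup-config.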