Technical data

ServerIron ADX Firewall Load Balancing Guide 125
53-1002436-01
Configuring IronClad Layer 3 FWLB for NAT
5
DRAFT: BROCADE CONFIDENTIAL
Configuring paths and adding static MAC entries for Layer 3 firewalls
A path is configuration information the ServerIron ADX uses to ensure that a given source and
destination IP pair is always authenticated by the same Layer 3 firewall.
Each path consists of the following parameters:
• The path ID – A number that identifies the path. In basic FWLB configurations, the paths go from one ServerIron ADX to the other through the firewalls. In configurations with active-standby pairs, the paths go from one ServerIron ADX to the ServerIron ADXs in the other active-standby pair through the firewalls. A path also goes to the router.
• The ServerIron ADX port – The number of the port that connects the ServerIron ADX to the firewall.
• The other ServerIron ADX’s or Layer 2 switch’s IP address – The management address of the ServerIron ADX or Layer 2 switch on the other side of the firewall. The ServerIron ADX on the private network side and the other ServerIron ADX or Layer 2 switch are the endpoints of the data path through the firewall.
• The next-hop IP address – The IP address of the firewall interface connected to this ServerIron ADX.
For each type of firewall (Layer 3 synchronous and asynchronous, with or without NAT), you must
configure paths between the ServerIron ADXs through the firewalls.
In addition to configuring the paths, you must create a static MAC entry for each firewall interface
attached to the ServerIron ADX.
NOTE
FWLB paths must be fully meshed. When you configure a FWLB path on a ServerIron ADX, make sure
you also configure a reciprocal path on the ServerIron ADX attached to the other end of the firewalls.
For example, if you configure four paths to four separate firewalls, make sure you configure four
paths on the other ServerIron ADX.
NOTE
The static MAC entries are required. You must add a static MAC entry for each firewall interface
attached to the ServerIron ADX.
To configure the paths and static MAC entries for the configuration shown in Figure 19 on
page 122, enter the following commands. Enter the first group of commands on ServerIron ADX A.
Enter the second group of commands on ServerIron ADX B.
Commands for active ServerIron ADX A (external active)
SI-ActiveA(config)# server fw-group 2
SI-ActiveA(config-fw-2)# fwall-info 1 1 3.3.3.20 192.168.1.2
SI-ActiveA(config-fw-2)# fwall-info 2 2 3.3.3.20 192.168.1.3
SI-ActiveA(config-fw-2)# fwall-info 3 1 4.4.4.20 192.168.1.2
SI-ActiveA(config-fw-2)# fwall-info 4 2 4.4.4.20 192.168.1.3
SI-ActiveA(config-fw-2)# fwall-info 5 8 192.168.1.1 192.168.1.1
SI-ActiveA(config-fw-2)# exit
SI-ActiveA(config)# static-mac-address abcd.4321.2498 ethernet 1 priority 1 router-type
SI-ActiveA(config)# static-mac-address abcd.4321.a53c ethernet 2 priority 1 router-type
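
As an added example (not part of the Brocade guide), this Python script audits the ServerIron ADX A commands above: it reads each fwall-info line in the parameter order listed earlier (path ID, port, other device's IP address, next-hop IP address) and reports firewall paths whose port has no static MAC entry. The function name audit_paths and the rule that a path whose two addresses are identical is the router path are assumptions made for this example.

```python
import re
from collections import defaultdict

# The page's ServerIron ADX A commands, prompts stripped (wrapped lines rejoined).
ADX_A = """\
server fw-group 2
fwall-info 1 1 3.3.3.20 192.168.1.2
fwall-info 2 2 3.3.3.20 192.168.1.3
fwall-info 3 1 4.4.4.20 192.168.1.2
fwall-info 4 2 4.4.4.20 192.168.1.3
fwall-info 5 8 192.168.1.1 192.168.1.1
static-mac-address abcd.4321.2498 ethernet 1 priority 1 router-type
static-mac-address abcd.4321.a53c ethernet 2 priority 1 router-type
"""

# Field order follows the parameter list on the page.
PATH_RE = re.compile(r"^fwall-info (\d+) (\d+) (\S+) (\S+)$")
MAC_RE = re.compile(r"^static-mac-address (\S+) ethernet (\d+)\b.*\brouter-type$")

def audit_paths(config):
    """Return a list of findings; an empty list means every check passed."""
    paths, mac_ports, findings = [], set(), []
    for line in config.splitlines():
        line = line.strip()
        if m := PATH_RE.match(line):
            paths.append((int(m[1]), int(m[2]), m[3], m[4]))
        elif m := MAC_RE.match(line):
            mac_ports.add(int(m[2]))
    seen_ids, hop_ports = set(), defaultdict(set)
    for path_id, port, peer, next_hop in paths:
        if path_id in seen_ids:
            findings.append(f"path {path_id}: duplicate path ID")
        seen_ids.add(path_id)
        if peer == next_hop:  # assumption: identical addresses mark the router path
            continue
        hop_ports[next_hop].add(port)
        if port not in mac_ports:  # the page requires a static MAC per firewall interface
            findings.append(f"path {path_id}: no static MAC entry on ethernet {port} "
                            f"for firewall {next_hop}")
    for hop, ports in sorted(hop_ports.items()):
        if len(ports) > 1:  # one firewall interface should sit behind a single port
            findings.append(f"firewall {hop}: reached through ports {sorted(ports)}")
    return findings

if __name__ == "__main__":
    print(audit_paths(ADX_A) or "no findings")
```

The check covers one device only; confirming the reciprocal paths the NOTE requires means running the same parse over the configuration of the ServerIron ADX on the other side of the firewalls.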