ServerIron ADX Firewall Load Balancing Guide 129
53-1002436-01
Configuration example for IronClad FWLB with Layer 3 NAT firewalls
This section shows the CLI commands for implementing the configuration shown in Figure 19 on page 122. The only additional step required is to ensure that the ServerIron ADX connected to the external network does not load balance return traffic to the addresses the firewalls use for NAT. For example, ServerIron ADX A in Figure 19 on page 122 must be configured so that it does not load balance return traffic to 192.168.2.10/24 or 192.168.2.3/24.
To prevent the ServerIron ADX from load balancing the NAT addresses, you can use either of the following methods. Each method is equally valid and only one of the methods is required. You need to use one of these methods only on the ServerIron ADX connected to the external network, not the ServerIron ADX on the internal side of the network. Consider the following methods:

• Configure the NAT addresses as firewall addresses, but do not configure paths for the addresses.
• Configure IP access policies (filters) to deny load balancing for traffic addressed to the NAT addresses.
NOTE
In FWLB configurations, the IP policies do not block traffic altogether. They deny load balancing for the traffic. Thus, the ServerIron ADX does not load balance packets addressed to the NAT addresses, but instead sends the traffic only to the firewall that originally sent the traffic.
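Both exclusion methods have the same forwarding effect on the external ServerIron ADX: return traffic to a NAT address is pinned to the firewall that originated the flow, while all other traffic is still load balanced. The following added Python model (not ServerIron code; the firewall names, the round-robin choice for ordinary traffic and the drop-on-unknown-origin behaviour are assumptions) shows that decision on the addresses from the example above.

```python
import ipaddress
from itertools import cycle

# Constructed sample data modelled on the page's example: two firewalls, each
# NATing to one external address. This is an added model, not the product's logic.
FIREWALLS = ["fw1", "fw2"]
NAT_EXCLUSIONS = [ipaddress.ip_network("192.168.2.10/32"),
                  ipaddress.ip_network("192.168.2.3/32")]


class ExternalAdx:
    """Forwarding decision of the external ServerIron ADX for return traffic.

    nat_exclusions stands for either method on the page: NAT addresses configured
    as firewall addresses without paths, or an IP access policy that denies load
    balancing for them. Both only deny load balancing; they do not block traffic.
    """

    def __init__(self, firewalls, nat_exclusions):
        self.firewalls = list(firewalls)
        self.nat_exclusions = list(nat_exclusions)
        self.origin = {}                   # NAT source address -> firewall that sent it
        self._rr = cycle(self.firewalls)   # assumed round-robin for ordinary traffic

    def is_excluded(self, dst):
        """True when dst matches a NAT address that must not be load balanced."""
        addr = ipaddress.ip_address(dst)
        return any(addr in net for net in self.nat_exclusions)

    def learn_outbound(self, nat_src, firewall):
        """Outbound packet arriving from a firewall: remember who owns that NAT source."""
        if firewall not in self.firewalls:
            raise ValueError(f"unknown firewall {firewall}")
        self.origin[ipaddress.ip_address(nat_src)] = firewall

    def forward_return(self, dst):
        """Return packet from the external network: choose the firewall to send it to."""
        addr = ipaddress.ip_address(dst)
        if self.is_excluded(addr):
            # Load balancing denied: only the firewall that originated the flow gets it.
            # Assumption of this model: with no recorded origin, the packet is dropped.
            return self.origin.get(addr)
        return next(self._rr)


if __name__ == "__main__":
    adx = ExternalAdx(FIREWALLS, NAT_EXCLUSIONS)
    adx.learn_outbound("192.168.2.10", "fw1")
    adx.learn_outbound("192.168.2.3", "fw2")
    for dst in ("192.168.2.10", "192.168.2.10", "192.168.2.3", "192.168.2.50", "192.168.2.50"):
        print(dst, "->", adx.forward_return(dst))
```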
Commands on active ServerIron ADX A (external active)
The following commands add a management IP address and default gateway address to the ServerIron ADX. For the configuration in this example, the ServerIron ADX needs to be in only one subnet, so additional IP addresses are not added. However, the IP address must be in the same subnet as the ServerIron ADX's interface to the Layer 3 firewalls.

SI-ActiveA(config)# ip address 192.168.1.10/24
SI-ActiveA(config)# ip default-gateway 192.168.1.2
The following commands configure the ports for the connection to the standby ServerIron ADX in a separate port-based VLAN. This is required.

SI-ActiveA(config)# vlan 10 by port
SI-ActiveA(config-vlan-10)# untagged 5 to 6
SI-ActiveA(config-vlan-10)# exit
The trunk command creates a trunk group for the ports that connect this ServerIron ADX to its partner. Using a trunk group for the link between the active and standby ServerIron ADXs is not required, but it adds a further level of redundancy for enhanced availability: if one of the ports in a trunk group goes down, the link remains intact as long as the other port remains up. Since the trunk group is between two ServerIron ADX switches, make sure you configure a switch trunk group, not a server trunk group.

SI-ActiveA(config)# trunk switch ethernet 5 to 6
SI-ActiveA(config)# trunk deploy
The server router-port command identifies the port that connects this ServerIron ADX to the router connected to the other ServerIron ADX in the active-standby pair.

SI-ActiveA(config)# server router-port 8