Technical data
132 ServerIron ADX Firewall Load Balancing Guide
53-1002436-01
Configuration example for IronClad FWLB with Layer 3 NAT firewalls
Commands on standby ServerIron ADX A (external standby)
SI-StandbyA(config)# ip address 192.168.2.10/24
SI-StandbyA(config)# ip default-gateway 192.168.2.2
SI-StandbyA(config)# vlan 10 by port
SI-StandbyA(config-vlan-10)# untagged 5 to 6
SI-StandbyA(config-vlan-10)# exit
SI-StandbyA(config)# trunk switch ethernet 5 to 6
SI-StandbyA(config)# trunk deploy
SI-StandbyA(config)# server router-port 8
SI-StandbyA(config)# server fw-port 5
SI-StandbyA(config)# server fw-name fw2-1 192.168.2.2
SI-StandbyA(config-rs-fw2-1)# exit
SI-StandbyA(config)# server fw-name fw2-2 192.168.2.3
SI-StandbyA(config-rs-fw2-2)# exit
SI-StandbyA(config)# server fw-group 2
SI-StandbyA(config-fw-2)# sym-priority 1
SI-StandbyA(config-fw-2)# fw-name fw1
SI-StandbyA(config-fw-2)# fw-name fw2
SI-StandbyA(config-fw-2)# fwall-info 1 1 3.3.3.20 192.168.2.2
SI-StandbyA(config-fw-2)# fwall-info 2 2 3.3.3.20 192.168.2.3
SI-StandbyA(config-fw-2)# fwall-info 3 1 4.4.4.20 192.168.2.2
SI-StandbyA(config-fw-2)# fwall-info 4 2 4.4.4.20 192.168.2.3
SI-StandbyA(config-fw-2)# fwall-info 5 8 192.168.2.1 192.168.2.1
SI-StandbyA(config-fw-2)# exit
SI-StandbyA(config)# vlan 1
SI-StandbyA(config-vlan-1)# static-mac-address abcd.4321.a53d ethernet 2 priority 1 router-type
SI-StandbyA(config-vlan-1)# static-mac-address abcd.4321.2499 ethernet 1 priority 1 router-type
SI-StandbyA(config-vlan-1)# exit
SI-StandbyA(config)# write memory
Alternative configuration for standby ServerIron ADX A
The previous example configures FWLB for NAT firewalls by adding firewall definitions for the IP
addresses the NAT service on the firewalls uses for traffic sent from a client inside the firewalls to a
destination outside the firewalls.
Alternatively, you can configure IP access policies that deny load balancing for the NAT addresses.
For the example in Figure 19 on page 122, you would enter the following commands.
SI-StandbyA(config)# ip filter 1 deny any 192.168.2.3 255.255.255.255
SI-StandbyA(config)# ip filter 2 deny any 192.168.3.2 255.255.255.255
SI-StandbyA(config)# ip filter 1024 permit any any
The first two commands configure policies to deny load balancing for the two NAT addresses. The
third command allows all other traffic to be load balanced.
NOTE
The third policy, which permits all traffic, is required because once you define an access policy, the
default action for packets that do not match a policy is to deny them. Thus, if you configure
only the first two policies and not the third one, you actually disable load balancing altogether by
denying the load balancing for all packets.
The other commands are the same as in the previous section.
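The NOTE's failure mode can be checked offline before a configuration is applied. The following Python sketch is an added example, not part of the Brocade guide: it parses only the ip filter form shown above (source any, destination host plus mask or any) and assumes filters are evaluated in ascending ID order with the first match winning. The function names and the 10.1.1.1 test destination are constructed for illustration.

```python
import ipaddress
import re

# Only the form used on this page: source "any", destination host+mask or "any".
FILTER_RE = re.compile(
    r"ip filter (\d+) (permit|deny) any (any|[\d.]+)(?: ([\d.]+))?\s*$")

# The three commands from the page, and the broken variant the NOTE warns about.
FULL = """\
SI-StandbyA(config)# ip filter 1 deny any 192.168.2.3 255.255.255.255
SI-StandbyA(config)# ip filter 2 deny any 192.168.3.2 255.255.255.255
SI-StandbyA(config)# ip filter 1024 permit any any
"""
PARTIAL = "\n".join(FULL.splitlines()[:2])

def parse_filters(config_text):
    """Return [(filter_id, action, dst_network)] sorted by filter ID."""
    filters = []
    for line in config_text.splitlines():
        m = FILTER_RE.search(line)
        if not m:
            continue
        fid, action, dst, mask = m.groups()
        net = "0.0.0.0/0" if dst == "any" else f"{dst}/{mask or '255.255.255.255'}"
        filters.append((int(fid), action, ipaddress.ip_network(net, strict=False)))
    return sorted(filters, key=lambda f: f[0])

def load_balanced(filters, dst):
    """True if traffic to dst is load balanced under the given filters."""
    if not filters:
        return True  # no access policy defined, so nothing is excluded
    addr = ipaddress.ip_address(dst)
    for _, action, net in filters:  # assumption: ascending ID, first match wins
        if addr in net:
            return action == "permit"
    return False  # a policy exists and nothing matched: default deny

def lacks_catch_all(filters):
    """True if filters exist but none is a 'permit any any' (the NOTE's pitfall)."""
    any_net = ipaddress.ip_network("0.0.0.0/0")
    return bool(filters) and not any(
        a == "permit" and n == any_net for _, a, n in filters)

if __name__ == "__main__":
    for name, cfg in (("full", FULL), ("partial", PARTIAL)):
        f = parse_filters(cfg)
        print(name, "lacks catch-all:", lacks_catch_all(f),
              "| 10.1.1.1 balanced:", load_balanced(f, "10.1.1.1"))
```

With only the two deny filters, every destination falls through to the default deny, so lacks_catch_all is the check to run against a saved configuration.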










