Technical data

ServerIron ADX Firewall Load Balancing Guide 17
53-1002436-01
DRAFT: BROCADE CONFIDENTIAL
Chapter 2: Configuring Basic FWLB
In this chapter
• Configuring basic Layer 3 FWLB
• Configuration guidelines
• Configuration example for basic Layer 3 FWLB
• Configuration examples with Layer 3 routing support
Configuring basic Layer 3 FWLB
This chapter describes how to implement the following commonly used configurations:
• Basic FWLB (configuration without ServerIron ADX redundancy)
• IronClad (active-active configuration with ServerIron ADX redundancy)
Basic FWLB uses a single ServerIron ADX on the enterprise side of the load balanced firewalls and another ServerIron ADX on the Internet side. Figure 2 on page 11 shows an example of this type of configuration.
Configuration guidelines
Use the following guidelines when configuring a ServerIron ADX for FWLB:
• The ServerIron ADX supports two firewall groups, group 2 for IPv4 and group 4 for IPv6. All IPv4 ServerIron ADX ports must only belong to group 2 and all IPv6 ServerIron ADX ports must only belong to group 4.
• The ServerIron ADX must be able to reach the firewalls at Layer 2. Therefore, the firewalls must be either directly attached to the ServerIron ADX or connected through a Layer 2 switch.
• Static MAC entries for firewall interfaces are required. This is especially critical when the upstream Internet-side routers use the firewall interface as the next hop for reaching internal networks. These static entries are not necessary with ServerIron ADX router software and should not be used when a firewall path definition uses dynamic ports.
• Use "dynamic ports" with firewall path definitions when the firewall interface MAC address can be learned over different physical ports by the ServerIron ADX. Dynamic ports are only supported using IPv4 address formats.
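
The guidelines above can be checked against a planned deployment before any commands are entered. The following Python sketch is an added example, not part of the Brocade guide and not ServerIron ADX syntax: the FwPath record, the rule names and the sample inventory are hypothetical. It assumes that a path using dynamic ports, or a device running router software, is exempt from the static MAC requirement.

```python
from dataclasses import dataclass

# Per the guide: group 2 is the IPv4 firewall group, group 4 the IPv6 one.
GROUP_FOR_FAMILY = {"ipv4": 2, "ipv6": 4}

@dataclass
class FwPath:
    """Hypothetical inventory record; not ServerIron ADX CLI syntax."""
    name: str
    family: str                 # "ipv4" or "ipv6"
    groups: frozenset           # firewall groups the ServerIron port belongs to
    dynamic_port: bool = False  # path definition uses dynamic ports
    static_mac: bool = False    # static MAC entry exists for the firewall interface

def check_fwlb(paths, router_software=False):
    """Return (path name, rule) pairs for every guideline a path breaks."""
    findings = []
    for p in paths:
        # A port must belong to exactly the one group for its address family.
        if p.groups != {GROUP_FOR_FAMILY[p.family]}:
            findings.append((p.name, "wrong-group"))
        # Dynamic ports are supported for IPv4 only.
        if p.dynamic_port and p.family != "ipv4":
            findings.append((p.name, "dynamic-port-ipv4-only"))
        # Static MAC entries should not be combined with dynamic ports.
        if p.dynamic_port and p.static_mac:
            findings.append((p.name, "static-mac-with-dynamic-port"))
        # Assumption: static MAC entries are required unless router software
        # is running or the path uses dynamic ports.
        if not (p.static_mac or p.dynamic_port or router_software):
            findings.append((p.name, "static-mac-missing"))
    return findings

# Constructed sample inventory.
SAMPLE_PATHS = [
    FwPath("fw1", "ipv4", frozenset({2}), static_mac=True),
    FwPath("fw2", "ipv4", frozenset({2, 4}), static_mac=True),
    FwPath("fw3", "ipv6", frozenset({4}), dynamic_port=True),
    FwPath("fw4", "ipv4", frozenset({2}), dynamic_port=True, static_mac=True),
    FwPath("fw5", "ipv4", frozenset({2})),
]

if __name__ == "__main__":
    for name, rule in check_fwlb(SAMPLE_PATHS):
        print(f"{name}: {rule}")
```

The Layer 2 reachability guideline is a property of the physical topology and is not covered by this check.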