
ServerIron ADX Firewall Load Balancing Guide, 53-1002436-01, Chapter 4 (page 72). DRAFT: BROCADE CONFIDENTIAL
• On the DMZ ServerIron ADXs, configure zone definitions for the zones in the internal network and other DMZs, if applicable.
• On the internal ServerIron ADXs, configure zone definitions for the zones in the DMZs and other internal networks, if applicable.
Generally, each ServerIron ADX should contain definitions for two fewer zones than the total number of zones in the network. The two zones you leave out are zone 1 (which remains undefined) and the zone the ServerIron ADX itself is in. If you are configuring a ServerIron ADX in zone 1, leave out configuration information for zone 1 and for one of the other zones.
Configuring basic multizone FWLB
Figure 13 shows an example of a basic multizone FWLB configuration. In this example, each ServerIron ADX is in a separate zone:
• ServerIron ADX Zone1-SI is in zone 1. By default, zone 1 contains all IP addresses that are not members of other, user-configured zones. You can explicitly configure zone 1, but it is not necessary. In the CLI configuration example for this configuration, zone 1 is not configured. ServerIron ADX Zone1-SI contains zone definitions for zone 2 (the DMZ zone) but not for zone 1 or zone 3.
• ServerIron ADX Zone2-SI is in zone 2 (the “DMZ” zone in this example). Zone 2 contains IP addresses in the range 209.157.25.0/24 through 209.157.25.255/24. This ServerIron ADX contains configuration information for zone 3 (the internal network zone) but does not contain definitions for zone 1 (the external network zone) or zone 2 (the DMZ zone itself).
• ServerIron ADX Zone3-SI is in zone 3 (the “internal network” zone in the example). Zone 3 contains IP addresses in the range 209.157.23.0/24 through 209.157.23.255/24. This ServerIron ADX contains configuration information for zone 2 (the DMZ zone) but does not contain definitions for zone 1 (the external network zone) or zone 3 (the internal network zone itself).
When one of the ServerIron ADXs receives traffic with a destination IP address in another zone, the ServerIron ADX selects a path for the traffic based on the zone the destination IP address is in. For example, if a client on the Internet sends traffic addressed to a server in zone 2, ServerIron ADX Zone1-SI selects a path that sends the traffic through a firewall to ServerIron ADX Zone2-SI, which forwards the traffic to the server. (ServerIron ADX Zone2-SI can be configured to load balance traffic across multiple servers, or it can simply be used as a Layer 2 switch to forward the traffic to the server.)

When ServerIron ADX Zone2-SI forwards the server’s reply to the client, the ServerIron ADX selects a path to ServerIron ADX Zone1-SI. ServerIron ADX Zone2-SI knows the traffic goes to zone 1 because the destination IP address of the traffic is not in its own subnet (zone 2) or in zone 3.
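As an added illustration (not code or CLI syntax from the guide), the following Python models the zone lookup each of the three ADXs in Figure 13 performs and checks the "two fewer zones" rule stated above; the zone names and subnets are the example's, while the client address 198.51.100.7 is a constructed Internet address.

```python
import ipaddress

# Constructed model of the Figure 13 example; not ServerIron ADX code.
# Zone 1 is deliberately absent: it is the default for every address
# that does not belong to a user-configured zone.
ZONE_SUBNETS = {
    2: ipaddress.ip_network("209.157.25.0/24"),  # DMZ zone
    3: ipaddress.ip_network("209.157.23.0/24"),  # internal network zone
}
TOTAL_ZONES = 3

# The zone each ADX sits in, and the zones it carries definitions for.
ADX_OWN_ZONE = {"Zone1-SI": 1, "Zone2-SI": 2, "Zone3-SI": 3}
ADX_DEFINED_ZONES = {"Zone1-SI": {2}, "Zone2-SI": {3}, "Zone3-SI": {2}}

def definitions_follow_rule(adx):
    """An ADX defines (total zones - 2) zones and never defines zone 1
    or the zone it is in."""
    defined = ADX_DEFINED_ZONES[adx]
    return (len(defined) == TOTAL_ZONES - 2
            and 1 not in defined
            and ADX_OWN_ZONE[adx] not in defined)

def destination_zone(adx, dst_ip):
    """Zone that `adx` selects a path toward for a packet to dst_ip:
    its own zone for a local address, a defined zone on a match, and
    otherwise zone 1, the catch-all for every undefined address."""
    addr = ipaddress.ip_address(dst_ip)
    own = ADX_OWN_ZONE[adx]
    if own in ZONE_SUBNETS and addr in ZONE_SUBNETS[own]:
        return own
    for zone in ADX_DEFINED_ZONES[adx]:
        if addr in ZONE_SUBNETS[zone]:
            return zone
    return 1

def trace_path(client_ip, server_ip):
    """Path decisions for the Internet-client-to-DMZ-server exchange:
    Zone1-SI on the request, Zone2-SI on the reply."""
    return (destination_zone("Zone1-SI", server_ip),
            destination_zone("Zone2-SI", client_ip))

if __name__ == "__main__":
    for adx in ADX_OWN_ZONE:
        print(adx, "definitions follow rule:", definitions_follow_rule(adx))
    request_zone, reply_zone = trace_path("198.51.100.7", "209.157.25.10")
    print("request toward zone", request_zone, "; reply toward zone", reply_zone)
```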