53-1002335-01
30 May 2012
ServerIron TrafficWorks Firewall and Load Balancing Guide
Supporting ServerIron TrafficWorks version 10.2.
Copyright © 2012 Brocade Communications Systems, Inc. All Rights Reserved. Brocade, Brocade Assurance, the B-wing symbol, DCX, Fabric OS, MLX, SAN Health, VCS, and VDX are registered trademarks, and AnyIO, Brocade One, CloudPlex, Effortless Networking, ICX, NET Health, OpenScript, and The Effortless Network are trademarks of Brocade Communications Systems, Inc., in the United States and/or in other countries. Other brands, products, or service names mentioned may be trademarks of their respective owners.
Contents

Chapter 1 About This Guide 1-1
  Audience 1-1
  Conventions 1-1
  Related Documentation

Chapter 4 Configuring Basic FWLB 4-1
  Configuring Basic Layer 3 FWLB 4-1
    Configuring Basic Layer 3 FWLB 4-1
    Enabling FWLB

  Commands on ServerIron SI-Ext-A 5-13
  Commands on ServerIron SI-Ext-B 5-15
  Commands on ServerIron SI-Int-A 5-16
  Commands on ServerIron SI-Int-B

  Specifying the Partner Port 7-10
  Specifying the Router Ports 7-10
  Defining the Firewalls and Adding Them to the Firewall Group 7-11
  Configuring Paths and Adding Static MAC Entries for Layer 3 Firewalls

Chapter 10 Configuring FWLB for Layer 2 Firewalls 10-1
  Configuring FWLB for Layer 2 Firewalls 10-1
    Configuring a Switch Trunk Group for the Firewall Ports 10-3
    Specifying the Partner Port 10-3
    Specifying the Router Ports
Chapter 1 About this Guide

This guide describes the features of, and provides configuration procedures for, the Firewall Load Balancing features of the Brocade® ServerIron devices.

Audience

This guide is intended for network engineers with a basic knowledge of switching, routing, and application traffic management.

Conventions

This guide uses the following typographical conventions to describe information:

Italic  Highlights the title of another publication or emphasizes a word or phrase.
• ServerIron TrafficWorks Graphical User Interface – provides details on the graphical user interface for the ServerIron family of application delivery controllers.
• ServerIron TrafficWorks Server Load Balancing Guide – describes basic Server Load Balancing configurations for the ServerIron product family.
Chapter 2 New Features and Enhancements

This chapter lists new ServerIron features by release, and directs you to their descriptions in the documentation. This chapter contains information about the following releases:
• “Software Dependencies for Hardware Platforms” on page 2-1

Software Dependencies for Hardware Platforms
• The ServerIron WSM7 management module requires software release 09.4.00l or later.
• 3-slot chassis (GT-C series or SI 350) is supported from software release 09.4.00g onwards.
Chapter 3 ServerIron FWLB Overview

Firewall Load Balancing (FWLB) allows the ServerIron to balance traffic across multiple firewalls. The ServerIron supports the following FWLB topologies: Basic FWLB, High Availability (HA) FWLB, and Multizone FWLB.

NOTE: The ServerIron does not currently support the following topologies: FWLB + NAT, FWLB + Layer 7, FWLB + SYN Proxy.
• “Static Route Environments” on page 3-2
• “Layer 2 Firewall Environments” on page 3-2

Synchronous Firewall Environments

In general, firewalls that are synchronized allow the inbound and outbound traffic of a conversation to pass through multiple firewalls. The firewalls exchange information about the conversation so that the inbound or outbound traffic for the conversation does not need to be revalidated each time it tries to use a different firewall.
Figure 3.1 shows an example of FWLB paths.

Figure 3.
Hashing Mechanism

The ServerIrons use the path information along with the hash-mask value for each source-destination pair of IP addresses in the user traffic to consistently send the same source-destination pairs through the same paths. For FWLB, the hash mask must be set to all ones (255.255.255.255 255.255.255.255) to ensure that a given source-destination pair always goes down the same path.
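The following Python model illustrates what the hash mask does to path selection. It is an added example, not code from this guide or from the ServerIron software: the guide does not publish the ServerIron's real hash function, so SHA-256 over the masked address pair stands in for it, and the choice to hash the pair in a direction-independent way (so that a flow and its reply select the same path) is this model's own assumption. The sample traffic, path names and masks are constructed.

```python
import hashlib
import ipaddress
from collections import Counter

ALL_ONES = "255.255.255.255"


def mask_ip(ip: str, mask: str) -> int:
    """Apply a dotted-quad hash mask to an IPv4 address. Bits the mask clears
    no longer take part in the path choice."""
    return int(ipaddress.IPv4Address(ip)) & int(ipaddress.IPv4Address(mask))


def select_path(src: str, dst: str, paths: list, src_mask: str = ALL_ONES,
                dst_mask: str = ALL_ONES) -> str:
    """Pick the path for one source-destination pair.

    Stand-in hash (assumption): SHA-256 over the masked pair. The two masked
    addresses are sorted before hashing so that (src, dst) and (dst, src) map to
    the same path; that symmetry is this model's assumption, not a statement
    from the guide, and only holds when both masks are equal.
    """
    lo, hi = sorted((mask_ip(src, src_mask), mask_ip(dst, dst_mask)))
    key = lo.to_bytes(4, "big") + hi.to_bytes(4, "big")
    digest = hashlib.sha256(key).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]


def path_distribution(pairs, paths, src_mask=ALL_ONES, dst_mask=ALL_ONES) -> Counter:
    """Count how many source-destination pairs each path receives under a mask."""
    return Counter(select_path(s, d, paths, src_mask, dst_mask) for s, d in pairs)


# Constructed sample traffic: 16 clients in one /24 talking to 8 servers in another.
SAMPLE_PAIRS = [(f"10.10.1.{c}", f"10.10.2.{s}")
                for c in range(10, 26) for s in range(20, 28)]
PATHS = ["path-1 via Firewall-1", "path-2 via Firewall-2"]

if __name__ == "__main__":
    # With an all-ones mask every distinct pair is hashed individually and the
    # pairs spread over both paths; with a /24 mask all of these pairs collapse
    # onto one path because only the network bits are left to hash.
    print("all-ones mask:", dict(path_distribution(SAMPLE_PAIRS, PATHS)))
    print("/24 mask     :", dict(path_distribution(
        SAMPLE_PAIRS, PATHS, "255.255.255.0", "255.255.255.0")))
```

Running the script shows the two effects a practitioner cares about: the same pair always returns the same path (and, under this model's symmetry assumption, so does the reverse pair), and a mask shorter than all ones makes every host in the same masked prefix share a single path.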
The pings are required because a ServerIron can use link-state information to detect when the local link (a link directly attached to a ServerIron port) in a path goes down, but cannot detect when the remote link in the path goes down. If the other ServerIron fails to respond to a ping on a specific port, the ServerIron that sent the ping tries two more times, then determines that the remote link in the path must be down.
TCP or UDP health check to the firewall. Layer 4 health checks are enabled by default. However, you can disable the Layer 4 health checks globally or for individual applications on individual firewalls. The ServerIron performs the Layer 4 TCP and UDP health checks as follows:
• TCP health check – The ServerIron checks the TCP port’s health based on a TCP three-way handshake:
  • The ServerIron sends a TCP SYN packet to the port on the firewall.
Figure 3.2 Basic FWLB Topology [figure: Internet Router, SI-A, Layer 3 Firewall-1, Layer 3 Firewall-2, SI-C, Internal Router]

As shown in this example, each ServerIron is configured with paths through the firewalls to the other ServerIron. The ServerIrons use these paths as part of the load balancing mechanism to ensure that traffic for a given IP source and IP destination always passes through the same firewall. All FWLB configurations require paths.
Figure 3.3 HA FWLB Topology [figure: External Router, SI-A, SI-B, Layer 3 Firewall-1, Layer 3 Firewall-2, SI-C, SI-D, Internal Router]

In this example, clients access the application servers on the private network through one of two routers, each of which is connected to a ServerIron. The ServerIrons create session entries for new traffic flows, including assignment of a firewall.
active-standby partner, failover to the standby ServerIron occurs. At this point, the standby ServerIron remains active only so long as the number of good paths meets or exceeds the minimums you have configured. Only if the number of paths is less than the configured minimum and less than the number of available paths on the other ServerIron does failover occur.
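The path-health and failover rules above (the ping with two retries from the path description, and the two-part condition for failover) can be modelled as a small state machine. The Python below is an added example for illustration, not code from this guide or the ServerIron software; the names, the constructed ping log, and the assumption that a path recovers as soon as one ping is answered again are all the example's own.

```python
from dataclasses import dataclass

PING_TRIES = 3  # one ping plus the two retries the guide describes


@dataclass
class Path:
    """One FWLB path as tracked by the ServerIron that monitors it."""
    path_id: int
    local_link_up: bool = True     # known from link state on the local port
    failed_pings: int = 0          # consecutive pings the remote ServerIron did not answer
    remote_link_down: bool = False

    def record_ping(self, answered: bool) -> bool:
        """Feed one ping result and return whether the path is good afterwards.
        Recovery on the first answered ping is this model's assumption."""
        if answered:
            self.failed_pings = 0
            self.remote_link_down = False
        else:
            self.failed_pings += 1
            if self.failed_pings >= PING_TRIES:
                self.remote_link_down = True
        return self.good

    @property
    def good(self) -> bool:
        return self.local_link_up and not self.remote_link_down


def good_path_count(paths) -> int:
    return sum(1 for p in paths if p.good)


def should_fail_over(my_good: int, configured_min: int, partner_good: int) -> bool:
    """Both conditions from the guide must hold: fewer good paths than the
    configured minimum AND fewer than the partner ServerIron currently has."""
    return my_good < configured_min and my_good < partner_good


def simulate(ping_log, configured_min: int, partner_good: int):
    """Replay a list of (path_id, answered) ping events for the active ServerIron.
    Returns one (event_index, good_paths, fail_over) tuple per event."""
    paths = {pid: Path(pid) for pid in sorted({pid for pid, _ in ping_log})}
    timeline = []
    for i, (pid, answered) in enumerate(ping_log):
        paths[pid].record_ping(answered)
        good = good_path_count(paths.values())
        timeline.append((i, good, should_fail_over(good, configured_min, partner_good)))
    return timeline


# Constructed ping log: path 2 loses three pings in a row while path 1 stays healthy.
SAMPLE_LOG = [(1, True), (2, False), (1, True), (2, False), (1, True), (2, False), (1, True)]

if __name__ == "__main__":
    for step in simulate(SAMPLE_LOG, configured_min=2, partner_good=2):
        print("event %d: good paths=%d fail over=%s" % step)
```

The replay shows that two missed pings leave path 2 counted as good, the third marks its remote link down, and failover is then triggered only because the good-path count (1) is below both the configured minimum (2) and the partner's count (2). Lowering `partner_good` to 1 in the call keeps the ServerIron active, because the second condition no longer holds.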
Figure 3.5 shows an example of Multizone HA FWLB.

Figure 3.5 Multizone HA FWLB [figure: External Router, Zone 1, SI-A, SI-B, Layer 3 Firewall-1, SI-C, SI-D, Zone 2, Layer 3 Firewall-2, Zone 3, Internal Router, DMZ Router]

Configuration Guidelines

Use the following guidelines when configuring a ServerIron for FWLB.
• The ServerIron supports one firewall group, group 2.
1. In releases 07.2.xx and 08.x.xx, global firewall policies must be configured for FWLB. Beginning with release 09.3.01, firewall policies are not required. Instead of firewall policies, you must configure the client-interface and server-interface commands on the interfaces to distribute traffic to WSM CPUs. Refer to the Release Notes for release 09.0.00 or to the ServerIron Chassis L4-7 Configuration Guide for more information on these two commands.
2.
FWLB Configuration Limits

Table 3.1 contains the FWLB configuration limits supported by the ServerIron.

Table 3.1: FWLB Configuration Limits
  Maximum Firewall Groups:  1 (group 2)
  Maximum Firewalls:        16
  Maximum Paths:            32
  Maximum Zones:            3 (internal, external, dmz)
  Maximum Router Paths:     4
Chapter 4 Configuring Basic FWLB

This chapter describes how to implement commonly used configurations for the following:
• Basic FWLB (configuration without ServerIron redundancy)
• IronClad (active-standby configuration with ServerIron redundancy)

Configuring Basic Layer 3 FWLB

Basic FWLB uses a single ServerIron on the enterprise side of the load balanced firewalls and another ServerIron on the Internet side. Figure 3.2 on page 3-7 shows an example of this type of configuration.
NOTE: The user interface allows you to enable FWLB locally instead of globally. However, local policies are not applicable to FWLB. Enable the feature globally.

To enable FWLB globally, use the following method.
This command changes the CLI to the firewall group configuration level. The firewall group number is 2. Only one firewall group is supported.

Syntax: [no] fw-name

Adds a configured firewall to the firewall group.

Configuring the Paths and Adding Static MAC Entries

A path is configuration information the ServerIron uses to ensure that a given source and destination IP pair is always authenticated by the same Layer 3 firewall.
ServerIron(config)# write mem

Commands for ServerIron B (Internal)

ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# fwall-info 1 1 209.157.22.2 209.157.23.1
ServerIron(config-tc-2)# fwall-info 2 2 209.157.22.2 209.157.23.2
ServerIron(config-tc-2)# exit
ServerIron(config)# static-mac-address abcd.4321.34e2 ethernet 1 high-priority router-type
ServerIron(config)# static-mac-address abcd.4321.
The following commands configure parameters for firewall group 2. The fwall-info commands configure the paths for the firewall traffic. Each path consists of a path ID, the ServerIron port attached to the firewall, the IP address of the ServerIron at the other end of the path, and the next-hop IP address (usually the firewall interface connected to this ServerIron).
ServerIronB(config)# static-mac-address abcd.4321.34e3 ethernet 2 high-priority router-type
ServerIronB(config)# ip policy 1 fw tcp 0 global
ServerIronB(config)# ip policy 2 fw udp 0 global
ServerIronB(config)# write memory

Configuration Examples with Layer 3 Routing Support

NOTE: Layer 3 routing is supported only on ServerIron Chassis devices running software release 08.0.00 or later.
Figure 4.1 Basic FWLB in One Subnet [figure: Client 10.10.1.15 (gateway 10.10.1.111 or 10.10.1.5); External ServerIron SI-A with VLAN 1 virtual interface 10.10.1.111 and default route 10.10.1.5; Layer 3 Firewall-1 with interfaces 10.10.1.5 (MAC 00.80.c8.b9.ab.a9) and 10.10.2.5 (MAC 00.80.c8.b9.ab.aa); Layer 3 Firewall-2 with interfaces 10.10.1.6 (MAC 00.80.c8.b9.91.09) and 10.10.2.6; Internal ServerIron with VLAN 1 virtual interface 10.10.2.222 and default route 10.10.2.5; ServerIron ports 4/1, 4/2 and 4/3]
SI-External(config-rs-fw1)# exit
SI-External(config)# server fw-name fw2 10.10.1.6
SI-External(config-rs-fw2)# port http
SI-External(config-rs-fw2)# exit

The following commands add the firewall definitions to the firewall port group (always group 2). The firewall group contains all the ports in VLAN 1 (the default VLAN).
Commands on the Internal ServerIron

ServerIron> enable
ServerIron# configure terminal
ServerIron(config)# hostname SI-Internal
SI-Internal(config)# vlan 1
SI-Internal(config-vlan-1)# router-interface ve 1
SI-Internal(config-vlan-1)# exit
SI-Internal(config)# interface ve 1
SI-Internal(config-ve-1)# ip address 10.10.2.222 255.255.255.0
SI-Internal(config-ve-1)# exit
SI-Internal(config)# ip route 0.0.0.0 0.0.0.0 10.10.2.5
SI-Internal(config)# server fw-name fw1 10.10.2.
Figure 4.2 Basic FWLB in Multiple Sub-nets Using Multiple Routing Interfaces [figure: Client 10.10.7.15 (gateway 10.10.7.101); External ServerIron SI-A with Virtual Routing Interface 2 at 10.10.7.101 and Virtual Routing Interface 1 at 10.10.1.111; Layer 3 Firewall-1 and Layer 3 Firewall-2; Internal ServerIron SI-C with Virtual Routing Interface 1 at 10.10.2.222 and Virtual Routing Interface 2; host 10.10.5.40 (gateway 10.10.5.101)]
The following command configures an IP default route. The first two "0.0.0.0" portions of the address are the IP address and network mask. Always specify zeroes when configuring an IP default route. The third value is the IP address of the next-hop gateway for the default route. In most cases, you can specify the IP address of one of the firewalls as the next hop. Specifying the default route is the Layer 3 equivalent of specifying the default gateway.
SI-Internal(config-vlan-10)# untagged ethernet 4/1 to 4/4
SI-Internal(config-vlan-10)# router-interface ve 1
SI-Internal(config-vlan-10)# exit
SI-Internal(config)# interface ve 1
SI-Internal(config-ve-1)# ip address 10.10.2.222 255.255.255.
Chapter 5 Configuring HA FWLB High Availability (HA) FWLB allows the ServerIron Chassis device to actively load balance traffic and provide enhanced performance.
the other ServerIron does not need to create a new session for the same traffic flow.
• If the ServerIron already has a session entry for the packet, the ServerIron forwards the traffic to the firewall in the session entry. All packets with the same source and destination addresses are forwarded to the same firewall.
• To change the UDP age timer, enter the server udp-age command at the global CONFIG level of the CLI.

NOTE: SLB uses the same values for the sticky age, TCP age, and UDP age timers. If you change a timer, the change applies to both SLB and FWLB.

Health Checks

The ServerIron regularly checks the health of the firewall and router paths, and of the applications on the firewalls, if you add applications to the firewall configurations.
  • The ServerIron sends a TCP SYN packet to the port on the firewall.
  • The ServerIron expects the firewall to respond with a SYN ACK.
  • If the ServerIron receives the SYN ACK, the ServerIron sends a TCP RESET, satisfied that the TCP port is alive.
• UDP health check – The ServerIron sends a UDP packet with garbage (meaningless) data to the UDP port:
  • If the firewall responds with an ICMP “Port Unreachable” message, the ServerIron concludes that the port is not alive.
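The two Layer 4 checks above can be reproduced from an ordinary host to verify, before enabling FWLB, that a firewall's application ports answer the way the ServerIron expects. The Python below is an added example written for this page, not code from the guide or from the ServerIron software. It approximates the guide's TCP exchange: `connect()` completes the full handshake (a user-space socket cannot withhold the final ACK) and the RESET is produced by closing with `SO_LINGER` set to zero. For UDP it treats only an ICMP Port Unreachable, surfaced by the kernel as ECONNREFUSED on a connected UDP socket, as "port not alive"; a reply or silence counts as alive. The loopback self-check and its timeouts are constructed for demonstration.

```python
import errno
import socket
import struct

DEFAULT_TIMEOUT = 2.0


def tcp_port_alive(host: str, port: int, timeout: float = DEFAULT_TIMEOUT) -> bool:
    """TCP check modelled on SYN / SYN-ACK / RESET. connect() completes the
    handshake; closing with SO_LINGER=0 makes the kernel send RST instead of FIN,
    so no half-closed session is left behind on the firewall."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER, struct.pack("ii", 1, 0))
        return True
    except OSError:            # refused, timed out, or unreachable
        return False


def udp_port_alive(host: str, port: int, timeout: float = DEFAULT_TIMEOUT) -> bool:
    """UDP check: send a meaningless datagram. Only ICMP Port Unreachable
    (ECONNREFUSED on a connected UDP socket) marks the port dead; any reply or
    silence is treated as alive, since a healthy service may ignore garbage."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect((host, port))
        try:
            s.send(b"\x00" * 8)           # garbage payload
            s.recv(1024)
            return True                   # some reply arrived
        except socket.timeout:
            return True                   # silence: no evidence the port is closed
        except OSError as exc:
            return exc.errno != errno.ECONNREFUSED


def check_firewall(host: str, tcp_ports=(), udp_ports=(), timeout: float = DEFAULT_TIMEOUT) -> dict:
    """Run the Layer 4 checks for one firewall and return {('tcp'|'udp', port): alive}."""
    results = {("tcp", p): tcp_port_alive(host, p, timeout) for p in tcp_ports}
    results.update({("udp", p): udp_port_alive(host, p, timeout) for p in udp_ports})
    return results


def loopback_selfcheck(timeout: float = 0.5) -> dict:
    """Constructed self-test on 127.0.0.1: a listening TCP socket and a bound but
    silent UDP socket should be alive; once they are closed the same ports should
    read as dead (the closed UDP port is detected only where the OS delivers
    ICMP Port Unreachable on loopback, which Linux does)."""
    tcp_srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    udp_srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tcp_srv.bind(("127.0.0.1", 0))
    tcp_srv.listen(1)                     # kernel completes handshakes without accept()
    udp_srv.bind(("127.0.0.1", 0))
    tcp_port = tcp_srv.getsockname()[1]
    udp_port = udp_srv.getsockname()[1]
    results = {}
    try:
        results["tcp_open"] = tcp_port_alive("127.0.0.1", tcp_port, timeout)
        results["udp_open"] = udp_port_alive("127.0.0.1", udp_port, timeout)
    finally:
        tcp_srv.close()
        udp_srv.close()
    results["tcp_closed"] = tcp_port_alive("127.0.0.1", tcp_port, timeout)
    results["udp_closed"] = udp_port_alive("127.0.0.1", udp_port, timeout)
    return results


if __name__ == "__main__":
    print(loopback_selfcheck())
```

Against a real firewall, `check_firewall("10.10.1.5", tcp_ports=(80,), udp_ports=(53,))` (addresses from Figure 4.1, used here only as an illustration) returns one verdict per port; a port that the ServerIron would later mark down shows up as `False` here first.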
NOTE: Active-Active operation is not the same thing as the always-active feature. The always-active feature is used to simplify the topology of high-availability FWLB configurations, and can be used in an Active-Active configuration.

Figure 5.1 shows an example of ServerIron Chassis devices configured for high-availability FWLB.

Figure 5.1 HA FWLB for Layer 3 Firewalls [figure: Client 10.10.6.23, Client 10.10.6.22, External Router A and External Router B sharing VRRP address 10.10.1.]
A management station attached to one of the ServerIrons on the private side of the firewalls provides Telnet management access to all four ServerIrons. To implement the Active-Active FWLB configuration shown in Figure 5.1, perform the following tasks on each ServerIron.

Table 5.1: Configuration tasks – Active-Active FWLB
  Task | See page...
ServerIron(config)# ip address 10.10.1.111 255.255.255.0
ServerIron(config)# ip default-gateway 10.10.1.101

Syntax: ip address
or
Syntax: ip address /
Syntax: ip default-gateway

Configuring the Partner Port

When you configure the ServerIron for IronClad FWLB, you need to specify the port number of the dedicated synchronization link between the ServerIron and its active-active partner.
NOTE: To define multiple router ports on a switch, enter the port numbers, separated by blanks. You can enter up to eight router ports in a single command line. To enter more than eight ports, enter the server router-ports command again with the additional ports. If the link is a trunk group, specify the port number of the primary port. The primary port is the first port in the trunk group.
• snmp – port 161
• ssl – port 443
• telnet – port 23
• tftp – port 69

The no-health-check parameter disables the Layer 4 path health check for this application port. Layer 4 health checks are enabled by default.
Adding the Firewalls to the Firewall Group

To add the firewalls to the firewall group, enter commands such as the following:

ServerIron(config-rs-FW1)# exit
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# fw-name FW1
ServerIron(config-tc-2)# fw-name FW2

Syntax: server fw-group 2

This command changes the CLI to the firewall group configuration level. The firewall group number is 2. Only one firewall group is supported.
• The max-conn limit is reached for that firewall
• The connection rate is exceeded for the firewall or the firewall port

The connection rate can be specified at the firewall level or at the firewall port level.
ServerIron(config-tc-2)# fwall-info 5 4/12 10.10.1.101 10.10.1.101

Syntax: [no] fwall-info

To configure the static MAC address entries for ServerIron SI-Ext-A in Figure 5.1, enter the following commands:

ServerIron(config-tc-2)# vlan 1
ServerIron(config-vlan-1)# static-mac-address 0050.da92.08fc ethernet 4/5 priority 1 router-type
ServerIron(config-vlan-1)# static-mac-address 0050.da8d.
NOTE: This step is applicable only if you are running a software release earlier than 07.2.20 and the chassis is using more than one forwarding module.

To display the WSM CPU allocations, enter the show wsm-map command.
SI-Ext-A(config-vlan-1)# no spanning-tree
SI-Ext-A(config-vlan-1)# exit

The commands above enable the always-active feature and disable the Spanning Tree Protocol (STP) in VLAN 1, which contains the ports that will carry the FWLB traffic.
NOTE: The wsm wsm-map command is required only if the chassis is using more than one forwarding module.

SI-Ext-A(config)# ip policy 1 fw tcp 0 global
SI-Ext-A(config)# ip policy 2 fw udp 0 global
SI-Ext-A(config)# write memory
SI-Ext-A(config)# end
SI-Ext-A# reload

The commands above enable FWLB, save the configuration changes to the startup-config file, and reload the software.

NOTE: FWLB becomes active as soon as you enable it.
SI-Ext-B(config)# write memory
SI-Ext-B(config)# end
SI-Ext-B# reload

Commands on ServerIron SI-Int-A

ServerIron> enable
ServerIron# configure terminal
ServerIron(config)# hostname SI-Int-A
SI-Int-A(config)# ip address 10.10.2.222 255.255.255.0
SI-Int-A(config)# ip default-gateway 10.10.2.
SI-Int-B(config)# trunk switch ethernet 4/5 to 4/6
SI-Int-B(config)# trunk switch ethernet 4/13 to 4/14
SI-Int-B(config)# vlan 1
SI-Int-B(config-vlan-1)# always-active
SI-Int-B(config-vlan-1)# no spanning-tree
SI-Int-B(config-vlan-1)# exit
SI-Int-B(config)# vlan 2 name sync_link by port
SI-Int-B(config-vlan-2)# untagged ethernet 4/13 to 4/14
SI-Int-B(config-vlan-2)# no spanning-tree
SI-Int-B(config-vlan-2)# exit
SI-Int-B(config)# server fw-port 4/13
SI-Int-B(config)# server router-ports
Figure 5.2 Active-Active FWLB Topology [figure: Client 1 30.30.1.1/16 and Client 2 40.40.1.1/24 behind External Router 1 (100.100.100.1/24, 20.20.1.120/24) and External Router 2 (100.100.100.2/24, 20.20.8.120/24); SI-A (Mgmt IP 20.20.1.111) on the 20.20.1.0/24 network and SI-B (Mgmt IP 20.20.8.111) on the 20.20.8.0/24 network, joined by a Synch Link Trunk on eth 2/7 - 2/8; OSPF Area 1; firewall interfaces at 20.20.1.1 to 20.20.1.4, 20.20.8.1 to 20.20.8.4 and corresponding 10.10.2.x and 10.10.8.x addresses]
SI-StandbyA(config)# module 2 bi-jc-8-port-gig-module
SI-StandbyA(config)# module 3 bi-jc-16-port-gig-copper-module
SI-StandbyA(config)# trunk switch ethernet 2/7 to 2/8
SI-StandbyA(config)# server fw-port 2/7
SI-StandbyA(config)# server router-ports ethernet 2/1
SI-StandbyA(config)# server fw-name fw1 20.20.1.1
SI-StandbyA(config-rs-FW1)# other-ip 20.20.8.
SI-StandbyA(config-vlan-999)# untagged ethernet 2/7 to 2/8
SI-StandbyA(config-vlan-999)# no spanning-tree
SI-StandbyA(config-vlan-999)# exit
SI-StandbyA(config)# hostname Ext-SI-A
SI-StandbyA(config)# ip address 20.20.1.111 255.255.255.0
SI-StandbyA(config)# ip default-gateway 20.20.1.
SI-StandbyB(config-rs-tc-2)# fwall-info 9 2/1 20.20.8.120 20.20.8.120
SI-StandbyB(config-rs-tc-2)# fw-predictor per-service-least-conn
SI-StandbyB(config-rs-tc-2)# exit
SI-StandbyB(config)# vlan 1 name DEFAULT-VLAN by port
SI-StandbyB(config-vlan-1)# always-active
SI-StandbyB(config-vlan-1)# no spanning-tree
SI-StandbyB(config-vlan-1)# static-mac-address 0004.80ed.17b4 ethernet 1 router-type
SI-StandbyB(config-vlan-1)# static-mac-address 0004.80f0.
SI-ActiveC(config-rs-FW4)# exit
SI-ActiveC(config)# server fw-group 2
SI-ActiveC(config-tc-2)# l2-fwall
SI-ActiveC(config-tc-2)# sym-priority 250
SI-ActiveC(config-tc-2)# fw-name fw1
SI-ActiveC(config-tc-2)# fw-name fw2
SI-ActiveC(config-tc-2)# fw-name fw3
SI-ActiveC(config-tc-2)# fw-name fw4
SI-ActiveC(config-tc-2)# fwall-info 1 3/1 20.20.1.111 10.10.2.1
SI-ActiveC(config-tc-2)# fwall-info 2 3/2 20.20.1.111 10.10.2.2
SI-ActiveC(config-tc-2)# fwall-info 3 3/3 20.20.1.
SI-ActiveD(config-rs-FW2)# other-ip 10.10.2.2
SI-ActiveD(config-rs-FW2)# port http
SI-ActiveD(config-rs-FW2)# port http no-health-check
SI-ActiveD(config-rs-FW2)# port http url "HEAD /"
SI-ActiveD(config-rs-FW2)# exit
SI-ActiveD(config)# server fw-name fw3 10.10.8.3
SI-ActiveD(config-rs-FW3)# other-ip 10.10.2.
Configuring Active-Active HA FWLB with VRRP

NOTE: Layer 3 routing is supported only on ServerIron Chassis devices running software release 08.0.00 or later.

This section shows examples of commonly used ServerIron IronClad FWLB deployments with Layer 3 configurations. The ServerIrons in these examples perform Layer 3 routing in addition to Layer 2 and Layer 4 – 7 switching.
Commands on External ServerIron A (SI-Ext-A)

The following commands change the CLI to the global CONFIG level, then change the hostname to "SI-Ext-A".

ServerIron> enable
ServerIron# configure terminal
ServerIron(config)# hostname SI-Ext-A

The following commands enable the always-active feature and disable the Spanning Tree Protocol (STP) in VLAN 1, which contains the ports that will carry the FWLB traffic.
SI-Ext-A(config-rs-fw1)# port http
SI-Ext-A(config-rs-fw1)# port http no-health-check
SI-Ext-A(config-rs-fw1)# exit
SI-Ext-A(config)# server fw-name fw2 10.10.1.2
SI-Ext-A(config-rs-fw2)# port http
SI-Ext-A(config-rs-fw2)# port http no-health-check
SI-Ext-A(config-rs-fw2)# exit

The following commands add the firewall definitions to the firewall port group (always group 2). The firewall group contains all the ports in VLAN 1 (the default VLAN).
commands in this example assign traffic on the forwarding modules in slots 3 and 4 to WSM CPU 1 on the Web Switching Management Module in slot 2.

SI-Ext-A(config)# wsm wsm-map slot 3 wsm-slot 2 wsm-cpu 1
SI-Ext-A(config)# wsm wsm-map slot 4 wsm-slot 2 wsm-cpu 1

NOTE: For simplicity, the configurations of the other ServerIrons in this example do not include wsm wsm-map commands.
SI-Ext-B(config-rs-fw1)# port http no-health-check
SI-Ext-B(config-rs-fw1)# exit
SI-Ext-B(config)# server fw-name fw2 10.10.1.2
SI-Ext-B(config-rs-fw2)# port http
SI-Ext-B(config-rs-fw2)# port http no-health-check
SI-Ext-B(config-rs-fw2)# exit
SI-Ext-B(config)# server fw-group 2
SI-Ext-B(config-tc-2)# fw-name fw1
SI-Ext-B(config-tc-2)# fw-name fw2
SI-Ext-B(config-tc-2)# sym-priority 1
SI-Ext-B(config-tc-2)# fwall-info 1 3/1 10.10.2.222 10.10.1.
SI-Int-A(config-rs-fw1)# exit
SI-Int-A(config)# server fw-name fw2 10.10.2.2
SI-Int-A(config-rs-fw2)# port http
SI-Int-A(config-rs-fw2)# port http no-health-check
SI-Int-A(config-rs-fw2)# exit
SI-Int-A(config)# server fw-group 2
SI-Int-A(config-tc-2)# fw-name fw1
SI-Int-A(config-tc-2)# fw-name fw2
SI-Int-A(config-tc-2)# sym-priority 255
SI-Int-A(config-tc-2)# fwall-info 1 4/1 10.10.1.111 10.10.2.1
SI-Int-A(config-tc-2)# fwall-info 2 3/2 10.10.1.111 10.10.2.
SI-Int-B(config-tc-2)# fwall-info 2 4/10 10.10.1.111 10.10.2.2
SI-Int-B(config-tc-2)# fwall-info 3 3/2 10.10.1.112 10.10.2.1
SI-Int-B(config-tc-2)# fwall-info 4 4/10 10.10.1.112 10.10.2.2
SI-Int-B(config-tc-2)# fw-predictor per-service-least-conn
SI-Int-B(config-tc-2)# l2-fwall
SI-Int-B(config-tc-2)# exit
SI-Int-B(config)# vlan 1
SI-Int-B(config-vlan-1)# static-mac-address 00e0.5201.042e ethernet 3/2 priority 1 router-type
SI-Int-B(config-vlan-1)# static-mac-address 00e0.5201.
Chapter 6 Configuring Multizone FWLB Multi-zone FWLB allows you to configure ServerIrons to forward packets based on the destination zone. For example, if your network consists of an Internet side, an internal side, and a Demilitarized Zone (DMZ) in between, you can configure ServerIrons to forward packets through the firewalls to the correct zone. When you configure multi-zone FWLB, you first identify a zone by configuring standard Access Control Lists (ACLs).
in. If you are configuring a ServerIron in zone 1, leave out configuration information for zone 1 and one of the other zones.

Configuring Basic Multi-Zone FWLB

Figure 6.1 shows an example of a basic multi-zone FWLB configuration. In this example, each ServerIron is in a separate zone:
• ServerIron Zone1-SI is in zone 1. By default, zone 1 contains all IP addresses that are not members of other, user-configured zones.
Figure 6.1 Basic multi-zone FWLB configuration [figure: Internet via WAN Router 209.157.24.250/24 in Zone 1; SI-1 209.157.24.13/24 (Zone 1); FW1 with interfaces 209.157.24.1/24, 209.157.25.1/24 and 209.157.23.1/24; FW2 with interfaces 209.157.24.254/24, 209.157.25.254/24 and 209.157.23.254/24; SI-2 209.157.25.15/24 in Zone 2; SI-3 209.157.23.15/24 in Zone 3; ServerIron ports 1 and 16 connect to the firewalls and port 5 to the router. Note: When undefined, Zone 1 contains all addresses not in the other zones.]
• Configure the paths and add static MAC entries for the firewall interfaces with the ServerIron. Configure a separate path through each firewall to each ServerIron. You also need to configure a path from each ServerIron to the router(s) attached to the ServerIron.
• Save the configuration to the startup-config file.
ServerIron Zone1-SI receives a packet that is not addressed to the sub-net Zone1-SI is in, and is not addressed to a sub-net in zone 2, the ServerIron assumes that the packet is for an address in the other zone, zone 3. The ServerIron forwards the packet to the ServerIron in zone 3.

Zone1-SI(config)# access-list 2 permit 209.157.25.0 0.0.0.
Zone1-SI(config)# static-mac-address abcd.5200.0b50 ethernet 16 high-priority router-type

Each command includes the MAC address of the firewall’s interface with the ServerIron and the ServerIron port that is connected to the firewall. The high-priority and router-type parameters identify the MAC entry type and are required.

NOTE: The syntax for the static-mac-address command is slightly different on ServerIron Chassis devices.
Zone2-SI(config)# exit
Zone2-SI# reload

Commands on Zone3-SI in Zone 3

The following commands configure ServerIron “Zone3-SI” in zone 3 in Figure 6.2 on page 6-8. The configuration is similar to the ones for the other ServerIrons, with the following exceptions:
• The management IP address is different.
• The default gateway goes to an interface on FW2.
• The paths are different due to the ServerIron’s placement in the network.
This example also uses a simplified topology. Instead of using Layer 2 switches and redundant links to provide failover data paths from the devices on the left side to the devices on the right side, this configuration uses additional links between the ServerIrons. The L2-fwall and always-active options enable you to use this type of simplified topology.
• Configure a standard ACL for each zone the ServerIron is not a member of, except zone 1. The ACLs identify the IP addresses or address ranges in the other zones. If you leave zone 1 undefined, all IP addresses that are not in this ServerIron’s own sub-net and are not members of zones configured on the ServerIron are assumed to be members of zone 1. If the ServerIron is a member of zone 1, configure a standard ACL for all but one of the other zones.
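The zone-classification rule above (own sub-net, then the ACL-defined zones, then exactly one undefined zone that catches everything else) is easy to get wrong when writing the ACLs, so it helps to model it before configuring the ServerIrons. The Python below is an added example, not code from this guide or the ServerIron software. It uses the sub-nets from Figure 6.1; the wildcard 0.0.0.255 in the sample access-list (the guide's line is cut off after 0.0.0.) and the class and function names are this example's assumptions.

```python
import ipaddress
from typing import Dict, Iterable


def acl_to_network(acl_ip: str, wildcard: str) -> str:
    """Translate a standard-ACL 'permit <ip> <wildcard>' pair into CIDR notation
    (wildcard 0.0.0.255 becomes /24). Non-contiguous wildcards are rejected."""
    host = int(ipaddress.IPv4Address(acl_ip))
    mask = (~int(ipaddress.IPv4Address(wildcard))) & 0xFFFFFFFF
    if (mask | (mask - 1)) & 0xFFFFFFFF != 0xFFFFFFFF:
        raise ValueError(f"wildcard {wildcard} is not a contiguous prefix mask")
    return f"{ipaddress.IPv4Address(host & mask)}/{bin(mask).count('1')}"


class ZoneClassifier:
    """Decide which zone a destination address belongs to, following the
    multi-zone rules in the guide: the ServerIron's own sub-net is its own zone,
    standard ACLs name the addresses of other zones, and exactly one zone is left
    undefined to catch everything else (zone 1 on a ServerIron outside zone 1,
    one of the other zones on a zone-1 ServerIron)."""

    def __init__(self, own_zone: int, own_subnet: str,
                 zone_acls: Dict[int, Iterable[str]], all_zones=(1, 2, 3)):
        self.own_zone = own_zone
        self.own_subnet = ipaddress.ip_network(own_subnet, strict=False)
        self.zone_acls = {z: [ipaddress.ip_network(n, strict=False) for n in nets]
                          for z, nets in zone_acls.items()}
        undefined = set(all_zones) - {own_zone} - set(self.zone_acls)
        if len(undefined) != 1:
            raise ValueError(f"exactly one zone must be left undefined, got {sorted(undefined)}")
        self.default_zone = undefined.pop()

    def zone_for(self, ip: str) -> int:
        addr = ipaddress.ip_address(ip)
        if addr in self.own_subnet:
            return self.own_zone
        for zone, nets in self.zone_acls.items():
            if any(addr in n for n in nets):
                return zone
        return self.default_zone


# Constructed from Figure 6.1. Zone1-SI (209.157.24.13/24) defines zone 2 with
# "access-list 2 permit 209.157.25.0 0.0.0.255" (wildcard assumed) and leaves zone 3 undefined.
ZONE1_SI = ZoneClassifier(1, "209.157.24.0/24",
                          {2: [acl_to_network("209.157.25.0", "0.0.0.255")]})
# Zone2-SI (209.157.25.15/24) defines zone 3 and leaves zone 1 undefined.
ZONE2_SI = ZoneClassifier(2, "209.157.25.0/24",
                          {3: [acl_to_network("209.157.23.0", "0.0.0.255")]})

if __name__ == "__main__":
    for ip in ("209.157.24.250", "209.157.25.200", "209.157.23.15", "198.51.100.7"):
        print(ip, "-> Zone1-SI says zone", ZONE1_SI.zone_for(ip),
              "/ Zone2-SI says zone", ZONE2_SI.zone_for(ip))
```

The constructor refuses a configuration that leaves more than one zone undefined, which is the ACL mistake the paragraph warns against: with two undefined zones the ServerIron has no way to tell where an unmatched packet should go. Note that from Zone1-SI's point of view an Internet address such as 198.51.100.7 is classified as zone 3, exactly as the guide states for packets that match neither its own sub-net nor zone 2.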
In this configuration, the default gateway for each ServerIron is the IP address of the firewall interface with that ServerIron. In this case, the IP address is the address of firewall FW1’s interface with this ServerIron.

ServerIron(config)# hostname Zone1-SI-A
Zone1-SI-A(config)# ip address 209.157.24.13 255.255.255.0
Zone1-SI-A(config)# ip default-gateway 209.157.24.1

The following command disables the Spanning Tree Protocol (STP).
example, if each ServerIron in Figure 6.2 on page 6-8 had links to both routers in its zone and also to both firewalls, and if Layer 2 switches were added to the configuration to allow STP to prevent Layer 2 loops, then it is possible that neither the l2-fwall nor the always-active option would be required. In the configuration in Figure 6.2 on page 6-8, each router and firewall is connected to only one of the two ServerIrons in an active-standby pair.
The l2-fwall command enables the L2-fwall option. This option blocks the Layer 2 traffic on the standby ServerIrons. If you do not enable this mode, Layer 2 traffic can pass through the ServerIrons, causing loops. Layer 3 traffic is automatically blocked on the standby ServerIrons, so you do not need to explicitly block the traffic.
port-based VLAN and is not used in any of the paths. The private link on ports 9 and 10 in VLAN 2 is used only to exchange failover information. All traffic between zones uses the links in the default VLAN. Notice that the last path, unlike the other paths, has the same IP address for the destination and the next-hop for the path. This path is a router path and ends at the router itself.
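Because every fwall-info line carries the same four fields (path ID, ServerIron port, far-end ServerIron or router address, next hop) and a router path is recognisable by its destination and next hop being the same address, a configuration excerpt can be checked mechanically against the limits in Table 3.1 before it is saved. The Python below is an added example written for this page, not code from the guide or the ServerIron software; the excerpt it parses is constructed from the Zone 3 commands shown in this chapter, and the function names and the set of checks are the example's own.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Limits from Table 3.1 of the guide
MAX_FIREWALLS, MAX_PATHS, MAX_ROUTER_PATHS = 16, 32, 4

# Optional "prompt# " prefix lets pasted terminal sessions parse as well as config files
FW_NAME_RE = re.compile(r"^(?:\S+#)?\s*server fw-name (\S+) (\d+\.\d+\.\d+\.\d+)")
FWALL_INFO_RE = re.compile(
    r"^(?:\S+#)?\s*fwall-info (\d+) (\S+) (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+)")


@dataclass
class FwPath:
    path_id: int
    port: str         # ServerIron port toward the firewall or router
    remote_ip: str    # ServerIron (or router) at the far end of the path
    next_hop: str     # firewall interface facing this ServerIron, or the router itself

    @property
    def is_router_path(self) -> bool:
        # A router path ends at the router: destination and next hop are the same address
        return self.remote_ip == self.next_hop


def parse_paths(config_text: str) -> Tuple[Dict[str, str], List[FwPath]]:
    """Return ({firewall name: ip}, [FwPath]) from a configuration excerpt."""
    firewalls, paths = {}, []
    for line in config_text.splitlines():
        m = FW_NAME_RE.match(line)
        if m:
            firewalls[m.group(1)] = m.group(2)
            continue
        m = FWALL_INFO_RE.match(line)
        if m:
            paths.append(FwPath(int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return firewalls, paths


def lint_paths(firewalls: Dict[str, str], paths: List[FwPath]) -> List[str]:
    """Checks worth running before 'write memory': Table 3.1 limits, duplicate
    path IDs, firewall paths whose next hop is not a defined firewall, and
    firewalls that no path goes through."""
    findings = []
    ip_to_fw = {ip: name for name, ip in firewalls.items()}
    if len(firewalls) > MAX_FIREWALLS:
        findings.append(f"{len(firewalls)} firewalls exceeds the limit of {MAX_FIREWALLS}")
    if len(paths) > MAX_PATHS:
        findings.append(f"{len(paths)} paths exceeds the limit of {MAX_PATHS}")
    router_paths = [p for p in paths if p.is_router_path]
    if len(router_paths) > MAX_ROUTER_PATHS:
        findings.append(f"{len(router_paths)} router paths exceeds the limit of {MAX_ROUTER_PATHS}")
    seen, used_fws = set(), set()
    for p in paths:
        if p.path_id in seen:
            findings.append(f"duplicate path id {p.path_id}")
        seen.add(p.path_id)
        if p.is_router_path:
            continue
        fw = ip_to_fw.get(p.next_hop)
        if fw is None:
            findings.append(f"path {p.path_id}: next hop {p.next_hop} is not a defined firewall")
        else:
            used_fws.add(fw)
    for name in firewalls:
        if name not in used_fws:
            findings.append(f"firewall {name} has no path through it")
    return findings


# Constructed excerpt assembled from the Zone 3 commands in this chapter
SAMPLE_CONFIG = """
server fw-name FW1 209.157.23.1
server fw-name FW2 209.157.23.254
server fw-group 2
 fw-name FW1
 fw-name FW2
 fwall-info 1 1 209.157.24.13 209.157.23.1
 fwall-info 2 1 209.157.24.14 209.157.23.1
 fwall-info 3 16 209.157.24.13 209.157.23.254
 fwall-info 4 16 209.157.24.14 209.157.23.254
 fwall-info 9 5 209.157.23.15 209.157.23.15
"""

if __name__ == "__main__":
    fws, ps = parse_paths(SAMPLE_CONFIG)
    print("router paths:", [p.path_id for p in ps if p.is_router_path])
    print("findings:", lint_paths(fws, ps) or "none")
```

On the sample excerpt the linter reports nothing and identifies path 9 as the router path; appending a line such as `fwall-info 3 16 209.157.25.15 209.157.23.9` (a constructed mistake) produces two findings, one for the duplicate path ID and one for the next hop that matches no defined firewall.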
Zone1-SI-S(config)# server fw-port 9
Zone1-SI-S(config)# trunk switch ethernet 9 to 10
Zone1-SI-S(config)# vlan 10 by port
Zone1-SI-S(config-vlan-10)# untagged 9 to 10
Zone1-SI-S(config-vlan-10)# exit
Zone1-SI-S(config)# vlan 1
Zone1-SI-S(config-vlan-1)# always-active
Zone1-SI-S(config-vlan-1)# exit
Zone1-SI-S(config)# server fw-name FW1 209.157.24.1
Zone1-SI-S(config-rs-FW1)# exit
Zone1-SI-S(config)# server fw-name FW2 209.157.24.
Zone2-SI-A(config)# ip policy 1 fw tcp 0 global
Zone2-SI-A(config)# ip policy 2 fw udp 0 global
Zone2-SI-A(config)# server router-ports 5
Zone2-SI-A(config)# server fw-port 9
Zone2-SI-A(config)# trunk switch ethernet 9 to 10
Zone2-SI-A(config)# vlan 10 by port
Zone2-SI-A(config-vlan-10)# untagged 9 to 10
Zone2-SI-A(config-vlan-10)# exit
Zone2-SI-A(config)# vlan 1
Zone2-SI-A(config-vlan-1)# always-active
Zone2-SI-A(config-vlan-1)# exit
Zone2-SI-A(config)# server fw-name FW1 209.
Zone2-SI-S(config-vlan-1)# always-active
Zone2-SI-S(config-vlan-1)# exit
Zone2-SI-S(config)# server fw-name FW1 209.157.25.1
Zone2-SI-S(config-rs-FW1)# exit
Zone2-SI-S(config)# server fw-name FW2 209.157.25.254
Zone2-SI-S(config-rs-FW2)# exit
Zone2-SI-S(config)# access-list 3 permit 209.157.23.0 0.0.0.
Zone3-SI-A(config-tc-2)# fw-name FW1
Zone3-SI-A(config-tc-2)# fw-name FW2
Zone3-SI-A(config-tc-2)# l2-fwall
Zone3-SI-A(config-tc-2)# sym-priority 1
Zone3-SI-A(config-tc-2)# fwall-info 1 1 209.157.24.13 209.157.23.1
Zone3-SI-A(config-tc-2)# fwall-info 2 1 209.157.24.14 209.157.23.1
Zone3-SI-A(config-tc-2)# fwall-info 3 16 209.157.24.13 209.157.23.254
Zone3-SI-A(config-tc-2)# fwall-info 4 16 209.157.24.14 209.157.23.254
Zone3-SI-A(config-tc-2)# fwall-info 5 1 209.157.25.15 209.157.
Zone3-SI-S(config-tc-2)# fwall-info 6 16 209.157.25.16 209.157.23.1
Zone3-SI-S(config-tc-2)# fwall-info 7 1 209.157.25.15 209.157.23.1
Zone3-SI-S(config-tc-2)# fwall-info 8 1 209.157.25.16 209.157.23.254
Zone3-SI-S(config-tc-2)# fwall-info 9 5 209.157.23.15 209.157.23.15
Zone3-SI-S(config-tc-2)# exit
Zone3-SI-S(config)# vlan 1
Zone3-SI-S(config-vlan-1)# static-mac-address abcd.5200.3489 ethernet 1 high-priority router-type
Zone3-SI-S(config-vlan-1)# static-mac-address abcd.
Configuration Examples with Layer 3 Routing
NOTE: Layer 3 routing is supported only on ServerIron Chassis devices running software release 08.0.00 or later.
This section shows examples of commonly used ServerIron multizone FWLB deployments with Layer 3 configurations. The ServerIrons in these examples perform Layer 3 routing in addition to Layer 2 and Layer 4 – 7 switching.
Figure 6.4 Multizone FWLB with One Sub-net and One Virtual Routing Interface
[Figure 6.4 diagram: When undefined, Zone 1 contains all addresses not in the other zones. Labels: Zone 1 (IP 20.20.100.100, Gateway 20.20.254.254), External Router, Active ServerIron A (SI-A, 10.10.1.101) on Port 4/1, Sync Link on Ports 4/9 - 4/10, Data Link on Ports 4/11 - 4/12, firewall interfaces IP 10.10.1.1 (MAC 00e0.5201.a17a) and IP 10.10.1.2; remaining labels not recoverable.]
The following commands configure the synchronization link between this ServerIron and ServerIron Zone1-SI-B. For redundancy, the link is configured on a trunk group.
Zone1-SI-A(config)# vlan 10
Zone1-SI-A(config-vlan-10)# untagged ethernet 4/9 to 4/10
Zone1-SI-A(config-vlan-10)# exit
Zone1-SI-A(config)# trunk switch ethernet 4/9 to 4/10
Zone1-SI-A(config)# server fw-port 4/9
The following commands configure the data link connecting this ServerIron to its partner, Zone1-SI-B.
Zone1-SI-A(config-tc-2)# fwall-info 6 4/11 10.10.3.111 10.10.1.2
Zone1-SI-A(config-tc-2)# exit
Zone1-SI-A(config)# vlan 1
Zone1-SI-A(config-vlan-1)# static-mac-address 00e0.5201.a17a ethernet 4/1 priority 1 router-type
Zone1-SI-A(config-vlan-1)# static-mac-address 00e0.5207.
Zone1-SI-A(config)# ip l4-policy 1 fw tcp 0 global
Zone1-SI-A(config)# ip l4-policy 2 fw udp 0 global
The following command saves the configuration changes to the startup-config file.
Zone1-SI-S(config)# vlan 1
Zone1-SI-S(config-vlan-1)# static-mac-address 00e0.5201.a17a ethernet 4/11 priority 1 router-type
Zone1-SI-S(config-vlan-1)# static-mac-address 00e0.5207.973c ethernet 4/1 priority 1 router-type
Zone1-SI-S(config-vlan-1)# exit
Zone1-SI-S(config)# server fw-group 2
Zone1-SI-S(config-tc-2)# fw-predictor per-service-least-conn
Zone1-SI-S(config-tc-2)# exit
Zone1-SI-S(config)# access-list 2 permit 10.10.2.0 0.0.0.
Zone2-SI-A(config)# server partner-ports ethernet 4/11
Zone2-SI-A(config)# server partner-ports ethernet 4/12
Zone2-SI-A(config)# server fw-group 2
Zone2-SI-A(config-tc-2)# l2-fwall
Zone2-SI-A(config-tc-2)# exit
Zone2-SI-A(config)# server fw-name fw1 10.10.2.
Commands on Zone 2’s Standby ServerIron (Zone2-SI-S)
ServerIron> enable
ServerIron# configure terminal
ServerIron(config)# hostname Zone2-SI-S
Zone2-SI-S(config)# vlan 1
Zone2-SI-S(config-vlan-1)# always-active
Zone2-SI-S(config-vlan-1)# no spanning-tree
Zone2-SI-S(config-vlan-1)# router-interface ve 1
Zone2-SI-S(config-vlan-1)# exit
Zone2-SI-S(config)# interface ve 1
Zone2-SI-S(config-ve-1)# ip address 10.10.2.223 255.255.255.
Zone2-SI-S(config)# server group 2
Zone2-SI-S(config-tc-2)# fw-predictor per-service-least-conn
Zone2-SI-S(config-tc-2)# exit
Zone2-SI-S(config)# access-list 3 permit 10.10.3.0 0.0.0.255
Zone2-SI-S(config)# server fw-group 2
Zone2-SI-S(config-tc-2)# fwall-zone zone3 3 3
Zone2-SI-S(config-tc-2)# exit
Zone2-SI-S(config)# server real-name rs1 10.10.2.40
Zone2-SI-S(config-rs-rs1)# port http
Zone2-SI-S(config-rs-rs1)# exit
Zone2-SI-S(config)# server real-name rs1 10.10.2.
Zone3-SI-A(config-tc-2)# fwall-info 2 4/2 10.10.1.111 10.10.3.2
Zone3-SI-A(config-tc-2)# fwall-info 3 4/1 10.10.1.112 10.10.3.1
Zone3-SI-A(config-tc-2)# fwall-info 4 4/2 10.10.1.112 10.10.3.2
Zone3-SI-A(config-tc-2)# fwall-info 5 4/1 10.10.2.222 10.10.3.1
Zone3-SI-A(config-tc-2)# fwall-info 6 4/2 10.10.2.222 10.10.3.2
Zone3-SI-A(config-tc-2)# fwall-info 7 4/1 10.10.2.223 10.10.3.1
Zone3-SI-A(config-tc-2)# fwall-info 8 4/2 10.10.2.223 10.10.3.
Figure 6.5 Multizone FWLB with Multiple Sub-nets and Multiple Virtual Routing Interfaces
[Figure 6.5 diagram: When undefined, Zone 1 contains all addresses not in the other zones. Labels: Zone 1 (IP 20.20.100.100, Gateway 20.20.254.254), External Router, Active ServerIron A (SI-A, 10.10.7.101) on Port 4/1, Sync Link on Ports 4/9 - 4/10, Data Link on Ports 4/11 - 4/12, firewalls FW1 and FW2 with interfaces IP 10.10.1.1, IP 10.10.1.2 and IP 10.10.3.1; remaining labels not recoverable.]
The following command configures a static route to the sub-net that contains the external host.
Zone1-SI-A(config)# ip route 20.20.0.0 255.255.0.0 10.10.7.100
The following commands configure the synchronization link between this ServerIron and ServerIron Zone1-SI-B. For redundancy, the link is configured on a trunk group.
The following commands set the load balancing method to balance requests based on the firewall that has the least number of connections for the requested service. For example, the ServerIron will load balance HTTP requests based on the firewall that has fewer HTTP session entries in the ServerIron session table.
Zone1-SI-S(config-vlan-2)# untagged ethernet 4/1 to 4/8
Zone1-SI-S(config-vlan-2)# router-interface ve 1
Zone1-SI-S(config-vlan-2)# exit
Zone1-SI-S(config)# interface ve 1
Zone1-SI-S(config-ve-1)# ip address 10.10.1.112 255.255.255.
Zone1-SI-S(config-rs-web1)# port http
Zone1-SI-S(config-rs-web1)# exit
Zone1-SI-S(config)# server remote-name web2 10.10.8.42
Zone1-SI-S(config-rs-web2)# port http
Zone1-SI-S(config-rs-web2)# exit
Zone1-SI-S(config)# server remote-name web3 10.10.6.41
Zone1-SI-S(config-rs-web3)# port http
Zone1-SI-S(config-rs-web3)# exit
Zone1-SI-S(config)# server remote-name web4 10.10.6.
Zone2-SI-A(config-tc-2)# l2-fwall
Zone2-SI-A(config-tc-2)# exit
Zone2-SI-A(config)# server fw-name fw1 10.10.2.1
Zone2-SI-A(config-rs-fw1)# port http
Zone2-SI-A(config-rs-fw1)# port http no-health-check
Zone2-SI-A(config-rs-fw1)# port ftp
Zone2-SI-A(config-rs-fw1)# port ftp no-health-check
Zone2-SI-A(config-rs-fw1)# port snmp
Zone2-SI-A(config-rs-fw1)# port snmp no-health-check
Zone2-SI-A(config-rs-fw1)# exit
Zone2-SI-A(config)# server fw-name fw2 10.10.2.
Zone1-SI-S(config)# vlan 2
Zone1-SI-S(config-vlan-2)# always-active
Zone1-SI-S(config-vlan-2)# tagged ethernet 4/11 to 4/12
Zone1-SI-S(config-vlan-2)# untagged ethernet 4/1 to 4/8
Zone1-SI-S(config-vlan-2)# router-interface ve 1
Zone1-SI-S(config-vlan-2)# exit
Zone1-SI-S(config)# interface ve 1
Zone1-SI-S(config-ve-1)# ip address 10.10.2.223 255.255.255.
Zone2-SI-S(config-tc-2)# exit
Zone2-SI-S(config)# access-list 3 permit 10.10.3.0 0.0.0.255
Zone2-SI-S(config)# access-list 3 permit 10.10.6.0 0.0.0.255
Zone2-SI-S(config)# server fw-group 2
Zone2-SI-S(config-tc-2)# fwall-zone zone3 3 3
Zone2-SI-S(config-tc-2)# exit
Zone2-SI-S(config)# server real-name rs1 10.10.8.40
Zone2-SI-S(config-rs-rs1)# port http
Zone2-SI-S(config-rs-rs1)# exit
Zone2-SI-S(config)# server real-name rs1 10.10.8.
Zone3-SI-A(config)# server fw-group 2
Zone3-SI-A(config-tc-2)# fw-name fw1
Zone3-SI-A(config-tc-2)# fw-name fw2
Zone3-SI-A(config-tc-2)# fwall-info 1 4/1 10.10.1.111 10.10.3.1
Zone3-SI-A(config-tc-2)# fwall-info 2 4/2 10.10.1.111 10.10.3.2
Zone3-SI-A(config-tc-2)# fwall-info 3 4/1 10.10.1.112 10.10.3.1
Zone3-SI-A(config-tc-2)# fwall-info 4 4/2 10.10.1.112 10.10.3.2
Zone3-SI-A(config-tc-2)# fwall-info 5 4/1 10.10.2.222 10.10.3.1
Zone3-SI-A(config-tc-2)# fwall-info 6 4/2 10.10.2.
Chapter 7 Configuring FWLB for NAT Firewalls
Some Layer 3 firewalls perform network address translation (NAT). These firewalls translate private addresses on the private side of the network into public (Internet) addresses on the public side of the network.
NOTE: The configuration steps for firewalls that perform NAT are identical to the steps for basic and IronClad FWLB without NAT, with just one additional step. The additional step disables load balancing for the NAT addresses.
See “Preventing Load Balancing of the NAT Addresses” on page 7-5.
Figure 7.1 FWLB for Layer 3 firewalls performing NAT—basic configuration
[Figure 7.1 diagram: Internet, WAN Router 209.157.23.106/24, SI-A with Port e1 and Port e2, firewall interfaces 209.157.23.109/24 and 209.157.23.108/24 with their NAT addresses; remaining labels not recoverable.]
NOTE: The user interface allows you to enable FWLB locally instead of globally. However, local policies are not applicable to FWLB. Enable the feature globally. To enable FWLB globally, use the following method.
Command Syntax
Syntax: [no] server fw-name
NOTE: When you add a firewall name, the CLI level changes to the Firewall level. This level is used when you are configuring stateful FWLB.
Syntax: server fw-group 2
This command changes the CLI to the firewall group configuration level. The firewall group number is 2. Only one firewall group is supported.
Syntax: [no] fw-name
Adds a configured firewall to the firewall group.
router-type
Commands for ServerIron B (Internal)
ServerIron-B(config)# server fw-group 2
ServerIron-B(config-tc-2)# fwall-info 1 1 209.157.23.106 10.10.10.10
ServerIron-B(config-tc-2)# fwall-info 2 2 209.157.23.106 10.10.10.11
ServerIron-B(config-tc-2)# exit
ServerIron-B(config)# static-mac-address abcd.da68.6655 ethernet 1 high-priority router-type
ServerIron-B(config)# static-mac-address abcd.da68.
USING THE CLI
Use either of the following methods to disable load balancing for the NAT addresses.
Extra Firewall Method
To disable load balancing for the NAT addresses by adding firewalls for the addresses, enter commands such as the following.
NOTE: Do not configure paths for the firewalls.
ServerIron-A(config)# server fw-name fw3NAT 209.157.23.107
ServerIron-A(config-rs-fw3NAT)# exit
ServerIron-A(config)# server fw-name fw4NAT 209.157.23.
ServerIron-A(config)# server fw-name fw1 209.157.23.108
ServerIron-A(config-rs-fw1)# exit
ServerIron-A(config)# server fw-name fw2 209.157.23.109
ServerIron-A(config-rs-fw2)# exit
The following two commands add firewall entries for the hidden NAT addresses. These entries prevent the ServerIron from load balancing the firewall traffic to these addresses.
NOTE: The third policy, which permits all traffic, is required because once you define an access policy, the default action for packets that do not match a policy is to deny them. Thus, if you configure only the first two policies and not the third one, you actually disable load balancing altogether by denying the load balancing for all packets. The other commands are the same as in the previous section.
Figure 7.2 FWLB for Layer 3 firewalls performing NAT—IronClad configuration
[Figure 7.2 diagram: Internet and External Router (192.168.1.1/24 and 192.168.2.1/24, Port e8 on each ServerIron); Active ServerIron A 192.168.1.10/24 and Standby ServerIron A (3.3.3.11/24) with Port e1 and Port e2; Standby ServerIron B 3.3.3.20/24; firewalls FW1 and FW2 with interfaces in 192.168.1.0/24, 192.168.2.0/24, 3.3.3.0/24 and 4.4.4.0/24; remaining labels not recoverable.]
Enabling FWLB
To enable FWLB, you configure global IP policies. FWLB for TCP and UDP is controlled independently, so you need to configure a separate global IP policy for each type of traffic. When you enable FWLB for TCP or UDP globally, all ports that are in the firewall group are enabled for FWLB. All ServerIron ports are in firewall group 2 by default. Thus, if you enable FWLB globally, it affects all physical ports unless you remove ports from firewall groups.
Defining the Firewalls and Adding them to the Firewall Group
When FWLB is enabled, all the ServerIron ports are in firewall group 2 by default. However, you need to add an entry for each firewall. To add an entry for a firewall, specify the firewall name and IP address. You can specify a name up to 32 characters long. After you add the firewall entries, add the firewalls to the firewall group. To define the firewalls shown in Figure 7.
This command changes the CLI to the firewall group configuration level. The firewall group number is 2. Only one firewall group is supported.
Syntax: [no] fw-name
Adds a configured firewall to the firewall group.
Configuring Paths and Adding Static MAC Entries for Layer 3 Firewalls
A path is configuration information the ServerIron uses to ensure that a given source and destination IP pair is always authenticated by the same Layer 3 firewall.
Commands for Standby ServerIron A (External Standby)
SI-StandbyA(config)# server fw-group 2
SI-StandbyA(config-tc-2)# fwall-info 1 1 3.3.3.20 192.168.2.2
SI-StandbyA(config-tc-2)# fwall-info 2 2 3.3.3.20 192.168.2.3
SI-StandbyA(config-tc-2)# fwall-info 3 1 4.4.4.20 192.168.2.2
SI-StandbyA(config-tc-2)# fwall-info 4 2 4.4.4.20 192.168.2.3
SI-StandbyA(config-tc-2)# fwall-info 5 8 192.168.2.1 192.168.2.
NOTE: The static MAC entries are required. You must add a static MAC entry for each firewall interface with the ServerIron. In addition, you must use the high-priority and router-type parameters with the static-mac-address command. These parameters enable the ServerIron to use the address for FWLB.
NOTE: If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-based VLAN (VLAN 1).
Preventing Load Balancing of the NAT Addresses
When you configure ServerIrons for load balancing traffic across NAT firewalls, you must disable load balancing on the NAT addresses themselves. You can use either of the following methods to do so. Each method is equally valid and only one of the methods is required. You need to use one of these methods only on the ServerIron connected to the external network, not the ServerIron on the internal side of the network.
To prevent the ServerIron from load balancing the NAT addresses, you can use either of the following methods.
• Configure the NAT addresses as firewall addresses, but do not configure paths for the addresses.
ServerIron-A(config-rs-fw4NAT)# exit
The following commands configure the firewall group. The server fw-group 2 command changes the focus of the CLI to firewall group 2. The sym-priority command specifies the priority of this ServerIron with respect to the other ServerIron for the firewalls in the firewall group. The priority can be from 0 – 255. The ServerIron with the higher priority is the default active ServerIron for the firewalls within the group.
SI-ActiveA(config)# ip policy 1 fw tcp 0 global
SI-ActiveA(config)# ip policy 2 fw udp 0 global
SI-ActiveA(config)# write memory
Alternative Configuration for Active ServerIron A
The example above configures FWLB for NAT firewalls by adding firewall definitions for the IP addresses the NAT service on the firewalls uses for traffic sent from a client inside the firewalls to a destination outside the firewalls.
Alternative Configuration for Standby ServerIron A
The example above configures FWLB for NAT firewalls by adding firewall definitions for the IP addresses the NAT service on the firewalls uses for traffic sent from a client inside the firewalls to a destination outside the firewalls. Alternatively, you can configure IP access policies that deny load balancing for the NAT addresses. For the example in Figure 7.
Chapter 8 Configuring FWLB and SLB
NOTE: This chapter shows basic FWLB configurations with Layer 3 firewalls. Currently, these are the configurations supported by the ServerIron. If you need to perform concurrent SLB and FWLB in a different type of FWLB configuration, contact Brocade Communications Systems.
You can configure the ServerIron to perform FWLB and SLB concurrently.
Figure 8.1 shows an example of an SLB-to-FWLB configuration.
Figure 8.1 SLB-to-FWLB configuration
[Figure 8.1 diagram: Internet, WAN Router, SI-A (192.168.1.100) with Port e3 and Port e5, FW-1 with FW1-IPin 192.168.1.30 (MAC abcd.4321.34e0) and FW1-IPout 192.168.2.30 (MAC abcd.4321.34e2), FW2-IPin 192.168.1.40 (MAC abcd.4321.34e1). SLB Configuration notes: Real Servers 192.168.2.50 and 192.168.2.60; Real Servers are defined as remote; Virtual Server 192.168.1. (truncated on the page).]
Figure 8.2 shows an example of an FWLB-to-SLB configuration.
Figure 8.2 FWLB-to-SLB configuration
[Figure 8.2 diagram: Internet, WAN Router, SI-A (192.168.1.100) with Port e3 and Port e5, FW-1 with FW1-IPin 192.168.1.30 (MAC abcd.4321.34e0) and FW1-IPout 192.168.2.30 (MAC abcd.4321.34e2), FW-2 with FW2-IPin 192.168.1.40 (MAC abcd.4321.34e1). SLB Configuration notes: Real Servers 192.168.2.50 and 192.168.2.60; Real Servers can be defined as local because proxy ARP is enabled on the Internal Router; Virtual Server 192.168.2. (truncated on the page).]
The tasks under the first item (Configure SLB parameters on the Internet ServerIron) are described in the following sections. The remaining tasks are identical to the tasks for configuring basic FWLB for Layer 3 firewalls. For more information about these tasks, see “Configuring Basic Layer 3 FWLB” on page 4-1.
Configuring the SLB Parameters
In an SLB-to-FWLB configuration, all SLB configuration takes place on the Internet ServerIron.
Binding the Real Server to the Virtual Server
To bind the real servers to the virtual server, enter the following commands on the Internet ServerIron (ServerIron A). Notice that the port binding takes place on the Virtual Server configuration level.
USING THE CLI
ServerIronA(config)# server virtual www.brocade.com
ServerIronA(config-vs-www.brocade.com)# bind http RS1 http
ServerIronA(config-vs-www.brocade.com)# bind http RS2 http
ServerIronA(config-vs-www.brocade.
ServerIronA(config)# server fw-name FW1-IPin 192.168.1.30
ServerIronA(config-rs-FW1-IPin)# exit
ServerIronA(config)# server fw-name FW2-IPin 192.168.1.40
ServerIronA(config-rs-FW2-IPin)# exit
The following commands configure parameters for firewall group 2. The fwall-info commands configure the paths for the firewall traffic.
ServerIronB(config-tc-2)# fwall-info 2 2 192.168.1.100 192.168.2.40
ServerIronB(config-tc-2)# exit
ServerIronB(config)# static-mac-address abcd.4321.34e2 ethernet 1 high-priority router-type
ServerIronB(config)# static-mac-address abcd.4321.
Configuring the Real Servers
To configure the real servers shown in Figure 8.2 on page 8-3, enter the following commands on the internal ServerIron (ServerIron B).
NOTE: In FWLB-to-SLB configurations, you must define the real servers as remote servers unless Proxy ARP is enabled on the internal router.
USING THE CLI
ServerIronB(config)# server real-name RS1 192.168.2.
ServerIronB(config)# server fw-slb
Syntax: [no] server fw-slb
Configuration Example for FWLB-to-SLB
The following sections show all the ServerIron commands you would enter on each ServerIron to implement the FWLB-to-SLB configuration shown in Figure 8.2 on page 8-3.
Commands on ServerIron A (External)
The following commands change the ServerIron’s host name to “ServerIronA”, configure the ServerIron’s management IP address, and specify the default gateway.
The value “0” is equivalent to “any” and means the ServerIron should perform FWLB for all TCP traffic. The second ip policy command enables FWLB for all UDP traffic.
ServerIronA(config)# ip policy 1 fw tcp 0 global
ServerIronA(config)# ip policy 2 fw udp 0 global
ServerIronA(config)# write memory
Commands on ServerIron B (Internal)
Enter the following commands to configure SLB.
ServerIronB(config)# ip policy 2 fw udp 0 global
ServerIronB(config)# write memory
From HA Chapter
Active-Active FWLB – with External SLB (FWLB-to-SLB)
The software supports two types of FWLB with SLB configurations. Your choice of implementation depends on which pair of ServerIrons you want to use for the SLB configuration. Use SLB-to-FWLB if you want to place the SLB configuration on the external ServerIrons.
Figure 8.3 Active-Active FWLB with SLB
[Figure 8.3 diagram: clients; external ServerIrons SI-Ext-A (10.10.1.111) and SI-Ext-B; internal ServerIron SI-Int-A (10.10.2.222); Synchronization Link on Trunk Ports 3/5 - 3/6 and Port 4/1; Additional Data Link on Port 4/1; Firewall-1 and Firewall-2 with interfaces IP 10.10.1.1 (MAC 00e0.5201.0426), IP 10.10.1.2 (MAC 00e0.5201.2180) and IP 10.10.2.1 (MAC 00e0.5201.042e); remaining labels not recoverable.]
server fw-port command identifies the port number the link is on. If the link is a trunk group, you must specify the MAC address of the group’s primary port.
SI-Ext-A(config)# trunk switch ethernet 3/5 to 3/6
SI-Ext-A(config)# vlan 10
SI-Ext-A(config-vlan-10)# untagged ethernet 3/5 to 3/6
SI-Ext-A(config-vlan-10)# exit
SI-Ext-A(config)# server fw-port 3/5
The following command configures the data link between this ServerIron and its active-active partner.
The following command sets the load balancing method to balance requests based on the firewall that has the least number of connections for the requested service. Since the firewall definitions above specify the HTTP service, the ServerIron will load balance requests based on the firewall that has fewer HTTP session entries in the ServerIron session table.
SI-Ext-A(config)# ip l4-policy 1 fw tcp 0 global
SI-Ext-A(config)# ip l4-policy 2 fw udp 0 global
The following command saves the configuration changes to the startup-config file.
SI-Ext-A(config)# write memory
Commands on External ServerIron B (SI-Ext-B)
Here are the commands for configuring SI-Ext-B in Figure 8.3 on page 8-12. The SLB configuration is identical to the one on SI-Ext-A.
SI-Ext-B(config-rs-web3)# server remote-name web4 10.10.2.43
SI-Ext-B(config-rs-web4)# port http
SI-Ext-B(config-rs-web4)# server virtual webby 10.10.1.
Commands on Internal ServerIron B (SI-Int-B)
ServerIron> enable
ServerIron# configure terminal
ServerIron(config)# hostname SI-Int-B
SI-Int-B(config)# vlan 1
SI-Int-B(config-vlan-1)# always-active
SI-Int-B(config-vlan-1)# no spanning-tree
SI-Int-B(config-vlan-1)# router-interface ve 1
SI-Int-B(config-vlan-1)# exit
SI-Int-B(config)# interface ve 1
SI-Int-B(config-ve-1)# ip address 10.10.2.223 255.255.255.0
SI-Int-B(config-ve-1)# exit
SI-Int-B(config)# ip route 0.0.0.0 0.0.0.0 10.10.
Chapter 9 Viewing FWLB Configuration Details and Statistics
You can view the following FWLB configuration details and statistics:
• Firewall group information – Displays the firewall configuration, the status of each firewall, and traffic statistics for traffic between each firewall and the ServerIron.
• Firewall path information – Shows the synchronization paths configured for the firewall.
NOTE: The information is shown from this ServerIron’s perspective.
• 2 – Failed
• 3 – Testing
• 4 – Suspect
• 6 – Active
NOTE: Status 5 (Graceful Shutdown) does not apply to firewalls.
• The Hash-distribution field shows how many hash values are assigned to the server. This information is relevant only when no path information is configured for the firewall group. If the group is using paths, the hash-distribution value is always 0.
basic stateful FWLB configuration. In this example, HTTP traffic and Telnet traffic are explicitly associated with fw1 and fw2.
ServerIronA(config)# show fw-group
Firewall-group 2 has 2 members
Admin-status = Enabled Active = 0
Hash_info: Dest_mask = 255.255.255.255 Src_mask = 255.255.255.
The example above is for the external ServerIron (ServerIron A). The following example shows statistics for the internal ServerIron (ServerIron B).
ServerIronB(config)# show fw-group
Firewall-group 2 has 2 members
Admin-status = Enabled Active = 0
Hash_info: Dest_mask = 255.255.255.255 Src_mask = 255.255.255.255
Firewall Server Name   Admin-status   Hash-distribution
fw1-IPout              6              0
fw2-IPout              6              0
Traffic From<->to Firewall Servers
Name: fw1-IPout IP: 209.157.23.
USING THE CLI
To display path information for FWLB, enter the following command at any level of the CLI:
ServerIron(config)# show server fw-path
Firewall Server Path Info
Number of Fwall = 4
Target-ip   Next-hop-ip
3.3.3.10    1.1.1.3
3.3.3.10    1.1.1.4
4.4.4.10    1.1.1.3
4.4.4.10    1.1.1.
Table 9.1: FWLB Path Information (Continued)
This Field...   Displays...
Rx State        Indicates the state of the receive side of the path. The state can be one of the following:
                • 0 – The receive side is down.
                • 1 – The receive side is up.
                The state of the other end of the path. The state can be one of the following:
                • 3 – The ServerIron at the other end of the path is in standby mode for the firewall group.
Table 9.1: FWLB Path Information (Continued)
This Field...   Displays...
State information for IronClad FWLB   The Current, Local, and Partner columns show the following:
• Current shows the immediate state information.
• Local shows the normalized state information. When the current state remains unchanged for three seconds, the current state value becomes the local state value. Local state information is used to compute the active-standby status.
Process for Load Balancing
By default, FWLB uses a hashing algorithm to select a firewall for a packet based on the packet’s source and destination IP address. Optionally, you can configure the ServerIron to also hash based on source and destination TCP or UDP application ports.
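The following is an added illustrative model, not ServerIron code, of two decisions this guide describes: the global access-policy check from Chapter 7 that excludes NAT addresses from FWLB (where the default action becomes deny as soon as any policy exists, so the trailing permit-all policy is required), and the hash on the source/destination IP pair, optionally with TCP/UDP ports, that selects a firewall. The hash function, the Policy and Packet classes, the 256-bucket count and the external client address 198.51.100.7 are constructed stand-ins; the guide states only what the hash is keyed on, not the ServerIron's algorithm, so only its properties (determinism and symmetry between request and reply) are modelled.

```python
"""Illustrative FWLB decision model (added example; not ServerIron code)."""
import hashlib
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


@dataclass(frozen=True)
class Policy:
    action: str        # "permit" or "deny" load balancing (constructed model)
    src: IPv4Network
    dst: IPv4Network


ANY = IPv4Network("0.0.0.0/0")


def lb_permitted(pkt, policies):
    """First-match evaluation of the constructed policy list.

    With no policies defined, every packet is load balanced. Once any policy
    exists, a packet that matches nothing is denied, which is the behaviour
    the guide warns about when the permit-all policy is left out."""
    if not policies:
        return True
    s, d = IPv4Address(pkt.src), IPv4Address(pkt.dst)
    for pol in policies:
        if s in pol.src and d in pol.dst:
            return pol.action == "permit"
    return False


def hash_bucket(pkt, use_ports=False, buckets=256):
    """Constructed stand-in hash: the two endpoints are sorted before hashing
    so a reply (dst->src) lands in the same bucket as its request."""
    a = (pkt.src, pkt.sport if use_ports else 0)
    b = (pkt.dst, pkt.dport if use_ports else 0)
    key = "|".join(f"{ip}:{port}" for ip, port in sorted((a, b)))
    digest = hashlib.sha256(key.encode()).digest()
    return int.from_bytes(digest[:4], "big") % buckets


def select_firewall(pkt, firewalls, policies=(), use_ports=False, buckets=256):
    """Return the firewall chosen for pkt, or None when FWLB is denied for it."""
    if not lb_permitted(pkt, list(policies)):
        return None
    return firewalls[hash_bucket(pkt, use_ports, buckets) % len(firewalls)]


def hash_distribution(firewalls, buckets=256):
    """Number of hash values assigned to each firewall, in the spirit of the
    Hash-distribution column of show fw-group (buckets are dealt round-robin)."""
    dist = {fw: 0 for fw in firewalls}
    for bucket in range(buckets):
        dist[firewalls[bucket % len(firewalls)]] += 1
    return dist


# Firewall and NAT addresses from the guide's Figure 7.1 example.
FIREWALLS = ["fw1", "fw2"]                      # 209.157.23.108, 209.157.23.109
NAT_FW3 = IPv4Network("209.157.23.107/32")      # fw3NAT hidden NAT address
CLIENT = "198.51.100.7"                         # constructed external client

# Only the two deny policies: everything else falls through to default deny.
DENY_NAT_ONLY = [Policy("deny", ANY, NAT_FW3), Policy("deny", NAT_FW3, ANY)]
# The guide's corrected form: the third, permit-all policy restores FWLB.
CORRECT = DENY_NAT_ONLY + [Policy("permit", ANY, ANY)]

if __name__ == "__main__":
    inbound = Packet(CLIENT, "209.157.23.50", 40000, 80)
    reply = Packet("209.157.23.50", CLIENT, 80, 40000)
    print("two deny policies only ->", select_firewall(inbound, FIREWALLS, DENY_NAT_ONLY))
    print("with permit-all        ->", select_firewall(inbound, FIREWALLS, CORRECT))
    print("reply, same firewall   ->", select_firewall(reply, FIREWALLS, CORRECT))
    print("to NAT address         ->", select_firewall(Packet(CLIENT, "209.157.23.107"), FIREWALLS, CORRECT))
    print("hash distribution      ->", hash_distribution(FIREWALLS))
```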
Chapter 10 Configuring FWLB for Layer 2 Firewalls
The steps for configuring IronClad FWLB for Layer 2 firewalls are similar to those for configuring Layer 3 FWLB for static routes. In addition to the basic FWLB configuration steps, perform the following steps:
• On each ServerIron, configure all the ports connected to all the firewalls as a trunk group.
• Disable the Spanning Tree Protocol (STP). STP is enabled by default on the ServerIron.
• Disable Layer 2 traffic on the standby ServerIrons.
The default gateway for each ServerIron is its local router interface.
Figure 10.1 IronClad Layer 2 FWLB configuration
[Figure 10.1 diagram: the Internet router has a static route to network 200.200.200.0/24 via gateway 1.1.1.2 and an interface 200.200.201.1/24; Active ServerIron-A 1.1.1.10/24 with Port e1, Port e2 and Port e3; remaining labels not recoverable.]
Table 10.1: Configuration tasks – IronClad FWLB for Layer 2 firewalls (Continued)
Task   See page...
If the link between the two ServerIrons is a trunk group (recommended for added redundancy), specify the port number of the primary port. The primary port is the first port in the trunk group.
Specifying the Router Ports
IronClad FWLB configurations require paths to the routers as part of the active-standby configuration for the ServerIrons. You need to identify the ports on the ServerIron that are attached to the router(s).
Commands for Standby ServerIron A (External Standby)
SI-StandbyA(config)# server fw-name 01fw1 1.1.1.100
SI-StandbyA(config-rs-01fw1)# exit
SI-StandbyA(config)# server fw-name 02fw2 1.1.1.101
SI-StandbyA(config-rs-02fw2)# exit
SI-StandbyA(config)# server fw-group 2
SI-StandbyA(config-tc-2)# fw-name 01fw1
SI-StandbyA(config-tc-2)# fw-name 02fw2
Commands for Active ServerIron B (Internal Active)
SI-ActiveB(config)# server fw-name 01fw1 1.1.1.
Firewalls
A path is configuration information the ServerIron uses to ensure that a given source and destination IP pair is always authenticated by the same Layer 2 firewall. Each path consists of the following parameters:
• The path ID – A number that identifies the path. In basic FWLB configurations, the paths go from one ServerIron to the other through the firewalls.
SI-StandbyA(config)# static-mac-address 00e0.5202.e282 ethernet 2 high-priority router-type
Commands for Active ServerIron B (Internal Active)
SI-ActiveB(config)# server fw-group 2
SI-ActiveB(config-tc-2)# fwall-info 1 1 1.1.1.10 1.1.1.10
SI-ActiveB(config-tc-2)# fwall-info 2 2 1.1.1.20 1.1.1.20
SI-ActiveB(config-tc-2)# fwall-info 3 1 1.1.1.10 1.1.1.10
SI-ActiveB(config-tc-2)# fwall-info 4 2 1.1.1.20 1.1.1.20
SI-ActiveB(config-tc-2)# fwall-info 5 9 1.1.1.2 1.1.1.
NOTE: If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-based VLAN (VLAN 1). If you enter the command at the configuration level for a specific port-based VLAN, the entry applies to that VLAN and not to the default VLAN.
Configuring the ServerIron Priority
If you are configuring the ServerIron for IronClad FWLB, you need to specify the priority for the firewalls within the firewall group.
NOTE: The user interface allows you to enable FWLB locally instead of globally. However, local policies are not applicable to FWLB. Enable the feature globally.
To enable FWLB globally, use the following method.
The server fw-port command identifies the port that connects this ServerIron to its partner. If you configure a trunk group for the link between the two partners, specify the first port (the primary port for the group) in the trunk group. On the 8-port, 16-port, and 24-port ServerIrons, you can configure a trunk group with two or four members and the primary ports are the odd-numbered ports.
SI-ActiveA(config-tc-2)# fwall-info 4 2 1.1.1.40 1.1.1.40
SI-ActiveA(config-tc-2)# fwall-info 5 9 1.1.1.1 1.1.1.1
SI-ActiveA(config-tc-2)# exit
The commands below add static entries to the ServerIron’s MAC table for the firewall interfaces. The high-priority and fixed-host parameters are required.
NOTE: Use the fixed-host parameter only for Layer 2 firewall configurations such as the one in this example.
SI-StandbyA(config-vlan-1)# static-mac-address 00e0.5200.3489 ethernet 1 high-priority fixed-host
SI-StandbyA(config-vlan-1)# static-mac-address 00e0.5202.e282 ethernet 2 high-priority fixed-host
SI-StandbyA(config-vlan-1)# exit
SI-StandbyA(config)# ip policy 1 fw tcp 0 global
SI-StandbyA(config)# ip policy 2 fw udp 0 global
SI-StandbyA(config)# write memory
Commands on Active ServerIron B (Internal Active)
SI-ActiveB(config)# ip address 1.1.1.
SI-StandbyB(config)# server fw-group 2
SI-StandbyB(config-tc-2)# l2-fwall
SI-StandbyB(config-tc-2)# exit
SI-StandbyB(config)# server fw-name 01fw1 1.1.1.100
SI-StandbyB(config-rs-01fw1)# exit
SI-StandbyB(config)# server fw-name 02fw2 1.1.1.
Firewall Load Balancing Guide 10 - 14 © 2012 Brocade Communications Systems, Inc.
Appendix A
Additional Firewall Configurations
This appendix describes how to configure the following additional firewall configurations:
• “Configuring FWLB for Firewalls with Active-Standby NICs” on page A-1
• “Customizing Path Health Checks” on page A-4
• “FWLB Selection Algorithms” on page A-6
Configuring FWLB for Firewalls with Active-Standby NICs
Some firewalls provide reliability through link redundancy. For example, some firewalls can have two NICs on each sub-net. One of the NICs is active.
Figure 10.2 FWLB Configuration Using Always-Active with Active-Standby Firewall Interfaces
[Figure: labels recovered from the diagram] BigIron-A 121.212.247.225; BigIron 121.212.247.230; Additional data link; Synchronization link; Port 1; Port 1; ServerIron SI-Ext-A 121.212.247.228; ServerIron SI-Ext-S 121.212.247.229; Port 3; Default gateway: 121.212.247.
Additional Firewall Configurations
If the firewall link goes down and the NIC fails over to the other connection, the ServerIron learns the new port for the MAC address. Generally, this occurs when the NIC sends a gratuitous ARP to advertise the new MAC address. The ServerIron learns that the link has failed when the firewall path health check fails. The path health check consists of an IP ping to the next-hop IP address of the path.
Configure the following command to prevent this condition:
ServerIron# server fw-allow-dynamic-port-change
This command allows the firewall path health checks to be sent to the correct port where the firewall ARP is learnt and updates the firewall path accordingly to reflect the new interface where the firewall can now be reached.
NOTE: For the complete CLI example, see....
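The following model of the failover behaviour described above is an added illustration, not ServerIron code and not an example from this guide. It assumes the condition that server fw-allow-dynamic-port-change prevents is a path health check that keeps being sent out the port recorded when the path was created, so that it fails even though the firewall's MAC has since been learned on the standby NIC's port; with the command enabled, the path follows the port from the gratuitous ARP. The class names, port numbers, MAC and IP values are all constructed.

```python
"""Model of active-standby NIC failover and server fw-allow-dynamic-port-change.

Constructed example: a MAC table that learns a firewall MAC's port from a
gratuitous ARP, a firewall path whose health check is an IP ping to the
next-hop address, and the difference the dynamic-port-change setting makes.
All names and values are assumptions, not ServerIron internals.
"""

from dataclasses import dataclass, field


@dataclass
class Firewall:
    """A firewall whose NIC pair can fail over between two ServerIron ports."""
    ip: str
    mac: str
    active_port: int   # port on which the firewall currently answers ARP/ping


@dataclass
class ServerIron:
    allow_dynamic_port_change: bool
    mac_table: dict = field(default_factory=dict)  # mac -> port learned
    paths: dict = field(default_factory=dict)      # next-hop ip -> port used for the health check

    def add_path(self, fw):
        """Create the path while the firewall is reachable on its active NIC."""
        self.mac_table[fw.mac] = fw.active_port
        self.paths[fw.ip] = fw.active_port

    def receive_gratuitous_arp(self, fw):
        """Learn (or relearn) the port on which the firewall MAC is now reachable."""
        self.mac_table[fw.mac] = fw.active_port
        if self.allow_dynamic_port_change:
            # The path's health check follows the port the ARP was learned on.
            self.paths[fw.ip] = fw.active_port

    def path_health_check(self, fw):
        """IP ping to the path's next hop, sent out the port recorded for the path."""
        return self.paths[fw.ip] == fw.active_port


def failover_scenario(allow_dynamic):
    """Run one failover and return (check before, check after, learned port, path port)."""
    fw = Firewall(ip="10.10.10.1", mac="00e0.5200.0001", active_port=3)  # constructed
    si = ServerIron(allow_dynamic_port_change=allow_dynamic)
    si.add_path(fw)
    before = si.path_health_check(fw)
    fw.active_port = 4            # NIC fails over to the standby link on port 4
    si.receive_gratuitous_arp(fw)  # firewall advertises its MAC on the new port
    after = si.path_health_check(fw)
    return before, after, si.mac_table[fw.mac], si.paths[fw.ip]


if __name__ == "__main__":
    for setting in (False, True):
        print("allow-dynamic-port-change", setting, "->", failover_scenario(setting))
```

Without the setting the MAC table already shows the firewall on port 4 while the path still pings out port 3, so the path is marked down although the firewall is reachable; with the setting both follow the new port and the health check keeps passing.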
Enabling Layer 4 Path Health Checks for FWLB
By default, the ServerIron performs Layer 3 health checks of firewall paths, but does not perform Layer 4 health checks of the paths. You can configure the ServerIrons in an FWLB configuration to use Layer 4 health checks instead of Layer 3 health checks for firewall paths. When you configure a Layer 4 health check, the Layer 3 (ICMP) health check, which is used by default, is disabled.
FWLB Selection Algorithms
This appendix describes selection algorithms for FWLB. This appendix contains the following sections:
• Least Connections
• Least Connections per Application
• Hashing
NOTE: If hash-port is configured, hashing includes both source-port and destination-port.
The parameter specifies the starting port number in the range. Specify the port number at the lower end of the range. The parameter specifies the ending port number in the range. Specify the port number at the higher end of the range.
Overriding the Global Hash Values
By default, the ServerIron uses the hash mask you configure for the firewall group for all hash-based load balancing of firewall traffic.
The result is that fwall1 gets 7/24 of the current number of connections, fwall2 gets 8/24, server3 gets 2/24, and so on. If a new firewall, fwall6, is added with a weight of 10, the new firewall gets 10/34. If you set the weight so that your fastest firewall gets 50 percent of the connections, it will get 50 percent of the connections at a given time.
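The weighted shares above can be reproduced with the following added example. It is constructed illustration code, not the ServerIron's selection implementation: it assigns each new connection to the firewall that is furthest below its weighted share, which yields exactly the 7/24, 8/24, 2/24 and 10/34 proportions the text states. The weights 7, 8 and 2 for the first three firewalls come from the text; the weights 4 and 3 for fwall4 and fwall5 are assumptions chosen so that the group totals 24, and the third firewall is named fwall3 here.

```python
"""Weighted firewall selection (constructed example, not ServerIron code).

Weights 7, 8 and 2 are from the guide; weights 4 and 3 for fwall4 and fwall5
are assumptions so that the five weights total 24, matching the 7/24 share.
"""

from fractions import Fraction

# Assumed weight table for the firewall group (fwall4 and fwall5 are assumptions).
WEIGHTS = {"fwall1": 7, "fwall2": 8, "fwall3": 2, "fwall4": 4, "fwall5": 3}


def share(weights, name):
    """Share of connections a firewall should receive, as (weight, total weight)."""
    return weights[name], sum(weights.values())


def select(weights, active):
    """Pick the firewall that is furthest below its weighted share.

    `active` maps firewall name -> connections currently assigned to it.
    The firewall with the smallest connections-per-unit-of-weight is chosen;
    ties are broken by name so the result is deterministic.
    """
    return min(weights, key=lambda fw: (Fraction(active.get(fw, 0), weights[fw]), fw))


def distribute(weights, n_connections):
    """Assign n_connections one at a time and return the per-firewall counts."""
    active = {fw: 0 for fw in weights}
    for _ in range(n_connections):
        active[select(weights, active)] += 1
    return active


if __name__ == "__main__":
    print("24 connections over the group:", distribute(WEIGHTS, 24))
    with_fwall6 = dict(WEIGHTS, fwall6=10)   # add fwall6 with weight 10
    print("34 connections after adding fwall6:", distribute(with_fwall6, 34))
```

Because a firewall is only chosen while its connections-per-weight is the lowest in the group, after a number of connections equal to the total weight every firewall holds exactly its weight, which is why 24 connections give fwall1 7 and 34 connections give fwall6 10.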
Figure A.1 FWLB Denied for Application Traffic
[Figure: labels recovered from the diagram] Internet; Firewall FW1 receives all HTTP traffic; WAN Access Router: contains default route that uses 209.157.22.3 (FW1) as the next-hop gateway; LAN Router; IP: 209.157.22.3 MAC: abcd.4321.34e0; Port e3; ServerIron A 209.157.22.2; Port e5; IP: 209.157.23.1 MAC: abcd.4321.34e2; Firewall FW1; Firewall FW2; contains default route that uses 209.157.23.1 (FW1) as the next-hop gateway; Port e1; Port e2; ServerIron B 209.157.23.
disable FWLB for HTTP traffic. To disable FWLB for an application, configure an extended ACL at the firewall group configuration level.
NOTE: When you configure an ACL at the firewall group configuration level, a deny action does not cause the ServerIron to drop the denied packet. In this type of configuration, a deny action denies FWLB service for the packet, so that the ServerIron leaves the destination MAC address of the packet unchanged.
ServerIron B Commands
ServerIronB(config)# ip policy 1 fw tcp 0 global
ServerIronB(config)# ip policy 2 fw udp 0 global
ServerIronB(config)# access-list 101 deny tcp any eq http any
ServerIronB(config)# access-list 101 permit tcp any any
ServerIronB(config)# access-list 101 permit udp any any
ServerIronB(config)# server fw-group 2
ServerIronB(config-tc-2)# acl-id 101
These commands are the same as the commands on ServerIron A, except the first ACL entry matches on TCP por
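The following added example models the two decisions described in this section and in the hashing NOTE of the FWLB Selection Algorithms section: a firewall-group ACL whose deny entry withholds FWLB service (destination MAC unchanged, so the packet follows the router's default next hop to FW1) rather than dropping the packet, and hash-based selection for permitted traffic, with hash-port adding both ports to the hash. It is constructed code, not ServerIron software: the XOR hash, the implicit deny at the end of the ACL, the Packet class and the MAC strings are assumptions, and access-list 101 is reproduced from the ServerIron B commands above.

```python
"""Firewall-group ACL plus hash-based FWLB selection (constructed example).

Not ServerIron code. Models: deny = no FWLB service (destination MAC kept),
permit = pick a firewall by hash; hash-port adds source and destination port.
The hash itself is a simple constructed XOR, not the ServerIron's hash mask.
"""

import ipaddress
from dataclasses import dataclass

HTTP = 80


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    sport: int
    dport: int
    dst_mac: str   # destination MAC the packet arrived with (router's next hop)


# access-list 101 from the ServerIron B commands, as (action, proto, sport, dport);
# None means "any". "deny tcp any eq http any" matches TCP with source port 80.
ACL_101 = [
    ("deny", "tcp", HTTP, None),
    ("permit", "tcp", None, None),
    ("permit", "udp", None, None),
]

# Constructed firewall MACs; firewalls[0] is FW1, the router's default next hop.
FIREWALLS = [("FW1", "fw1-mac"), ("FW2", "fw2-mac")]


def acl_action(acl, pkt):
    """First matching entry wins; an unmatched packet is assumed to be denied."""
    for action, proto, sport, dport in acl:
        if proto != pkt.proto:
            continue
        if sport is not None and pkt.sport != sport:
            continue
        if dport is not None and pkt.dport != dport:
            continue
        return action
    return "deny"   # assumed implicit deny: no FWLB service


def fw_hash(pkt, hash_port):
    """Constructed hash over the IP pair, extended with both ports if hash_port is set."""
    key = int(ipaddress.ip_address(pkt.src)) ^ int(ipaddress.ip_address(pkt.dst))
    if hash_port:
        key ^= (pkt.sport << 16) ^ pkt.dport
    return key


def fwlb_next_hop(pkt, acl, firewalls, hash_port=False):
    """Return (next_hop_mac, load_balanced) for a packet.

    A denied packet keeps its destination MAC, so it is forwarded to the
    router's default next hop (FW1) instead of being load balanced.
    """
    if acl_action(acl, pkt) == "deny":
        return pkt.dst_mac, False
    name, mac = firewalls[fw_hash(pkt, hash_port) % len(firewalls)]
    return mac, True


if __name__ == "__main__":
    http_reply = Packet("10.0.0.5", "198.51.100.7", "tcp", 80, 40001, "fw1-mac")
    ssh = Packet("10.0.0.5", "198.51.100.7", "tcp", 40002, 22, "fw1-mac")
    print("HTTP reply:", fwlb_next_hop(http_reply, ACL_101, FIREWALLS))
    print("SSH, hash-port off:", fwlb_next_hop(ssh, ACL_101, FIREWALLS))
    print("SSH, hash-port on:", fwlb_next_hop(ssh, ACL_101, FIREWALLS, hash_port=True))
```

With hash-port off, every packet between the same IP pair goes to the same firewall regardless of ports; with hash-port on, flows between the same pair can be spread across firewalls, which matters when the firewalls do not share state.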