Technical data

Configuring FWLB for NAT Firewalls
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 7 - 5
Commands for ServerIron B (Internal)
ServerIron-B(config)# server fw-group 2
ServerIron-B(config-tc-2)# fwall-info 1 1 209.157.23.106 10.10.10.10
ServerIron-B(config-tc-2)# fwall-info 2 2 209.157.23.106 10.10.10.11
ServerIron-B(config-tc-2)# exit
ServerIron-B(config)# static-mac-address abcd.da68.6655 ethernet 1 high-priority router-type
ServerIron-B(config)# static-mac-address abcd.da68.6104 ethernet 2 high-priority router-type
Command Syntax
Syntax: server fw-group 2
Syntax: [no] fwall-info <path-num> <portnum> <other-ServerIron-ip> <next-hop-ip>
The syntax for adding static MAC entries differs depending on whether you are using a stackable or chassis ServerIron.
Syntax for chassis devices:
Syntax: [no] static-mac-address <mac-addr> ethernet <portnum> [priority <0-7>] [host-type | router-type]
Syntax for stackable devices:
Syntax: static-mac-address <mac-addr> ethernet <portnum> [to <portnum> ethernet <portnum>] [normal-priority | high-priority] [host-type | router-type | fixed-host]
The priority can be 0 – 7 (0 is lowest and 7 is highest) for chassis devices and either normal-priority or high-priority for stackable devices.
The defaults are host-type and 0 or normal-priority.
NOTE: The static MAC entries are required. You must add a static MAC entry for each firewall interface with the ServerIron. In addition, you must use the high-priority and router-type parameters with the static-mac-address command. These parameters enable the ServerIron to use the address for FWLB.
NOTE: If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-based VLAN (VLAN 1). If you enter the command at the configuration level for a specific port-based VLAN, the entry applies to that VLAN and not to the default VLAN.
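The requirement in the NOTE above (one static MAC entry per firewall path, each carrying high-priority and router-type) is easy to get wrong when commands are pasted in, so the following added audit script (not Brocade code) checks a saved ServerIron CLI snippet for it. It assumes the <portnum> given in fwall-info is the ServerIron port the firewall interface is attached to, as in the ServerIron-B commands above; the sample configs are constructed.

```python
import re

# Hypothetical audit helper: added example, not part of the ServerIron software.
FWALL_RE = re.compile(r"^fwall-info\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)$")
SMAC_RE = re.compile(r"^static-mac-address\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})"
                     r"\s+ethernet\s+(\d+)(.*)$", re.I)
REQUIRED = {"high-priority", "router-type"}  # stackable-device keywords from the NOTE

def parse_config(text):
    """Collect fwall-info paths and static MAC entries; CLI prompts are stripped."""
    paths, macs = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[-1].strip()   # drop 'ServerIron-B(config)#' if present
        m = FWALL_RE.match(line)
        if m:
            paths.append({"path": int(m[1]), "port": int(m[2]),
                          "peer": m[3], "next_hop": m[4]})
            continue
        m = SMAC_RE.match(line)
        if m:
            macs.append({"mac": m[1].lower(), "port": int(m[2]),
                         "opts": set(m[3].split())})
    return paths, macs

def audit(text):
    """Return findings; an empty list means the snippet satisfies the static-MAC rules."""
    paths, macs = parse_config(text)
    findings = []
    for e in macs:
        missing = REQUIRED - e["opts"]
        if missing:
            findings.append(f"static MAC {e['mac']} on ethernet {e['port']} "
                            f"lacks {' '.join(sorted(missing))}")
    mac_ports = {e["port"] for e in macs}
    for p in paths:
        if p["port"] not in mac_ports:  # assumption: fwall-info <portnum> is the firewall's port
            findings.append(f"path {p['path']} via ethernet {p['port']} has no static MAC entry")
    return findings

# Constructed samples: GOOD mirrors the commands above; BAD drops router-type on port 1
# and omits the port-2 entry entirely.
GOOD_CONFIG = """ServerIron-B(config)# server fw-group 2
ServerIron-B(config-tc-2)# fwall-info 1 1 209.157.23.106 10.10.10.10
ServerIron-B(config-tc-2)# fwall-info 2 2 209.157.23.106 10.10.10.11
ServerIron-B(config)# static-mac-address abcd.da68.6655 ethernet 1 high-priority router-type
ServerIron-B(config)# static-mac-address abcd.da68.6104 ethernet 2 high-priority router-type
"""
BAD_CONFIG = """fwall-info 1 1 209.157.23.106 10.10.10.10
fwall-info 2 2 209.157.23.106 10.10.10.11
static-mac-address abcd.da68.6655 ethernet 1 high-priority
"""
```

Run `audit(GOOD_CONFIG)` to confirm an empty result, and `audit(BAD_CONFIG)` to see the two findings the constructed bad snippet should raise.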
Preventing Load Balancing of the NAT Addresses
When you configure ServerIrons for load balancing traffic across NAT firewalls, you must disable load balancing on the NAT addresses themselves. You can use either of the following methods to do so. Each method is equally valid and only one of the methods is required. You need to use one of these methods only on the ServerIron connected to the external network, not the ServerIron on the internal side of the network.
• Configure the NAT addresses as firewall addresses, but do not configure paths for the addresses. (This is shown below in the "Extra Firewall Method" section.)
• Configure IP access policies (filters) to deny load balancing for traffic addressed to the NAT addresses. (This is shown below in the "Access Policy Method" section.)
NOTE: In FWLB configurations, the IP policies do not block traffic altogether. They deny load balancing for the traffic. Thus, the ServerIron does not load balance packets addressed to the NAT addresses, but instead sends the traffic only to the firewall that originally sent the traffic.