Technical data

Firewall Load Balancing Guide
7 - 6 © 2012 Brocade Communications Systems, Inc. May 31, 2012
USING THE CLI
Use either of the following methods to disable load balancing for the NAT addresses.
Extra Firewall Method
To disable load balancing for the NAT addresses by adding firewalls for the addresses, enter commands such as
the following.
NOTE: Do not configure paths for the firewalls.
ServerIron-A(config)# server fw-name fw3NAT 209.157.23.107
ServerIron-A(config-rs-fw3NAT)# exit
ServerIron-A(config)# server fw-name fw4NAT 209.157.23.110
ServerIron-A(config-rs-fw4NAT)# exit
Access Policy Method
To disable load balancing for the NAT addresses using IP access policies, enter commands such as the following.
ServerIron-A(config)# ip filter 1 deny any 209.157.23.110 255.255.255.255
ServerIron-A(config)# ip filter 2 deny any 209.157.23.107 255.255.255.255
ServerIron-A(config)# ip filter 1024 permit any any
The first two commands configure policies to deny load balancing for the two NAT addresses. The third command
allows all other traffic to be load balanced.
NOTE: The third policy, which permits all traffic, is required because once you define an access policy, the
default action for packets that do not match a policy is to deny them. If you configure only the first two
policies and omit the third, every packet is denied load balancing, which disables load balancing altogether.
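The following added example (not part of the original guide or of Brocade's software) models the access policy behavior described above and flags a filter set that lacks the catch-all permit. It assumes filters are checked in ascending ID order and that the trailing mask is a subnet mask; 198.51.100.25 is a constructed test address.

```python
import ipaddress
import re

# Only the filter form shown on this page is handled:
#   ip filter <id> <permit|deny> any <destination> [<mask>]
FILTER_RE = re.compile(r"ip filter (\d+) (permit|deny) any (\S+)(?: (\S+))?\s*$")

# Constructed inputs built from the page's own commands.
PAGE_CONFIG = """\
ip filter 1 deny any 209.157.23.110 255.255.255.255
ip filter 2 deny any 209.157.23.107 255.255.255.255
ip filter 1024 permit any any
"""
MISSING_PERMIT = "\n".join(PAGE_CONFIG.splitlines()[:2])

def parse_filters(config_text):
    """Return [(id, action, dst_network or None for 'any')] in filter-ID order."""
    filters = []
    for line in config_text.splitlines():
        m = FILTER_RE.search(line)
        if m:
            fid, action, dst, mask = m.groups()
            # Assumption: the mask is a subnet mask (255.255.255.255 = one host).
            net = None if dst == "any" else ipaddress.ip_network(
                f"{dst}/{mask or '255.255.255.255'}", strict=False)
            filters.append((int(fid), action, net))
    return sorted(filters, key=lambda f: f[0])  # assumption: lowest ID is checked first

def load_balanced(filters, dst_ip):
    """First match wins; with policies defined, no match means implicit deny."""
    if not filters:
        return True  # no access policy defined, so nothing is excluded
    addr = ipaddress.ip_address(dst_ip)
    for _fid, action, net in filters:
        if net is None or addr in net:
            return action == "permit"
    return False

def lint(filters):
    """Flag a policy set that has filters but no catch-all permit."""
    if filters and not any(a == "permit" and n is None for _, a, n in filters):
        return ["no 'permit any any' filter: implicit deny stops load balancing for all traffic"]
    return []

if __name__ == "__main__":
    for name, cfg in (("page config", PAGE_CONFIG), ("missing permit", MISSING_PERMIT)):
        f = parse_filters(cfg)
        print(name, load_balanced(f, "198.51.100.25"), lint(f))
```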
Configuration Example for FWLB with Layer 3 NAT Firewalls
This section shows the CLI commands for implementing the configuration shown in Figure 7.1. Note that the
configuration steps are similar to those required for the basic configuration shown in Figure 3.2 on page 3-7. The
only additional step required is to ensure that the ServerIron connected to the external network does not load
balance return traffic to the addresses the firewalls use for NAT. For example, ServerIron A in Figure 7.1 must be
configured so that it does not load balance return traffic to 209.157.23.107/24 or 209.157.23.110/24.
CLI Commands on ServerIron A (External)
The following commands configure ServerIron-A in Figure 7.1 for FWLB.
The hostname command changes the host name of the device to match the name used in Figure 7.1. The ip
address and ip default-gateway commands configure the device’s management IP address and its default
gateway.
The no span command disables the Spanning Tree Protocol (STP) on the ServerIron.
ServerIron(config)# hostname ServerIron-A
ServerIron-A(config)# ip address 209.157.23.106 255.255.255.0
ServerIron-A(config)# ip default-gateway 209.157.23.108
ServerIron-A(config)# no span
The following two commands add the firewalls. The IP addresses are the firewalls’ interfaces with the ServerIron.