Technical data
Configuring FWLB for NAT Firewalls
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 7 - 7
ServerIron-A(config)# server fw-name fw1 209.157.23.108
ServerIron-A(config-rs-fw1)# exit
ServerIron-A(config)# server fw-name fw2 209.157.23.109
ServerIron-A(config-rs-fw2)# exit
The following two commands add firewall entries for the hidden NAT addresses. These entries prevent the
ServerIron from load balancing the firewall traffic to these addresses. The ServerIron forwards a return packet
addressed to one of these firewalls directly to the firewall that sent it, instead of using the hash mechanism to
select a path for the traffic.
ServerIron-A(config)# server fw-name fw3NAT 209.157.23.107
ServerIron-A(config-rs-fw3NAT)# exit
ServerIron-A(config)# server fw-name fw4NAT 209.157.23.110
ServerIron-A(config-rs-fw4NAT)# exit
The following commands configure the firewall group parameters. The first command changes the CLI to the firewall group configuration level. The fw-name <firewall-name> commands add the firewalls to the firewall group. Notice that the firewall definitions created above for the two NAT addresses are not added.
The fwall-info commands add paths from this ServerIron to the other one through the firewalls. Notice that no paths are configured for the firewall definitions created for the NAT addresses.
ServerIron-A(config)# server fw-group 2
ServerIron-A(config-tc-2)# fw-name fw1
ServerIron-A(config-tc-2)# fw-name fw2
ServerIron-A(config-tc-2)# fwall-info 1 1 10.10.10.30 209.157.23.108
ServerIron-A(config-tc-2)# fwall-info 2 2 10.10.10.30 209.157.23.109
ServerIron-A(config-tc-2)# exit
The following commands enable FWLB. You must enter the commands exactly as shown.
ServerIron-A(config)# ip policy 1 fw tcp 0 global
ServerIron-A(config)# ip policy 2 fw udp 0 global
The following commands add static MAC entries for the firewalls’ interfaces with the ServerIron. The high-priority
and router-type parameters are required for FWLB with Layer 3 firewalls.
ServerIron-A(config)# static-mac-address abcd.da10.dc2c ethernet 1 high-priority router-type
ServerIron-A(config)# static-mac-address abcd.da10.dc3f ethernet 2 high-priority router-type
The write memory command saves the configuration changes to the ServerIron’s startup-config file on the
device’s flash memory.
ServerIron-A(config)# write memory
Alternative Configuration for ServerIron A
The example above configures FWLB for NAT firewalls by adding firewall definitions for the IP addresses the NAT
service on the firewalls uses for traffic sent from a client inside the firewalls to a destination outside the firewalls.
Alternatively, you can configure IP access policies that deny load balancing for the NAT addresses. For the
example in Figure 7.1 on page 7-2, you would enter the following commands:
ServerIron-A(config)# ip filter 1 deny any 209.157.23.110 255.255.255.255
ServerIron-A(config)# ip filter 2 deny any 209.157.23.107 255.255.255.255
ServerIron-A(config)# ip filter 1024 permit any any
The first two commands configure policies to deny load balancing for the two NAT addresses. The third command
allows all other traffic to be load balanced.
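The following Python script is an added example and is not part of the Brocade guide. It parses the CLI lines shown in this section (the firewall definitions, the fw-group with its fw-name and fwall-info commands, and the ip filter alternative) and audits the two points the text stresses: a hidden NAT address must either have its own fw-name entry or be denied by an ip filter, and it must never appear as a fw-group member or as the firewall end of an fwall-info path. Two assumptions are made: the last address in each fwall-info line is read as the firewall's address on this ServerIron's side (the page does not spell out the argument order), and ip filters are evaluated first-match in filter-number order with subnet-style masks. The sample configuration is constructed from the commands on this page.

```python
"""Audit a ServerIron-style FWLB snippet for the NAT-address handling described on this page."""
import ipaddress
from dataclasses import dataclass, field

# Constructed sample: the commands shown in this section, main and alternative
# configuration joined into one transcript.
SAMPLE_CONFIG = """\
ServerIron-A(config)# server fw-name fw1 209.157.23.108
ServerIron-A(config-rs-fw1)# exit
ServerIron-A(config)# server fw-name fw2 209.157.23.109
ServerIron-A(config-rs-fw2)# exit
ServerIron-A(config)# server fw-name fw3NAT 209.157.23.107
ServerIron-A(config-rs-fw3NAT)# exit
ServerIron-A(config)# server fw-name fw4NAT 209.157.23.110
ServerIron-A(config-rs-fw4NAT)# exit
ServerIron-A(config)# server fw-group 2
ServerIron-A(config-tc-2)# fw-name fw1
ServerIron-A(config-tc-2)# fw-name fw2
ServerIron-A(config-tc-2)# fwall-info 1 1 10.10.10.30 209.157.23.108
ServerIron-A(config-tc-2)# fwall-info 2 2 10.10.10.30 209.157.23.109
ServerIron-A(config-tc-2)# exit
ServerIron-A(config)# ip filter 1 deny any 209.157.23.110 255.255.255.255
ServerIron-A(config)# ip filter 2 deny any 209.157.23.107 255.255.255.255
ServerIron-A(config)# ip filter 1024 permit any any
"""

# The hidden NAT addresses from the page's example.
NAT_ADDRESSES = {"209.157.23.107", "209.157.23.110"}


@dataclass
class FwlbConfig:
    firewalls: dict = field(default_factory=dict)      # fw-name -> IP address
    group_members: dict = field(default_factory=dict)  # fw-group number -> [fw-names]
    paths: list = field(default_factory=list)          # (group, path number, firewall IP)
    filters: list = field(default_factory=list)        # (filter number, action, dst, mask)


def parse_config(text):
    """Parse a CLI transcript; anything up to and including '# ' on a line is the prompt."""
    cfg = FwlbConfig()
    group = None
    for raw in text.splitlines():
        line = raw.split("# ", 1)[1] if "# " in raw else raw
        tok = line.split()
        if not tok:
            continue
        if tok[:2] == ["server", "fw-name"]:
            cfg.firewalls[tok[2]] = tok[3]
        elif tok[:2] == ["server", "fw-group"]:
            group = int(tok[2])
            cfg.group_members.setdefault(group, [])
        elif tok[0] == "exit":
            group = None
        elif tok[0] == "fw-name" and group is not None:
            cfg.group_members[group].append(tok[1])
        elif tok[0] == "fwall-info" and group is not None:
            # Assumption: the final address is the firewall's address on this side.
            cfg.paths.append((group, int(tok[1]), tok[4]))
        elif tok[:2] == ["ip", "filter"]:
            # ip filter <num> <permit|deny> <src> <dst> [<dst-mask>]
            dst = tok[5]
            mask = tok[6] if len(tok) > 6 else "255.255.255.255"
            cfg.filters.append((int(tok[2]), tok[3], dst, mask))
    return cfg


def filter_decision(cfg, dst_ip):
    """First-match evaluation in filter-number order; returns 'permit', 'deny' or None."""
    addr = int(ipaddress.IPv4Address(dst_ip))
    for _, action, dst, mask in sorted(cfg.filters):
        if dst == "any":
            return action
        m = int(ipaddress.IPv4Address(mask))
        if addr & m == int(ipaddress.IPv4Address(dst)) & m:
            return action
    return None


def audit(cfg, nat_addresses):
    """Return findings; an empty list means the NAT addresses are excluded from load balancing."""
    findings = []
    by_ip = {ip: name for name, ip in cfg.firewalls.items()}
    for nat in sorted(nat_addresses):
        name = by_ip.get(nat)
        if name is None and filter_decision(cfg, nat) != "deny":
            findings.append(f"{nat}: no fw-name entry and no deny filter; return traffic would be hashed")
        for group, members in cfg.group_members.items():
            if name is not None and name in members:
                findings.append(f"{nat} ({name}) is a member of fw-group {group}")
        for group, path, fw_ip in cfg.paths:
            if fw_ip == nat:
                findings.append(f"{nat} is the firewall end of fwall-info path {path} in fw-group {group}")
    # Load-balanced members and configured paths must agree with each other.
    for group, members in cfg.group_members.items():
        member_ips = {cfg.firewalls.get(m) for m in members}
        path_ips = {fw_ip for g, _, fw_ip in cfg.paths if g == group}
        for ip in sorted(member_ips - path_ips, key=str):
            findings.append(f"fw-group {group}: member {ip} has no fwall-info path")
        for ip in sorted(path_ips - member_ips):
            findings.append(f"fw-group {group}: path to {ip} but it is not a member")
    return findings


def audit_sample():
    """Audit the constructed sample; returns an empty list for the page's configuration."""
    return audit(parse_config(SAMPLE_CONFIG), NAT_ADDRESSES)


if __name__ == "__main__":
    for finding in audit_sample() or ["no findings"]:
        print(finding)
```

Run against the page's own commands the audit reports nothing; appending a fw-group that lists fw3NAT as a member produces a finding for that group, which is the misconfiguration the text warns against.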