Technical data
Firewall Load Balancing Guide
7 - 8 © 2012 Brocade Communications Systems, Inc. May 31, 2012
NOTE: The third policy, which permits all traffic, is required because once you define an access policy, the default action for packets that do not match any policy is to deny them. If you configure only the first two policies and omit the third, you disable load balancing altogether, because load balancing is then denied for all packets.
The other commands are the same as in the previous section.
CLI Commands on ServerIron B (Internal)
The following CLI commands configure ServerIron B in Figure 7.1. Notice that this ServerIron is not configured to deny load balancing for the NAT addresses used by the firewalls. This ServerIron sees only the internal addresses, not the NAT addresses.
ServerIron-B(config)# hostname ServerIron-B
ServerIron-B(config)# ip address 10.10.10.30 255.255.255.0
ServerIron-B(config)# ip default-gateway 10.10.10.10
ServerIron-B(config)# no span
ServerIron-B(config)# server fw-name fw1 10.10.10.10
ServerIron-B(config-rs-fw1)# exit
ServerIron-B(config)# server fw-name fw2 10.10.10.11
ServerIron-B(config-rs-fw2)# exit
ServerIron-B(config)# server fw-group 2
ServerIron-B(config-tc-2)# fw-name fw1
ServerIron-B(config-tc-2)# fw-name fw2
ServerIron-B(config-tc-2)# fwall-info 1 1 209.157.23.106 10.10.10.10
ServerIron-B(config-tc-2)# fwall-info 2 2 209.157.23.106 10.10.10.11
ServerIron-B(config-tc-2)# exit
ServerIron-B(config)# static-mac-address abcd.da68.6655 ethernet 1 high-priority router-type
ServerIron-B(config)# static-mac-address abcd.da68.6104 ethernet 2 high-priority router-type
ServerIron-B(config)# ip policy 1 fw tcp 0 global
ServerIron-B(config)# ip policy 2 fw udp 0 global
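The ServerIron B command set above can be cross-checked mechanically before it is applied. The following is an added example, not part of the Brocade guide: it assumes the fwall-info arguments are path ID, port, remote ServerIron address and next-hop firewall address, and that each path port carries a router-type static MAC entry and both a TCP and a UDP fw policy, as in the listing on this page.

```python
# Added example: consistency check for a ServerIron FWLB command set.
# ServerIron B commands from this page, prompts removed, wrapped lines joined.
CONFIG = """\
server fw-name fw1 10.10.10.10
server fw-name fw2 10.10.10.11
server fw-group 2
fw-name fw1
fw-name fw2
fwall-info 1 1 209.157.23.106 10.10.10.10
fwall-info 2 2 209.157.23.106 10.10.10.11
static-mac-address abcd.da68.6655 ethernet 1 high-priority router-type
static-mac-address abcd.da68.6104 ethernet 2 high-priority router-type
ip policy 1 fw tcp 0 global
ip policy 2 fw udp 0 global
"""

def check_fwlb(config):
    """Return consistency findings for the commands; [] means none found."""
    fws, members, paths, mac_ports, protos = {}, set(), [], set(), set()
    for t in (line.split() for line in config.splitlines()):
        if t[:2] == ["server", "fw-name"] and len(t) == 4:
            fws[t[2]] = t[3]                      # firewall name -> IP
        elif t[:1] == ["fw-name"] and len(t) == 2:
            members.add(t[1])                     # member of the fw-group
        elif t[:1] == ["fwall-info"] and len(t) == 5:
            paths.append((t[1], t[2], t[4]))      # assumed: path, port, next hop
        elif t[:1] == ["static-mac-address"] and t[2:3] == ["ethernet"] and "router-type" in t:
            mac_ports.add(t[3])                   # port with a firewall MAC entry
        elif t[:2] == ["ip", "policy"] and t[3:4] == ["fw"] and len(t) > 4:
            protos.add(t[4])                      # protocol handed to FWLB
    out = []
    for name in sorted(set(fws) ^ members):
        out.append(f"{name}: defined and grouped firewalls differ")
    hops = {hop for _, _, hop in paths}
    for name, ip in sorted(fws.items()):
        if ip not in hops:
            out.append(f"{name}: no fwall-info path uses {ip} as next hop")
    for pid, port, hop in paths:
        if hop not in fws.values():
            out.append(f"path {pid}: next hop {hop} is not a defined firewall")
        if port not in mac_ports:
            out.append(f"path {pid}: no router-type static MAC on ethernet {port}")
    for proto in ("tcp", "udp"):
        if proto not in protos:
            out.append(f"no 'ip policy ... fw {proto}' line")
    return out

if __name__ == "__main__":
    print(check_fwlb(CONFIG) or "no findings")
```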
Configuring IronClad Layer 3 FWLB for NAT
Figure 7.2 shows an example of an IronClad FWLB configuration for Layer 3 NAT firewalls. The procedures and
CLI configuration example in this section are based on this sample configuration.
NOTE: The configuration steps for firewalls that perform NAT are identical to the steps for basic and IronClad
FWLB without NAT, with just one additional step. The additional step disables load balancing for the NAT
addresses. See “Preventing Load Balancing of the NAT Addresses” on page 7-15.