Firewall Load Balancing Guide
7 - 10 © 2012 Brocade Communications Systems, Inc. May 31, 2012
Enabling FWLB
To enable FWLB, you configure global IP policies. FWLB for TCP and UDP is controlled independently, so you
need to configure a separate global IP policy for each type of traffic.
When you enable FWLB for TCP or UDP globally, all ports that are in the firewall group are enabled for FWLB. All
ServerIron ports are in firewall group 2 by default. Thus, if you enable FWLB globally, it affects all physical ports
unless you remove ports from firewall groups.
NOTE: The user interface allows you to enable FWLB locally instead of globally. However, local policies are not
applicable to FWLB. Enable the feature globally.
To enable FWLB globally, use the following method.
USING THE CLI
Enter the following commands at the global CONFIG level to enable FWLB for all TCP and UDP traffic:
ServerIron(config)# ip policy 1 fw tcp 0 global
ServerIron(config)# ip policy 2 fw udp 0 global
Syntax: [no] ip policy <policy-num> fw tcp | udp 0 global
The <policy-num> value identifies the policy and can be a number from 1 – 64.
Each policy affects TCP or UDP traffic, so you must specify tcp or udp.
The value 0 following the tcp | udp parameter specifies that the policy applies to all ports of the specified type
(TCP or UDP). In this command, “0” is equivalent to “any port number”. For FWLB, you must specify “0”.
NOTE: Generally, the firewall itself performs validation and authentication for the traffic, so allowing the
ServerIron to pass all traffic of the specified type (TCP or UDP) to the firewall simplifies configuration.
Specifying the Partner Port
If you are configuring the ServerIron for IronClad FWLB, you need to specify the port number of the dedicated link
between the ServerIron and its partner.
USING THE CLI
To specify the port, enter a command such as the following at the global CLI level:
ServerIron(config)# server fw-port 5
Syntax: [no] server fw-port <portnum>
If the link between the two ServerIrons is a trunk group (recommended for added redundancy), specify the port
number of the primary port. The primary port is the first port in the trunk group.
Specifying the Router Ports
IronClad FWLB configurations require paths to the routers as part of the active-standby configuration for the
ServerIrons. You need to identify the ports on the ServerIron that are attached to the router(s).
USING THE CLI
To identify port 8 on a ServerIron as a router port, enter the following command:
ServerIron(config)# server router-port 8
Syntax: [no] server router-ports <portnum>
NOTE: To define multiple router ports on a switch, enter the port numbers, separated by blanks. You can enter
up to eight router ports in a single command line. To enter more than eight ports, enter the server router-port
command again with the additional ports.
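
The following is an added example, not part of the Brocade guide: a Python check that audits a configuration listing against the rules stated in the sections above (a separate global policy for TCP and for UDP, policy number 1 – 64, port value 0, and for IronClad FWLB a partner port and router ports with at most eight per command line). It assumes the configuration text holds the commands in the form they are typed at the CLI; the function name and both sample configurations are constructed for illustration.

```python
import re

# Constructed sample configurations (not from the guide), as typed at the CLI.
GOOD_CONFIG = """\
ip policy 1 fw tcp 0 global
ip policy 2 fw udp 0 global
server fw-port 5
server router-port 8
"""
BAD_CONFIG = """\
ip policy 1 fw tcp 80 global
ip policy 70 fw udp 0 global
server router-port 1 2 3 4 5 6 7 8 9
"""

POLICY_RE = re.compile(r"^ip policy (\d+) fw (tcp|udp) (\d+)\s*(\S*)$")

def audit_fwlb(config, ironclad=True):
    """Return a list of findings; an empty list means every check passed."""
    findings, enabled = [], set()
    have_fw_port = have_router_port = False
    for raw in config.splitlines():
        line = re.sub(r"^\S+\(config\)#\s*", "", raw.strip())  # drop a CLI prompt if present
        m = POLICY_RE.match(line)
        if m:
            num, proto, port, scope = int(m[1]), m[2], m[3], m[4]
            problems = [msg for bad, msg in (
                (not 1 <= num <= 64, "number outside 1-64"),
                (port != "0", f"{proto} port {port}, FWLB requires 0"),
                (scope != "global", "not global; local policies are not applicable to FWLB"),
            ) if bad]
            findings += [f"policy {num}: {p}" for p in problems]
            if not problems:
                enabled.add(proto)  # this protocol has a valid global FWLB policy
        elif line.startswith("server fw-port "):
            have_fw_port = True
        elif re.match(r"^server router-ports? ", line):  # the guide shows both spellings
            have_router_port = True
            if len(line.split()) - 2 > 8:
                findings.append("router-port line lists more than eight ports")
    for proto in ("tcp", "udp"):
        if proto not in enabled:
            findings.append(f"no valid global FWLB policy for {proto}")
    if ironclad and not have_fw_port:
        findings.append("IronClad: partner port (server fw-port) not set")
    if ironclad and not have_router_port:
        findings.append("IronClad: no router ports defined")
    return findings
```

Pass `ironclad=False` when auditing a configuration that does not use IronClad FWLB, so the partner-port and router-port checks are skipped.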