Technical data
Firewall Load Balancing Guide
7 - 18 © 2012 Brocade Communications Systems, Inc. May 31, 2012
SI-ActiveA(config)# ip policy 1 fw tcp 0 global
SI-ActiveA(config)# ip policy 2 fw udp 0 global
SI-ActiveA(config)# write memory
Alternative Configuration for Active ServerIron A
The example above configures FWLB for NAT firewalls by adding firewall definitions for the IP addresses the NAT
service on the firewalls uses for traffic sent from a client inside the firewalls to a destination outside the firewalls.
Alternatively, you can configure IP access policies that deny load balancing for the NAT addresses. For the
example in Figure 7.2 on page 7-9, you would enter the following commands:
ServerIron-A(config)# ip filter 1 deny any 192.168.2.3 255.255.255.255
ServerIron-A(config)# ip filter 2 deny any 192.168.3.2 255.255.255.255
ServerIron-A(config)# ip filter 1024 permit any
The first two commands configure policies to deny load balancing for the two NAT addresses. The third command
allows all other traffic to be load balanced.
NOTE: The third policy, which permits all traffic, is required because once you define an access policy, the
default action for packets that do not match any policy is to deny them. If you configure only the first two
policies and not the third, you disable load balancing altogether, because load balancing is then denied for all
packets.
The other commands are the same as in the previous section.
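The NOTE above, as a small Python model (an added example, not Brocade code): it parses the three ip filter lines from this page and checks destinations with and without filter 1024. It assumes filters are evaluated in ascending number order with the first match winning, and that the leading "any" is the source while the address/mask pair is the destination; 10.1.1.50 is a constructed sample address.

```python
import ipaddress

# The three filters from the page, without the CLI prompt.
FILTERS = """\
ip filter 1 deny any 192.168.2.3 255.255.255.255
ip filter 2 deny any 192.168.3.2 255.255.255.255
ip filter 1024 permit any
"""

def parse_filters(text):
    """Return [(number, action, dst_network_or_None)] sorted by filter number."""
    rules = []
    for line in text.splitlines():
        tok = line.split()
        if tok[:2] != ["ip", "filter"]:
            continue
        num, action, rest = int(tok[2]), tok[3], tok[4:]
        if action not in ("permit", "deny") or rest[:1] != ["any"] or len(rest) not in (1, 3):
            raise ValueError(f"unsupported filter form: {line!r}")
        # Assumption: leading "any" = source; an address/mask pair after it = destination.
        dst = ipaddress.ip_network(f"{rest[1]}/{rest[2]}", strict=False) if len(rest) == 3 else None
        rules.append((num, action, dst))
    return sorted(rules, key=lambda r: r[0])

def load_balanced(rules, dst_ip):
    """True if a packet to dst_ip is load balanced under first-match evaluation."""
    if not rules:
        return True  # inferred from the NOTE: the implicit deny only exists once a policy is defined
    addr = ipaddress.ip_address(dst_ip)
    for _num, action, dst in rules:
        if dst is None or addr in dst:
            return action == "permit"
    return False  # implicit deny for packets that match no policy

def demo():
    """Map each sample destination to (result with filter 1024, result without it)."""
    full = parse_filters(FILTERS)
    no_permit = [r for r in full if r[0] != 1024]
    sample = ["192.168.2.3", "192.168.3.2", "10.1.1.50"]  # last one is constructed
    return {ip: (load_balanced(full, ip), load_balanced(no_permit, ip)) for ip in sample}

if __name__ == "__main__":
    for ip, (with_1024, without_1024) in demo().items():
        print(f"{ip:<12} with 1024: {with_1024!s:<5} without 1024: {without_1024}")
```

With all three filters only the two NAT addresses are excluded from load balancing; with filter 1024 removed, every destination is excluded.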
Commands on Standby ServerIron A (External Standby)
SI-StandbyA(config)# ip address 192.168.2.10/24
SI-StandbyA(config)# ip default-gateway 192.168.2.2
SI-StandbyA(config)# vlan 10 by port
SI-StandbyA(config-vlan-10)# untagged 5 to 6
SI-StandbyA(config-vlan-10)# exit
SI-StandbyA(config)# trunk switch ethernet 5 to 6
SI-StandbyA(config)# server router-port 8
SI-StandbyA(config)# server fw-port 5
SI-StandbyA(config)# server fw-name fw2-1 192.168.2.2
SI-StandbyA(config-rs-fw2-1)# exit
SI-StandbyA(config)# server fw-name fw2-2 192.168.2.3
SI-StandbyA(config-rs-fw2-2)# exit
SI-StandbyA(config)# server fw-group 2
SI-StandbyA(config-tc-2)# sym-priority 1
SI-StandbyA(config-tc-2)# fw-name fw2-1
SI-StandbyA(config-tc-2)# fw-name fw2-2
SI-StandbyA(config-tc-2)# fwall-info 1 1 3.3.3.20 192.168.2.2
SI-StandbyA(config-tc-2)# fwall-info 2 2 3.3.3.20 192.168.2.3
SI-StandbyA(config-tc-2)# fwall-info 3 1 4.4.4.20 192.168.2.2
SI-StandbyA(config-tc-2)# fwall-info 4 2 4.4.4.20 192.168.2.3
SI-StandbyA(config-tc-2)# fwall-info 5 8 192.168.2.1 192.168.2.1
SI-StandbyA(config-tc-2)# exit
SI-StandbyA(config)# vlan 1
SI-StandbyA(config-vlan-1)# static-mac-address abcd.4321.a53d ethernet 2 high-priority router-type
SI-StandbyA(config-vlan-1)# static-mac-address abcd.4321.2499 ethernet 1 high-priority router-type
SI-StandbyA(config-vlan-1)# exit
SI-StandbyA(config)# ip policy 1 fw tcp 0 global
SI-StandbyA(config)# ip policy 2 fw udp 0 global
SI-StandbyA(config)# write memory