Technical data

Configuring FWLB for NAT Firewalls
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 7 - 19
Alternative Configuration for Standby ServerIron A
The example above configures FWLB for NAT firewalls by adding firewall definitions for the IP addresses the NAT
service on the firewalls uses for traffic sent from a client inside the firewalls to a destination outside the firewalls.
Alternatively, you can configure IP access policies that deny load balancing for the NAT addresses. For the
example in Figure 7.2 on page 7-9, you would enter the following commands:
SI-StandbyA(config)# ip filter 1 deny any 192.168.2.3 255.255.255.255
SI-StandbyA(config)# ip filter 2 deny any 192.168.3.2 255.255.255.255
SI-StandbyA(config)# ip filter 1024 permit any any
The first two commands configure policies to deny load balancing for the two NAT addresses. The third command
allows all other traffic to be load balanced.
NOTE: The third policy, which permits all traffic, is required because once you define an access policy, the
default action for packets that do not match any policy is to deny them. Thus, if you configure only the first two
policies and not the third one, you disable load balancing altogether, because every packet is denied.
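As an added example that is not part of the Brocade manual, the following Python models the policy semantics the note describes (first match in ascending filter number decides; once any policy exists, unmatched packets are denied) so a configuration review can catch the lockout before the policy is applied. The parsing of `ip filter <id> <deny|permit> <src> <dst>` with `any` or `address mask` operands is a simplified assumption about the syntax, and the sample policies are constructed from the commands above.

```python
import ipaddress

# Constructed sample policies built from the two cases the manual describes;
# this is an added example, not ServerIron code.
FULL_POLICY = """
SI-StandbyA(config)# ip filter 1 deny any 192.168.2.3 255.255.255.255
SI-StandbyA(config)# ip filter 2 deny any 192.168.3.2 255.255.255.255
SI-StandbyA(config)# ip filter 1024 permit any any
"""
PARTIAL_POLICY = "\n".join(FULL_POLICY.strip().splitlines()[:2])  # third policy omitted

def _parse_addr(tokens):
    """Consume 'any' or '<address> <mask>' (assumed syntax); return (network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    net = ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False)
    return net, tokens[2:]

def parse_filters(config_text):
    """Parse 'ip filter <id> <deny|permit> <src> <dst>' lines into (id, action, src, dst), ordered by id."""
    rules = []
    for line in config_text.splitlines():
        if "#" in line:                       # strip a CLI prompt such as 'SI-StandbyA(config)#'
            line = line.split("#", 1)[1]
        tokens = line.split()
        if tokens[:2] != ["ip", "filter"]:
            continue                          # other configuration lines do not affect the policy
        fid, action = int(tokens[2]), tokens[3]
        src, rest = _parse_addr(tokens[4:])
        dst, _ = _parse_addr(rest)
        rules.append((fid, action, src, dst))
    return sorted(rules, key=lambda r: r[0])

def load_balanced(rules, src_ip, dst_ip):
    """True if the packet is load balanced. The first matching policy decides; an unmatched
    packet is denied as soon as any policy exists and permitted only when no policy is defined."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for _, action, snet, dnet in rules:
        if src in snet and dst in dnet:
            return action == "permit"
    return not rules

def lockout_risk(rules):
    """Review check: policies exist but none permits anything, so nothing is load balanced."""
    return bool(rules) and not any(action == "permit" for _, action, _, _ in rules)
```

Running `lockout_risk(parse_filters(PARTIAL_POLICY))` reports the misconfiguration the note warns about, while the full three-policy set denies only the two NAT addresses.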
The other commands are the same as in the previous section.
Commands on Active ServerIron B (Internal Active)
SI-ActiveB(config)# ip address 3.3.3.20/24
SI-ActiveB(config)# ip default-gateway 4.4.4.11
SI-ActiveB(config)# vlan 10 by port
SI-ActiveB(config-vlan-10)# untagged 5 to 6
SI-ActiveB(config-vlan-10)# exit
SI-ActiveB(config)# trunk switch ethernet 5 to 6
SI-ActiveB(config)# server router-port 8
SI-ActiveB(config)# server fw-port 5
SI-ActiveB(config)# server fw-name fw2-1 4.4.4.10
SI-ActiveB(config-rs-fw2-1)# exit
SI-ActiveB(config)# server fw-name fw2-2 4.4.4.11
SI-ActiveB(config-rs-fw2-2)# exit
SI-ActiveB(config)# server fw-group 2
SI-ActiveB(config-tc-2)# sym-priority 255
SI-ActiveB(config-tc-2)# fw-name fw2-1
SI-ActiveB(config-tc-2)# fw-name fw2-2
SI-ActiveB(config-tc-2)# fwall-info 1 1 192.168.2.10 4.4.4.10
SI-ActiveB(config-tc-2)# fwall-info 2 2 192.168.2.10 4.4.4.11
SI-ActiveB(config-tc-2)# fwall-info 3 1 192.168.1.10 4.4.4.10
SI-ActiveB(config-tc-2)# fwall-info 4 2 192.168.1.10 4.4.4.11
SI-ActiveB(config-tc-2)# fwall-info 5 8 4.4.4.30 4.4.4.30
SI-ActiveB(config-tc-2)# exit
SI-ActiveB(config)# vlan 1
SI-ActiveB(config-vlan-1)# static-mac-address abcd.4321.249b ethernet 1 high-priority router-type
SI-ActiveB(config-vlan-1)# static-mac-address abcd.4321.a53f ethernet 2 high-priority router-type
SI-ActiveB(config-vlan-1)# exit
SI-ActiveB(config)# ip policy 1 fw tcp 0 global
SI-ActiveB(config)# ip policy 2 fw udp 0 global
SI-ActiveB(config)# write memory