Technical data
Firewall Load Balancing Guide
3 - 2 © 2012 Brocade Communications Systems, Inc. May 31, 2012
• “Static Route Environments” on page 3-2
• “Layer 2 Firewall Environments” on page 3-2
Synchronous Firewall Environments
In general, synchronized firewalls allow the inbound and outbound traffic of a conversation to pass through different firewalls. The firewalls exchange state information about the conversation, so traffic does not need to be revalidated each time it arrives at a different firewall. Even though the firewalls themselves are synchronized, you still need to configure paths on the ServerIrons.
Asynchronous Firewall Environments
Asynchronous firewalls do not exchange information about conversations, so traffic must be revalidated each time it arrives at a different firewall. The path information you configure on the ServerIron keeps both directions of a conversation on the same firewall, providing the synchronization the firewalls themselves lack and avoiding needless revalidations.
NAT Firewall Environments
Firewalls that perform NAT translate private network addresses (for example, 10.0.0.1) on the private side of the firewall into Internet addresses (for example, 209.157.22.26) on the public side of the firewall.
Dynamic Route Environments
ServerIrons in IronClad (high-availability) configurations automatically block Layer 3 route traffic at the backup ServerIron to avoid loops, which simplifies configuration in these environments. See “Router Paths” on page 3-9.
Static Route Environments
Firewalls in static route environments have static or default routes, as do the external (Internet) and internal routers.
Layer 2 Firewall Environments
Layer 2 firewalls do not route (as Layer 3 firewalls do), so the path configuration differs slightly from the path configuration for Layer 3 firewalls.
NOTE: In all types of FWLB configurations, the ServerIrons must be able to reach the firewalls at Layer 2. The firewalls must therefore be directly attached to the ServerIrons or attached to them through Layer 2 devices.
Load Balancing Paths
To send traffic through firewalls, the ServerIron uses paths. A path consists of the following information:
• Path ID
The path ID is a number that identifies the path. In a basic FWLB configuration, the paths go from one ServerIron to the other through the firewalls. In IronClad FWLB, additional paths go to routers. On each ServerIron, the path IDs must be contiguous (with no gaps), starting with path ID 1.
• ServerIron port
The number of the port that connects the ServerIron to the firewall.
• Destination IP address
The management address of the ServerIron or Layer 2 switch on the other side of the firewall. The ServerIron on the private network side and the other ServerIron or Layer 2 switch are the end points of the data path through the firewall. If the path goes to a router, this parameter is the IP address of the firewall’s interface with the ServerIron.
• Next-hop IP address
The IP address of the firewall interface connected to this ServerIron.
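The following added example (not from the guide and not ServerIron CLI) models a path table with the four fields above and checks the two constraints the text states: path IDs contiguous from 1, and the firewall next-hop reachable at Layer 2, which is taken here to mean the next-hop lies in the ServerIron's own firewall-facing subnet. The subnet, ports and addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import List


@dataclass(frozen=True)
class FwlbPath:
    """One load-balancing path with the four fields described in the text (constructed model)."""
    path_id: int            # must be contiguous from 1 on each ServerIron
    port: int               # ServerIron port that connects to the firewall
    dest_ip: IPv4Address    # management address of the peer ServerIron / Layer 2 switch
    next_hop: IPv4Address   # firewall interface connected to this ServerIron


def validate_paths(paths: List[FwlbPath], local_subnet: IPv4Network) -> List[str]:
    """Return a list of configuration problems; an empty list means the table is consistent."""
    problems = []
    ids = sorted(p.path_id for p in paths)
    dupes = sorted({i for i in ids if ids.count(i) > 1})
    if dupes:
        problems.append(f"duplicate path IDs: {dupes}")
    # Path IDs must run 1, 2, 3, ... with no gaps.
    if sorted(set(ids)) != list(range(1, len(set(ids)) + 1)):
        problems.append(f"path IDs must be contiguous starting at 1, got {ids}")
    for p in paths:
        # The NOTE requires Layer 2 reachability to the firewall; the assumption here is
        # that the firewall's ServerIron-facing interface must be in the local subnet.
        if p.next_hop not in local_subnet:
            problems.append(f"path {p.path_id}: next-hop {p.next_hop} is not in {local_subnet}")
    return problems


# Constructed sample topology: two firewalls between this ServerIron and a peer.
LOCAL_SUBNET = IPv4Network("10.1.1.0/24")      # ServerIron-to-firewall segment
PEER_MGMT = IPv4Address("10.10.10.2")          # peer ServerIron management address

GOOD_PATHS = [
    FwlbPath(1, 3, PEER_MGMT, IPv4Address("10.1.1.1")),
    FwlbPath(2, 4, PEER_MGMT, IPv4Address("10.1.1.2")),
]
BAD_PATHS = [
    FwlbPath(1, 3, PEER_MGMT, IPv4Address("10.1.1.1")),
    FwlbPath(3, 4, PEER_MGMT, IPv4Address("192.168.5.2")),   # ID gap, next-hop not Layer 2 adjacent
]

if __name__ == "__main__":
    for name, table in (("good", GOOD_PATHS), ("bad", BAD_PATHS)):
        print(name, validate_paths(table, LOCAL_SUBNET) or ["ok"])
```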