Technical data
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 10 - 1
Chapter 10
Configuring FWLB for Layer 2 Firewalls
The steps for configuring IronClad FWLB for Layer 2 firewalls are similar to those for configuring Layer 3 FWLB for
static routes. In addition to the basic FWLB configuration steps, perform the following steps:
• On each ServerIron, configure all the ports connected to all the firewalls as a trunk group.
• Disable the Spanning Tree Protocol (STP). STP is enabled by default on the ServerIron.
• Disable Layer 2 traffic on the standby ServerIrons. To do so, you specify the L2-fwall option on each
ServerIron (both active and standby). This step is required because all traffic on the standby firewalls in a
static route configuration must be blocked. Normally, the standby ServerIron blocks only routing protocol
packets but allows other types of packets to pass through the device. In a static route configuration, you need
to block all the traffic from passing through the standby ServerIron. If you do not enable this mode to block the
traffic, loops can occur.
You must enable the L2-fwall option on all the ServerIrons in the configuration, whether they are active or
standby by default.
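The reason the L2-fwall option is required on every ServerIron can be seen in a small topology model. The following is an added example, not code or CLI from the Brocade manual: it models each ServerIron as a bridge with an active/standby role and an L2-fwall flag, collapses each trunk group to the firewalls into one logical link and the transparent firewalls into one bridge domain (both are constructed simplifications), and runs union-find cycle detection over the resulting Layer 2 adjacency. With STP disabled, a standby unit that still bridges Layer 2 traffic is a second path between the same segments, which is exactly the loop the text warns about. The names `SI-A` to `SI-D`, `router_out`, `router_in` and `FW` are placeholders for this example.

```python
"""Constructed model of a Layer 2 FWLB topology (not the product's own code):
shows why standby ServerIrons must block Layer 2 traffic once STP is off."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class ServerIron:
    name: str
    role: str                      # "active" or "standby"
    l2_fwall: bool = False         # the chapter's L2-fwall option, modelled as a flag
    stp_enabled: bool = True       # STP is enabled by default on a ServerIron
    fw_ports_trunked: bool = True  # all firewall-facing ports in one trunk group

    def bridges_l2(self) -> bool:
        """An active unit always forwards. A standby unit still bridges Layer 2
        frames unless L2-fwall tells it to block all traffic."""
        return self.role == "active" or not self.l2_fwall


def l2_edges(outside: List[ServerIron], inside: List[ServerIron]) -> Set[Tuple[str, str]]:
    """Layer 2 adjacency of the topology. Simplifications (constructed here):
    each ServerIron's trunk group to the firewalls is one logical link, and the
    transparent firewalls together form one bridge domain called "FW".
    A ServerIron that blocks Layer 2 traffic contributes no edges."""
    edges: Set[Tuple[str, str]] = set()
    for si in outside:
        if si.bridges_l2():
            edges.add(("router_out", si.name))
            edges.add((si.name, "FW"))
    for si in inside:
        if si.bridges_l2():
            edges.add(("FW", si.name))
            edges.add((si.name, "router_in"))
    return edges


def has_l2_loop(edges: Set[Tuple[str, str]]) -> bool:
    """Union-find cycle detection: an edge joining two nodes that are already
    connected is a second path, i.e. a bridging loop nothing will break."""
    parent: Dict[str, str] = {}

    def find(x: str) -> str:
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    for a, b in edges:
        ra, rb = find(a), find(b)
        if ra == rb:
            return True
        parent[ra] = rb
    return False


def config_findings(units: List[ServerIron]) -> List[str]:
    """Checks mirroring the three extra steps listed for Layer 2 FWLB."""
    findings: List[str] = []
    for si in units:
        if not si.fw_ports_trunked:
            findings.append(f"{si.name}: firewall ports are not in a trunk group")
        if si.stp_enabled:
            findings.append(f"{si.name}: STP is still enabled")
        if not si.l2_fwall:
            findings.append(f"{si.name}: L2-fwall not enabled (required on active and standby)")
    return findings


def build(l2_fwall: bool) -> Tuple[List[ServerIron], List[ServerIron]]:
    """Two ServerIrons on each side of the firewalls, STP already disabled."""
    outside = [ServerIron("SI-A", "active", l2_fwall, stp_enabled=False),
               ServerIron("SI-B", "standby", l2_fwall, stp_enabled=False)]
    inside = [ServerIron("SI-C", "active", l2_fwall, stp_enabled=False),
              ServerIron("SI-D", "standby", l2_fwall, stp_enabled=False)]
    return outside, inside


if __name__ == "__main__":
    for flag in (False, True):
        out, inn = build(flag)
        loop = has_l2_loop(l2_edges(out, inn))
        print(f"L2-fwall={flag}: loop={loop}, findings={config_findings(out + inn)}")
```

Running the block shows a loop with L2-fwall off on the standby units and none with it on. Enabling it on only one side is not enough: re-enabling bridging on `SI-D` alone reconnects `FW` to `router_in` through two units and the loop is back, which is why the text requires the option on every ServerIron.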
In addition, when you configure the paths through the firewalls to the other ServerIrons, you do not specify the
firewall IP address as the next hop. Instead, you specify the IP address of the other ServerIron as the path’s next
hop, as well as the path destination.
Configuring FWLB for Layer 2 Firewalls
Figure 10.1 on page 10-2 shows an example of an IronClad FWLB configuration for Layer 2 firewalls.
NOTE: This example is for an IronClad configuration. However, you also can configure ServerIrons for basic
FWLB with Layer 2 firewalls.
As shown in this example, the Internet router has two static routes. One of the static routes goes to the router
interface connected to the internal ServerIrons on the other side of the firewalls. The other static route goes to the
network on the other side of the internal network router.
The internal network router has a default route that goes to the IP interface on the Internet router that is connected
to the ServerIrons.
The IP interface on each router that is connected to ServerIrons is a virtual interface. On Brocade Layer 3 Switches,
you can configure the same IP address on multiple ports if you configure the ports in a port-based VLAN, add a
virtual interface to the VLAN, and then configure the IP address on the virtual interface. The configuration example
at the end of this section includes the CLI commands for configuring the interface.