Technical data

Configuring FWLB for Layer 2 Firewalls
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 10 - 9
NOTE: The user interface allows you to enable FWLB locally instead of globally. However, local policies are not
applicable to FWLB. Enable the feature globally.
To enable FWLB globally, use the following method.
USING THE CLI
Enter the following commands at the global CONFIG level to enable FWLB for all TCP and UDP traffic:
ServerIron(config)# ip policy 1 fw tcp 0 global
ServerIron(config)# ip policy 2 fw udp 0 global
Syntax: [no] ip policy <policy-num> fw tcp | udp 0 global
The <policy-num> value identifies the policy and can be a number from 1 – 64.
Each policy affects TCP or UDP traffic, so you must specify tcp or udp.
The value 0 following the tcp | udp parameter specifies that the policy applies to all ports of the specified type
(TCP or UDP). In this command, “0” is equivalent to “any port number”. For FWLB, you must specify “0”.
NOTE: Generally, the firewall itself performs validation and authentication for the traffic, so allowing the
ServerIron to pass all traffic of the specified type (TCP or UDP) to the firewall simplifies configuration.
Configuration Example for FWLB with Layer 2 Firewalls
This section shows the ServerIron CLI commands for implementing the configuration shown in Figure 10.1 on
page 10-2. Note that the configuration steps for the ServerIrons are similar to those required for the IronClad
configuration shown in 8-1 (Layer 3 firewalls in a static route environment).
Commands on Active ServerIron A (External Active)
SI-ActiveA(config)# ip address 1.1.1.10/24
SI-ActiveA(config)# ip default-gateway 1.1.1.1
The commands above add a management IP address and default gateway address to the ServerIron. For the
configuration in this example, the ServerIron needs to be in only one subnet, so no additional IP addresses are
added. However, the IP address must be in the same subnet as the ServerIron's interface to the Layer 2 firewalls.
SI-ActiveA(config)# no span
The no span command disables the Spanning Tree Protocol (STP). You must disable STP on all the devices in a
Layer 2 FWLB configuration such as the one in this example.
SI-ActiveA(config)# vlan 2 by port
SI-ActiveA(config-vlan-2)# untagged ethernet 13 to 14
SI-ActiveA(config-vlan-2)# exit
The commands above configure a port-based VLAN (separate Layer 2 broadcast domain) for the dedicated link to
the partner ServerIron (the other ServerIron in the active-standby pair). The partner link must be in a separate
Layer 2 broadcast domain.
SI-ActiveA(config)# trunk switch ethernet 13 to 14
The trunk command creates a trunk group for the ports that connect this ServerIron to its partner. (These are the
ports configured in the separate Layer 2 VLAN above.) Using a trunk group for the link between the active and
standby ServerIrons is not required, but using a trunk group adds an additional level of redundancy for enhanced
availability. If one of the ports in a trunk group goes down, the link remains intact as long as the other port remains
up. Since the trunk group is between two ServerIron switches, make sure you configure a switch trunk group, not a
server trunk group.
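The policy syntax rules given above (policy number 1 to 64, tcp or udp, port 0, global) and the Layer 2 requirements for the active ServerIron (STP disabled, partner link in its own port-based VLAN, a switch rather than server trunk) are the kind of constraints worth checking mechanically before a configuration is pushed. The following Python linter is an added example, not Brocade's code or tooling: it walks a ServerIron configuration transcript and reports violations of the constraints stated on this page. The command forms are the ones shown above; the sample configuration is constructed for the example and deliberately includes defects, and the default-gateway check is an assumption added here (with a single subnet, the gateway must fall inside the management subnet).

```python
"""Lint a ServerIron configuration transcript against the FWLB rules stated
on the page: 'ip policy' syntax, STP disabled, partner VLAN and switch trunk.
Added example; only the command forms come from the page."""
import ipaddress
import re
from typing import Dict, List, Set

# Constructed sample configuration: the page's commands with three deliberate
# defects (port 80 instead of 0, policy number 70, a 'server' trunk) and with
# 'no span' left out, so every check has something to report.
SAMPLE_CONFIG = """\
ip address 1.1.1.10/24
ip default-gateway 1.1.1.1
ip policy 1 fw tcp 0 global
ip policy 2 fw udp 0 global
ip policy 3 fw tcp 80 global
ip policy 70 fw udp 0 global
vlan 2 by port
untagged ethernet 13 to 14
exit
trunk server ethernet 13 to 14
"""

# Form given on the page: ip policy <policy-num> fw tcp|udp 0 global
# (the last field is captured loosely so a non-global scope can be reported)
POLICY_RE = re.compile(r"^ip policy (\d+) fw (tcp|udp) (\d+) (\S+)$")


def _ports(spec: List[str]) -> Set[int]:
    """Expand the tokens after 'ethernet' ('13 to 14' or '13') into port numbers."""
    nums = [int(t) for t in spec if t.isdigit()]
    return set(range(nums[0], nums[-1] + 1)) if len(nums) > 1 else set(nums)


def check_fwlb_policies(config: str) -> List[str]:
    """Report 'ip policy ... fw' lines that break the documented constraints."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        line = line.strip()
        if not line.startswith("ip policy "):
            continue
        m = POLICY_RE.match(line)
        if not m:
            findings.append(f"line {lineno}: not of the form "
                            f"'ip policy <policy-num> fw tcp|udp 0 global': {line!r}")
            continue
        num, port, scope = int(m.group(1)), int(m.group(3)), m.group(4)
        if not 1 <= num <= 64:
            findings.append(f"line {lineno}: policy number {num} is outside 1-64")
        if port != 0:
            findings.append(f"line {lineno}: FWLB needs port 0 (any port), got {port}")
        if scope != "global":
            findings.append(f"line {lineno}: FWLB policies must be global, got {scope!r}")
    return findings


def check_layer2_requirements(config: str) -> List[str]:
    """Report missing 'no span', a non-switch partner trunk, trunk ports that are
    not all inside one separate port-based VLAN, and a gateway outside the subnet."""
    findings = []
    lines = [ln.strip() for ln in config.splitlines()]
    if "no span" not in lines:
        findings.append("'no span' missing: STP must be disabled on every device "
                        "in a Layer 2 FWLB configuration")
    vlan_ports: Dict[int, Set[int]] = {}
    trunk_ports: Set[int] = set()
    current_vlan = None
    addr = gw = None
    for lineno, line in enumerate(lines, 1):
        tok = line.split()
        if not tok:
            continue
        if tok[0] == "vlan" and "by" in tok:          # enter 'vlan N by port' context
            current_vlan = int(tok[1])
            vlan_ports.setdefault(current_vlan, set())
        elif tok[0] == "exit":
            current_vlan = None
        elif tok[0] == "untagged" and current_vlan is not None:
            vlan_ports[current_vlan] |= _ports(tok[tok.index("ethernet") + 1:])
        elif tok[0] == "trunk":
            if tok[1] != "switch":
                findings.append(f"line {lineno}: ServerIron-to-ServerIron link must be "
                                f"a switch trunk, not a {tok[1]!r} trunk")
            trunk_ports |= _ports(tok[tok.index("ethernet") + 1:])
        elif tok[:2] == ["ip", "address"]:
            addr = ipaddress.ip_interface(tok[2])
        elif tok[:2] == ["ip", "default-gateway"]:
            gw = ipaddress.ip_address(tok[2])
    if trunk_ports and not any(trunk_ports <= p for p in vlan_ports.values()):
        findings.append("partner-link trunk ports are not all inside one separate "
                        "port-based VLAN")
    # Assumption added here: with a single subnet, the gateway must lie inside it.
    if addr and gw and gw not in addr.network:
        findings.append(f"default gateway {gw} is not in management subnet {addr.network}")
    return findings


def lint_config(config: str) -> List[str]:
    """Run both check groups and return all findings in config order."""
    return check_fwlb_policies(config) + check_layer2_requirements(config)


if __name__ == "__main__":
    for finding in lint_config(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample it reports the port-80 policy, the out-of-range policy number, the missing `no span` and the server trunk; feed it the page's commands as written and it returns an empty list. The VLAN check mirrors the requirement that the partner link sit in its own Layer 2 broadcast domain: every trunk port must appear in one configured port-based VLAN.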
SI-ActiveA(config)# server fw-port 13