Technical data
Configuring FWLB for Layer 2 Firewalls
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 10 - 11
SI-ActiveA(config-tc-2)# fwall-info 4 2 1.1.1.40 1.1.1.40
SI-ActiveA(config-tc-2)# fwall-info 5 9 1.1.1.1 1.1.1.1
SI-ActiveA(config-tc-2)# exit
The commands below add static entries to the ServerIron’s MAC table for the firewall interfaces. The high-priority
and fixed-host parameters are required.
NOTE: Use the fixed-host parameter only for Layer 2 firewall configurations such as the one in this example.
The parameter “fixes” the address to the ServerIron port you specify and prevents other ports on the ServerIron
from learning it. Use the router-type parameter for all other types of FWLB configurations. The fixed-host
parameter is supported only on stackable ServerIrons.
SI-ActiveA(config)# vlan 1
SI-ActiveA(config-vlan-1)# static-mac-address 00e0.5200.3489 ethernet 1 high-priority fixed-host
SI-ActiveA(config-vlan-1)# static-mac-address 00e0.5202.e282 ethernet 2 high-priority fixed-host
SI-ActiveA(config-vlan-1)# exit
NOTE: If you enter the command at the global CONFIG level, the static MAC entry applies to the default port-
based VLAN (VLAN 1). If you enter the command at the configuration level for a specific port-based VLAN, the
entry applies to that VLAN and not to the default VLAN.
The commands below globally enable firewall balancing. The “0” parameter is required and enables the ServerIron
to provide FWLB for all packets of the specified type (TCP or UDP). The write memory command saves the
configuration changes made by all these commands to the ServerIron’s startup-config file.
SI-ActiveA(config)# ip policy 1 fw tcp 0 global
SI-ActiveA(config)# ip policy 2 fw udp 0 global
SI-ActiveA(config)# write memory
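The following audit script is an added example, not part of the Brocade documentation. It checks saved configuration text, or a pasted CLI session, against the two requirements stated above: static MAC entries carry both high-priority and fixed-host, and FWLB is enabled globally with the "0" parameter. The function name, the sample text and the expectation that both TCP and UDP are balanced (as in this example) are assumptions.

```python
import re

# Constructed sample in the style of this example; the second static MAC
# entry deliberately omits fixed-host and the UDP policy is missing.
SAMPLE_CONFIG = """\
vlan 1
 static-mac-address 00e0.5200.3489 ethernet 1 high-priority fixed-host
 static-mac-address 00e0.5202.e282 ethernet 2 high-priority
ip policy 1 fw tcp 0 global
"""

PROMPT_RE = re.compile(r"^\S+\(config[^)]*\)#\s*")
MAC_RE = re.compile(r"^static-mac-address\s+(\S+)\s+ethernet\s+(\S+)(.*)$")
POLICY_RE = re.compile(r"^ip policy\s+\d+\s+fw\s+(tcp|udp)\s+(.*)$")


def audit_l2_fwlb(config_text):
    """Return findings where the text departs from the Layer 2 FWLB example."""
    findings = []
    balanced = set()
    for raw in config_text.splitlines():
        line = PROMPT_RE.sub("", raw.strip())  # accept pasted CLI sessions too
        mac = MAC_RE.match(line)
        if mac:
            address, port = mac.group(1), mac.group(2)
            options = mac.group(3).split()
            for required in ("high-priority", "fixed-host"):
                if required not in options:
                    findings.append(f"{address} on port {port}: missing {required}")
            continue
        policy = POLICY_RE.match(line)
        # Only "0 global" counts as balancing all packets of that type.
        if policy and policy.group(2).split() == ["0", "global"]:
            balanced.add(policy.group(1))
    for protocol in ("tcp", "udp"):
        if protocol not in balanced:
            findings.append(f"no global FWLB policy with port 0 for {protocol}")
    return findings


if __name__ == "__main__":
    for finding in audit_l2_fwlb(SAMPLE_CONFIG):
        print(finding)
```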
Commands on Standby ServerIron A (External Standby)
SI-StandbyA(config)# ip address 1.1.1.20/24
SI-StandbyA(config)# ip default-gateway 1.1.1.1
SI-StandbyA(config)# no span
SI-StandbyA(config)# vlan 2 by port
SI-StandbyA(config-vlan-2)# untagged ethernet 13 to 14
SI-StandbyA(config-vlan-2)# exit
SI-StandbyA(config)# trunk switch ethernet 13 to 14
SI-StandbyA(config)# server fw-port 13
SI-StandbyA(config)# server router-port 17
SI-StandbyA(config)# server fw-group 2
SI-StandbyA(config-tc-2)# l2-fwall
SI-StandbyA(config-tc-2)# exit
SI-StandbyA(config)# server fw-name 01fw1 1.1.1.100
SI-StandbyA(config-rs-01fw1)# exit
SI-StandbyA(config)# server fw-name 02fw2 1.1.1.101
SI-StandbyA(config-rs-02fw2)# exit
SI-StandbyA(config)# server fw-group 2
SI-StandbyA(config-tc-2)# sym-priority 1
SI-StandbyA(config-tc-2)# fw-name 01fw1
SI-StandbyA(config-tc-2)# fw-name 02fw2
SI-StandbyA(config-tc-2)# fwall-info 1 1 1.1.1.30 1.1.1.30
SI-StandbyA(config-tc-2)# fwall-info 2 2 1.1.1.30 1.1.1.30
SI-StandbyA(config-tc-2)# fwall-info 3 1 1.1.1.40 1.1.1.40
SI-StandbyA(config-tc-2)# fwall-info 4 2 1.1.1.40 1.1.1.40
SI-StandbyA(config-tc-2)# fwall-info 5 17 1.1.1.1 1.1.1.1
SI-StandbyA(config-tc-2)# exit
SI-StandbyA(config)# vlan 1