Technical data

Additional Firewall Configurations
May 31, 2012 © 2012 Brocade Communications Systems, Inc. A - 7
The <start-num> parameter specifies the starting port number in the range. Specify the port number at the lower
end of the range.
The <end-num> parameter specifies the ending port number in the range. Specify the port number at the higher
end of the range.
Overriding the Global Hash Values
By default, the ServerIron uses the hash mask you configure for the firewall group for all hash-based load
balancing of firewall traffic. You can override the global hash mask for specific traffic based on source or
destination address information.
Here is a CLI example:
ServerIron(config)# access-list 100 permit ip any 192.168.1.16 0.0.0.15
ServerIron(config)# access-list 100 permit ip any 192.168.2.0 0.0.0.255
ServerIron(config)# access-list 100 permit ip any 192.168.3.192 0.0.0.63
ServerIron(config)# access-list 100 permit ip any 192.168.4.0 0.0.0.255
ServerIron(config)# access-list 100 permit ip any 192.168.3.160 0.0.0.31
ServerIron(config)# access-list 100 permit ip any 192.168.3.0 0.0.0.127
ServerIron(config)# access-list 100 permit ip any 64.129.1.0 0.0.0.255
ServerIron(config)# server fw-group-2
ServerIron(config-tc-2)# hash-mask 255.255.255.255 0.0.0.0
ServerIron(config-tc-2)# policy-hash-acl 100 255.255.255.255 255.255.255.255
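In this example, FWLB uses the hash mask 255.255.255.255 0.0.0.0 for all traffic except the traffic that
matches ACL 100. Traffic that matches ACL 100 is hashed with the destination mask 255.255.255.255 and the
source mask 255.255.255.255 given on the policy-hash-acl command.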
Syntax: [no] server policy-hash-acl <acl-id> <dst-mask> <src-mask>
The <acl-id> parameter specifies a standard or extended ACL. Configure each entry in the ACL to permit the
addresses for which you want to override the global hash mask.
The <dst-mask> parameter specifies the destination mask.
The <src-mask> parameter specifies the source mask.
For information about configuring standard and extended ACLs, see the "Access Control List" chapter in the
ServerIron TrafficWorks Security guide.
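The following Python sketch is an added example, not Brocade code: it evaluates the destination wildcard entries of ACL 100 from the CLI example above and returns the masked address pair that would feed the hash for a given flow. The hash function itself is not modelled, the helper names are hypothetical, and treating the global hash-mask arguments as destination then source is an assumption.

```python
import ipaddress

# Destination entries of ACL 100 from the CLI example: (address, wildcard mask).
ACL_100 = [
    ("192.168.1.16", "0.0.0.15"),
    ("192.168.2.0", "0.0.0.255"),
    ("192.168.3.192", "0.0.0.63"),
    ("192.168.4.0", "0.0.0.255"),
    ("192.168.3.160", "0.0.0.31"),
    ("192.168.3.0", "0.0.0.127"),
    ("64.129.1.0", "0.0.0.255"),
]
# (dst-mask, src-mask) pairs; the order for hash-mask is an assumption.
GLOBAL_MASK = ("255.255.255.255", "0.0.0.0")
OVERRIDE_MASK = ("255.255.255.255", "255.255.255.255")


def to_int(addr):
    return int(ipaddress.IPv4Address(addr))


def matches_acl(dst, acl=ACL_100):
    """True if dst matches any permit entry; wildcard bits set to 1 are ignored."""
    d = to_int(dst)
    for base, wildcard in acl:
        care = ~to_int(wildcard) & 0xFFFFFFFF
        if (d & care) == (to_int(base) & care):
            return True
    return False


def hash_input(src, dst):
    """Return the (masked dst, masked src) pair selected for this flow."""
    dst_mask, src_mask = OVERRIDE_MASK if matches_acl(dst) else GLOBAL_MASK
    masked_dst = ipaddress.IPv4Address(to_int(dst) & to_int(dst_mask))
    masked_src = ipaddress.IPv4Address(to_int(src) & to_int(src_mask))
    return str(masked_dst), str(masked_src)


def report_uncovered(prefix="192.168.3."):
    """Host octets under the prefix that no ACL 100 entry matches."""
    return [h for h in range(256) if not matches_acl(f"{prefix}{h}")]


if __name__ == "__main__":
    print(hash_input("10.0.0.5", "192.168.1.20"))  # constructed flow, matches ACL 100
    print(hash_input("10.0.0.5", "10.1.1.1"))      # constructed flow, global mask
    print(report_uncovered())
```

With the global mask the source address is zeroed, so every flow to one destination produces the same hash input, while flows matching ACL 100 are also distinguished by source. The coverage check shows that 192.168.3.128 through 192.168.3.159 match no entry in ACL 100 and therefore keep the global mask.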
Configuring Weighted Load Balancing
You can assign weights to your firewalls, to bias the load balancing in favor of certain firewalls.
Weight
The weight you assign to a firewall determines the percentage of the current connections that are given to that
firewall. For example, in a configuration with five firewalls of various weights, the percentage of connections is
calculated as follows:
Weight fwall1 = 7
Weight fwall2 = 8
Weight fwall3 = 2
Weight fwall4 = 2
Weight fwall5 = 5
Total weight of all firewalls = 24