Technical data

Additional Firewall Configurations
May 31, 2012 © 2012 Brocade Communications Systems, Inc. A - 9
Figure A.1 FWLB Denied for Application Traffic
In this example, the network is configured as follows:
The WAN access router has a default route that identifies IP address 209.157.22.3 on FW1 as the next-hop gateway.
The LAN router has a default route that identifies IP address 209.157.23.1 (also on FW1) as the next-hop gateway.
ServerIron A has an extended ACL at the firewall group configuration level that denies FWLB for packets addressed to destination TCP port 80.
ServerIron B has an extended ACL at the firewall group configuration level that denies FWLB for packets from source TCP port 80.
Notice that the routers use default routes to send traffic to a specific firewall. However, the default routes do not
necessarily determine the firewall to which the ServerIron sends the traffic. When the ServerIron performs load
balancing for a packet and selects a firewall for the traffic, the ServerIron also changes the destination MAC
address of the packet to the MAC address of the firewall selected by the ServerIron. For example, in Figure A.1, if
ServerIron A selects firewall FW2 for a packet, the ServerIron changes the destination MAC address of the packet
to abcd.4321.34e1, the MAC address of firewall FW2’s interface with ServerIron A. As a result, even if the WAN
access router addresses a packet to the MAC address for firewall FW1, the ServerIron does not send the packet to
firewall FW1 unless the load balancing mechanism selects that firewall. In either case, the ServerIron changes the
destination MAC address of the packet.
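The forwarding behaviour described above, as an added model that is not Brocade's code: a packet that matches the firewall-group deny ACL follows the router's default route to FW1, while any other packet is assigned a firewall by load balancing and has its destination MAC rewritten. The MAC and IP values are the ones labelled in Figure A.1; the flow-hash selection, the client and server addresses, and the ports are constructed assumptions.

```python
from dataclasses import dataclass
from zlib import crc32

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int

# Firewall interface MACs as labelled in Figure A.1, keyed by the ServerIron
# side that faces them (A = 209.157.22.x WAN side, B = 209.157.23.x LAN side).
FIREWALLS = {
    "A": {"FW1": "abcd.4321.34e0", "FW2": "abcd.4321.34e1"},
    "B": {"FW1": "abcd.4321.34e2", "FW2": "abcd.4321.34e3"},
}
# Both routers' default routes point at FW1, so a packet excluded from FWLB follows that route.
DEFAULT_NEXT_HOP = "FW1"

def fwlb_denied(side: str, pkt: Packet) -> bool:
    """Extended ACL at the firewall-group level from the example: ServerIron A
    denies FWLB for destination TCP port 80, ServerIron B for source TCP port 80."""
    return pkt.dst_port == 80 if side == "A" else pkt.src_port == 80

def select_firewall(pkt: Packet) -> str:
    """Stand-in load-balancing choice (flow hash). The ServerIron's real
    selection method is not described on this page; this is an assumption."""
    key = f"{pkt.src_ip}:{pkt.src_port}->{pkt.dst_ip}:{pkt.dst_port}".encode()
    return "FW2" if crc32(key) & 1 else "FW1"

def forward(side: str, pkt: Packet, acl_enabled: bool = True) -> tuple[str, str]:
    """Return (firewall, destination MAC the ServerIron writes into the frame)."""
    if acl_enabled and fwlb_denied(side, pkt):
        fw = DEFAULT_NEXT_HOP
    else:
        fw = select_firewall(pkt)
    return fw, FIREWALLS[side][fw]

def http_firewalls(side: str, acl_enabled: bool, flows: int = 100) -> set[str]:
    """Firewalls that end up carrying `flows` constructed HTTP flows (one per
    client port): requests seen by ServerIron A, replies seen by ServerIron B."""
    seen = set()
    for port in range(40000, 40000 + flows):
        if side == "A":
            pkt = Packet("198.51.100.7", "10.1.1.5", port, 80)   # request, Internet -> LAN
        else:
            pkt = Packet("10.1.1.5", "198.51.100.7", 80, port)   # reply, LAN -> Internet
        seen.add(forward(side, pkt, acl_enabled)[0])
    return seen
```

With the ACLs in place every HTTP request and reply lands on FW1; with them removed, the same flows are spread across FW1 and FW2 even though both routers' default routes name FW1.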
If you want to ensure that all packets for an application go to a specific firewall (as specified in the default route on
the router), you must deny FWLB service for that application. For example, if you have configured firewall FW1 to
collect statistics on HTTP traffic and you therefore want to send all the HTTP traffic to firewall FW1, you must
[Figure A.1 labels: Internet; WAN Access Router (default route using 209.157.22.3 on FW1 as next-hop gateway); ServerIron A at 209.157.22.2 (ACL denies FWLB for traffic with destination TCP port 80, HTTP); Firewall FW1 with IP 209.157.22.3 / MAC abcd.4321.34e0 on the ServerIron A side and IP 209.157.23.1 / MAC abcd.4321.34e2 on the ServerIron B side; Firewall FW2 with IP 209.157.22.4 / MAC abcd.4321.34e1 on the ServerIron A side and IP 209.157.23.2 / MAC abcd.4321.34e3 on the ServerIron B side; ServerIron B at 209.157.23.3 (ACL denies FWLB for traffic with source TCP port 80, HTTP); LAN Router (default route using 209.157.23.1 on FW1 as next-hop gateway); note: Firewall FW1 receives all HTTP traffic.]