Technical data
Firewall Load Balancing Guide
A - 10 © 2012 Brocade Communications Systems, Inc. May 31, 2012
disable FWLB for HTTP traffic. To disable FWLB for an application, configure an extended ACL at the firewall
group configuration level.
NOTE: When you configure an ACL at the firewall group configuration level, a deny action does not cause the
ServerIron to drop the denied packet. In this type of configuration, a deny action denies FWLB service for the
packet, so that the ServerIron leaves the destination MAC address of the packet unchanged.
NOTE: This section focuses on using extended ACLs to deny FWLB based on TCP or UDP port. However, you
also can use standard ACLs at the firewall group configuration level to deny FWLB based on IP address.
Configuration Guidelines
• Global IP policies to enable FWLB are still required. You must enable FWLB globally for all TCP traffic and all
UDP traffic.
• Configure extended ACLs at the firewall group configuration level to deny FWLB for specific applications.
• Configure a permit ACL to allow all applications. Once you configure an ACL, the default action changes from
permit to deny. As a result, if you do not configure the permit ACL for all traffic types, FWLB is denied for all
traffic. Make sure the permit ACL for all traffic is the last ACL, after all the deny ACLs.
• Configure the deny ACLs for each direction of traffic for which you want to deny FWLB. For the topology in
Figure A.1, configure a deny ACL on ServerIron A to deny FWLB for packets addressed to destination TCP port 80
(HTTP). To deny FWLB for the return traffic, configure a deny ACL on ServerIron B to deny packets from
source TCP port 80.
Denying FWLB
To deny FWLB for an application, enter commands such as the following. These commands configure the
ServerIrons in Figure A.1 to deny FWLB for HTTP traffic, in both directions. On ServerIron A, FWLB is denied for
traffic addressed to TCP port 80. On ServerIron B, FWLB is denied for traffic from TCP port 80.
ServerIron A Commands
ServerIronA(config)# ip policy 1 fw tcp 0 global
ServerIronA(config)# ip policy 2 fw udp 0 global
ServerIronA(config)# access-list 101 deny tcp any any eq http
ServerIronA(config)# access-list 101 permit tcp any any
ServerIronA(config)# access-list 101 permit udp any any
ServerIronA(config)# server fw-group 2
ServerIronA(config-tc-2)# acl-id 101
The first two commands globally enable FWLB for all TCP and UDP applications. These commands are required.
The following commands configure three ACL entries. The first entry denies FWLB for packets addressed to TCP
port 80 (HTTP). The second ACL permits FWLB for all TCP applications. Packets that do not match the first ACL
entry match the second ACL entry and are provided with FWLB. The third ACL permits FWLB for all UDP
applications. The last two commands change the CLI level to the firewall group configuration level and apply ACL
101 to the firewall group.
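The following Python model is an added illustration of the decision logic described above; it is not Brocade code and is not part of this guide. It parses access-list commands in the form shown (addresses restricted to any or a literal IP, eq as the only port operator, a small constructed table of service names), applies first-match evaluation with the implicit deny that takes effect once an acl-id is applied, and flags entries that are shadowed by an earlier permit-all, which is the ordering mistake the guidelines warn about. The ServerIron B commands and the packet addresses are constructed from the description of Figure A.1, and the function names are assumptions.

```python
"""Model of a ServerIron firewall-group ACL deciding whether a packet gets FWLB.
Added illustration, not Brocade code: first matching entry wins, and once an ACL
is applied a packet that matches nothing is denied FWLB (forwarded with its
destination MAC unchanged, not dropped)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Service names accepted in place of port numbers (small constructed subset).
PORT_NAMES = {"http": 80, "https": 443, "ssh": 22, "dns": 53, "ftp": 21}


@dataclass
class AclEntry:
    action: str                 # "permit" or "deny"
    proto: str                  # "tcp" or "udp"
    src_ip: str                 # "any" or a literal address (no wildcard masks here)
    src_port: Optional[int]     # None means any port
    dst_ip: str
    dst_port: Optional[int]


_IP = r"any|\d{1,3}(?:\.\d{1,3}){3}"
_ACL_RE = re.compile(
    r"access-list\s+(?P<num>\d+)\s+(?P<action>permit|deny)\s+(?P<proto>tcp|udp)"
    rf"\s+(?P<src>{_IP})(?:\s+eq\s+(?P<sport>\w+))?"
    rf"\s+(?P<dst>{_IP})(?:\s+eq\s+(?P<dport>\w+))?\s*$"
)


def _port(token: Optional[str]) -> Optional[int]:
    """Resolve an 'eq' operand to a port number (digits or a known service name)."""
    if token is None:
        return None
    if token.isdigit():
        return int(token)
    if token.lower() in PORT_NAMES:
        return PORT_NAMES[token.lower()]
    raise ValueError(f"unknown port name {token!r}")


def parse_acls(config_lines: List[str]) -> Dict[int, List[AclEntry]]:
    """Collect access-list entries per ACL number, preserving configured order.
    Lines that are not access-list commands (ip policy, acl-id, prompts) are skipped."""
    acls: Dict[int, List[AclEntry]] = {}
    for line in config_lines:
        m = _ACL_RE.search(line)
        if not m:
            continue
        entry = AclEntry(m["action"], m["proto"], m["src"], _port(m["sport"]),
                         m["dst"], _port(m["dport"]))
        acls.setdefault(int(m["num"]), []).append(entry)
    return acls


def _covers(e: AclEntry, proto: str, src_ip: str, src_port: int,
            dst_ip: str, dst_port: int) -> bool:
    """True if entry e matches the given 5-tuple ('any'/None are wildcards)."""
    return (e.proto == proto
            and e.src_ip in ("any", src_ip) and e.src_port in (None, src_port)
            and e.dst_ip in ("any", dst_ip) and e.dst_port in (None, dst_port))


def fwlb_allowed(entries: Optional[List[AclEntry]], proto: str, src_ip: str,
                 src_port: int, dst_ip: str, dst_port: int) -> bool:
    """entries=None models a firewall group with no acl-id applied (default permit).
    With an ACL applied, the first match decides and no match means FWLB is denied."""
    if entries is None:
        return True
    for e in entries:
        if _covers(e, proto, src_ip, src_port, dst_ip, dst_port):
            return e.action == "permit"
    return False


def shadowed_entries(entries: List[AclEntry]) -> List[int]:
    """Indices of entries that can never match because an earlier entry already
    covers every packet they describe, e.g. a deny placed after 'permit tcp any any'."""
    def subsumes(a: AclEntry, b: AclEntry) -> bool:
        return _covers(a, b.proto, b.src_ip, b.src_port, b.dst_ip, b.dst_port)
    return [i for i, b in enumerate(entries) if any(subsumes(a, b) for a in entries[:i])]


# Constructed configs following the Figure A.1 description: ServerIron A denies FWLB
# toward TCP port 80, ServerIron B denies FWLB for the return traffic from port 80.
SERVERIRON_A = [
    "ServerIronA(config)# access-list 101 deny tcp any any eq http",
    "ServerIronA(config)# access-list 101 permit tcp any any",
    "ServerIronA(config)# access-list 101 permit udp any any",
]
SERVERIRON_B = [
    "ServerIronB(config)# access-list 101 deny tcp any eq http any",
    "ServerIronB(config)# access-list 101 permit tcp any any",
    "ServerIronB(config)# access-list 101 permit udp any any",
]
# Misordered variant (constructed): permit-all listed first, so the deny never matches.
MISORDERED = [
    "ServerIronA(config)# access-list 102 permit tcp any any",
    "ServerIronA(config)# access-list 102 deny tcp any any eq http",
]


def session_fwlb(proto: str, client_ip: str, client_port: int,
                 server_ip: str, server_port: int) -> Tuple[bool, bool]:
    """(request gets FWLB on ServerIron A, reply gets FWLB on ServerIron B);
    the reply is the same flow with addresses and ports swapped."""
    acl_a = parse_acls(SERVERIRON_A)[101]
    acl_b = parse_acls(SERVERIRON_B)[101]
    forward = fwlb_allowed(acl_a, proto, client_ip, client_port, server_ip, server_port)
    back = fwlb_allowed(acl_b, proto, server_ip, server_port, client_ip, client_port)
    return forward, back


if __name__ == "__main__":
    print(session_fwlb("tcp", "10.1.1.5", 40000, "192.168.1.10", 80))   # (False, False)
    print(session_fwlb("tcp", "10.1.1.5", 40001, "192.168.1.10", 22))   # (True, True)
    print(shadowed_entries(parse_acls(MISORDERED)[102]))                # [1]
```

Running the script shows HTTP denied FWLB in both directions while SSH keeps it; dropping the permit udp entry from either list makes every UDP packet lose FWLB, which is the "permit ACL for all traffic types" point from the guidelines.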
Syntax: [no] access-list <num> deny | permit <ip-protocol> <source-ip> | <hostname> <wildcard> [<operator>
<source-tcp/udp-port>] <destination-ip> | <hostname> <wildcard> [<operator> <destination-tcp/udp-port>]
[precedence <name> | <num>] [tos <name> | <num>] [log]
Syntax: [no] acl-id <num>
For detailed information about the ACL syntax, see the “Access Control List” chapter in the ServerIron
TrafficWorks Security Guide.