Technical data

Additional Firewall Configurations
May 31, 2012 © 2012 Brocade Communications Systems, Inc. A - 11
ServerIron B Commands
ServerIronB(config)# ip policy 1 fw tcp 0 global
ServerIronB(config)# ip policy 2 fw udp 0 global
ServerIronB(config)# access-list 101 deny tcp any eq http any
ServerIronB(config)# access-list 101 permit tcp any any
ServerIronB(config)# access-list 101 permit udp any any
ServerIronB(config)# server fw-group 2
ServerIronB(config-tc-2)# acl-id 101
These commands are the same as the commands on ServerIron A, except for the first ACL entry: on ServerIron A it
matches TCP port 80 (eq http) as the destination TCP port, whereas on ServerIron B it matches TCP port 80 as the
source TCP port.
Configuring Failover Tolerance in IronClad Configurations
By default, failover from the active ServerIron to the standby ServerIron in an IronClad configuration occurs if a
path link on the active ServerIron becomes unavailable. If all the path links are stable, failover is an uncommon
event. However, an unreliable link can cause frequent failover. For example, if a link on a firewall flaps (goes up
and down) frequently, the flapping can cause frequent, unnecessary failovers.
You can reduce the frequency of such failovers by specifying a path link tolerance for firewall paths and for router
paths. The tolerance specifies the minimum number of such paths that must be good for the active ServerIron to
remain active. Failover occurs only if the number of good paths on the active ServerIron is less than the configured
minimum and also less than the number of available paths on the other ServerIron. If the number of paths remains
equal on each ServerIron, even if some paths are unavailable on each ServerIron, failover does not occur.
The default failover tolerance for firewall paths is one half the configured firewall paths. The default tolerance for
router ports is one half the configured router ports.
To change the minimum number of paths required on a ServerIron, use the following method.
NOTE: The minimum number of required paths must match on each ServerIron in an active-standby pair. For
example, if you specify one router path and three firewall paths as the minimum on the active ServerIron, you must
configure the same minimums on the standby ServerIron.
USING THE CLI
To specify the minimum number of paths required on a ServerIron, enter commands such as the following:
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# prefer-router-cnt 1
ServerIron(config-tc-2)# prefer-cnt 3
This example specifies that a minimum of one router path and three firewall paths must be available for the
ServerIron to remain active. Thus, if the ServerIron has four firewall paths, one path can be unavailable and the
ServerIron will remain the active ServerIron.
Syntax: [no] prefer-router-cnt <num>
Syntax: [no] prefer-cnt <num>
For each command, the <num> parameter specifies the minimum number of paths required.
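The following Python sketch is an added example, not part of the Brocade documentation. It checks that the prefer-router-cnt and prefer-cnt minimums match on both ServerIrons, as the NOTE requires, and evaluates the failover rule described above. Assumptions: the function names and sample configurations are constructed for illustration, either path type meeting the rule is treated as sufficient for failover, and the default (one half) tolerances are not modelled.

```python
import re

# Matches the two tolerance commands shown above, inside a "server fw-group" stanza.
_CMD = re.compile(r"#\s*(prefer-router-cnt|prefer-cnt)\s+(\d+)\s*$")

def parse_tolerance(config_text):
    """Return {'prefer-router-cnt': n, 'prefer-cnt': n} for the commands present."""
    found = {}
    for line in config_text.splitlines():
        m = _CMD.search(line)
        if m:
            found[m.group(1)] = int(m.group(2))
    return found

def tolerance_mismatches(active_cfg, standby_cfg):
    """List the commands whose minimums differ between the two peers (per the NOTE)."""
    a, s = parse_tolerance(active_cfg), parse_tolerance(standby_cfg)
    return sorted(k for k in set(a) | set(s) if a.get(k) != s.get(k))

def path_triggers_failover(minimum, good_active, good_standby):
    """The rule as stated: below the minimum AND fewer good paths than the peer."""
    return good_active < minimum and good_active < good_standby

def should_fail_over(tol, active, standby):
    """active/standby: {'fw': good firewall paths, 'rtr': good router paths}.
    Assumption: either path type meeting the rule is enough to fail over."""
    return (path_triggers_failover(tol["prefer-cnt"], active["fw"], standby["fw"])
            or path_triggers_failover(tol["prefer-router-cnt"], active["rtr"], standby["rtr"]))

# Constructed sample configs; the standby has a different firewall minimum.
ACTIVE_CFG = """ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# prefer-router-cnt 1
ServerIron(config-tc-2)# prefer-cnt 3"""
STANDBY_CFG = """ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# prefer-router-cnt 1
ServerIron(config-tc-2)# prefer-cnt 2"""

if __name__ == "__main__":
    tol = parse_tolerance(ACTIVE_CFG)
    print("mismatched commands:", tolerance_mismatches(ACTIVE_CFG, STANDBY_CFG))
    # Four firewall paths with one down: 3 is not below the minimum of 3.
    print(should_fail_over(tol, {"fw": 3, "rtr": 1}, {"fw": 4, "rtr": 1}))
    # Both peers equally degraded: no failover even though 2 < 3.
    print(should_fail_over(tol, {"fw": 2, "rtr": 1}, {"fw": 2, "rtr": 1}))
    # Below the minimum and worse than the peer: failover.
    print(should_fail_over(tol, {"fw": 2, "rtr": 1}, {"fw": 4, "rtr": 1}))
```

Running the mismatch check against saved configurations from both units before relying on the tolerance catches the case where only one ServerIron was updated.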