Technical data

Firewall Load Balancing Guide
4 - 2 © 2012 Brocade Communications Systems, Inc. May 31, 2012
NOTE: The user interface allows you to enable FWLB locally instead of globally. However, local policies are not
applicable to FWLB. Enable the feature globally.
To enable FWLB globally, use the following method.
USING THE CLI
Enter the following commands at the global CONFIG level to enable FWLB for all TCP and UDP traffic:
ServerIron(config)# ip policy 1 fw tcp 0 global
ServerIron(config)# ip policy 2 fw udp 0 global
Syntax: [no] ip policy <policy-num> fw tcp | udp 0 global
The <policy-num> value identifies the policy and can be a number from 1 – 64.
Each policy affects TCP or UDP traffic, so you must specify tcp or udp.
The value 0 following the tcp | udp parameter specifies that the policy applies to all ports of the specified type
(TCP or UDP). In this command, “0” is equivalent to “any port number”. For FWLB, you must specify “0”.
NOTE: Generally, the firewall itself performs validation and authentication for the traffic, so allowing the
ServerIron to pass all traffic of the specified type (TCP or UDP) to the firewall simplifies configuration.

Defining the Firewalls and Adding them to the Firewall Group

When FWLB is enabled, all the ServerIron ports are in firewall group 2 by default. However, you need to add an
entry for each firewall, then add the firewalls to the firewall group. To add an entry for a firewall, specify the firewall
name and IP address. You can specify a name up to 32 characters long.
To define the firewalls shown in Figure 3.2 on page 3-7 and add them to firewall group 2, use the following method.
USING THE CLI
To define the firewalls using the CLI, enter the following commands.
Commands for ServerIron A (External)
ServerIron(config)# server fw-name FW1-IPin 209.157.22.3
ServerIron(config-rs-FW1-IPin)# exit
ServerIron(config)# server fw-name FW2-IPin 209.157.22.4
ServerIron(config-rs-FW2-IPin)# exit
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# fw-name FW1-IPin
ServerIron(config-tc-2)# fw-name FW2-IPin
Commands for ServerIron B (Internal)
ServerIron(config)# server fw-name FW1-IPout 209.157.23.1
ServerIron(config-rs-FW1-IPout)# exit
ServerIron(config)# server fw-name FW2-IPout 209.157.23.2
ServerIron(config-rs-FW2-IPout)# exit
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# fw-name FW1-IPout
ServerIron(config-tc-2)# fw-name FW2-IPout
Syntax: [no] server fw-name <string> <ip-addr>
NOTE: When you add a firewall name, the CLI level changes to the Firewall level. This level is used when you
are configuring stateful FWLB.
Syntax: server fw-group 2
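
The rules stated in this section (policy number 1 – 64, port 0, global scope, firewall names up to 32 characters, every defined firewall added to firewall group 2) can be checked against a saved command list before it is applied. The following Python audit is an added example, not part of the Brocade guide or the ServerIron software; the function name audit_fwlb and the sample text are assumptions made for illustration, and a missing TCP or UDP policy is reported because that traffic would not be covered by FWLB.

```python
import ipaddress
import re

POLICY_RE = re.compile(r"ip policy (\d+) fw (tcp|udp) (\d+)\s*(\S*)$")
DEFINE_RE = re.compile(r"server fw-name (\S+) (\S+)$")
MEMBER_RE = re.compile(r"fw-name (\S+)$")

# Constructed sample: the ServerIron A commands from this section, prompts removed.
SAMPLE_CONFIG = """ip policy 1 fw tcp 0 global
ip policy 2 fw udp 0 global
server fw-name FW1-IPin 209.157.22.3
server fw-name FW2-IPin 209.157.22.4
server fw-group 2
fw-name FW1-IPin
fw-name FW2-IPin
"""

def audit_fwlb(config_text):
    """Return findings as strings; an empty list means every rule held."""
    findings, covered, defined, members = [], set(), set(), set()
    in_group = False
    for raw in config_text.splitlines():
        line = raw.split("# ", 1)[-1].strip()  # drop a "ServerIron(config)# " prompt
        if m := POLICY_RE.match(line):
            num, proto, port, scope = int(m[1]), m[2], m[3], m[4]
            if not 1 <= num <= 64:
                findings.append(f"policy {num}: number must be 1-64")
            if port != "0":
                findings.append(f"policy {num}: FWLB requires port 0, got {port}")
            if scope != "global":
                findings.append(f"policy {num}: must be global")
            elif port == "0":
                covered.add(proto)  # this protocol is handed to FWLB on all ports
        elif m := DEFINE_RE.match(line):
            in_group = False
            defined.add(m[1])
            if len(m[1]) > 32:
                findings.append(f"{m[1]}: name longer than 32 characters")
            try:
                ipaddress.ip_address(m[2])
            except ValueError:
                findings.append(f"{m[1]}: invalid IP address {m[2]}")
        elif line == "server fw-group 2":
            in_group = True
        elif in_group and (m := MEMBER_RE.match(line)):
            members.add(m[1])
    findings += [f"no global FWLB policy for {p}" for p in ("tcp", "udp") if p not in covered]
    findings += [f"{n}: defined but not in fw-group 2" for n in sorted(defined - members)]
    findings += [f"{n}: in fw-group 2 but not defined" for n in sorted(members - defined)]
    return findings
```

Lines may be pasted with or without the ServerIron prompt; the prompt is stripped before matching.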