Configuring Basic FWLB
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 4 - 3
This command changes the CLI to firewall group configuration level. The firewall group number is 2. Only one
firewall group is supported.
Syntax: [no] fw-name <string>
Adds a configured firewall to the firewall group.
Configuring the Paths and Adding Static MAC Entries
A path is configuration information the ServerIron uses to ensure that a given source and destination IP pair is
always authenticated by the same Layer 3 firewall.
Each path consists of the following parameters:
• The path ID – A number that identifies the path. The paths go from one ServerIron to the other through the
  firewalls. On each ServerIron, the sequence of path IDs must be contiguous (with no gaps), starting with path
  ID 1. For example, path sequence 1, 2, 3, 4, 5 is valid. Path sequence 1, 3, 5 or 5, 4, 3, 2, 1 is not valid.
• The ServerIron port – The number of the port that connects the ServerIron to the firewall. If your configuration
  does not require static MAC entries, you can specify a dynamic port (65535) instead of the physical port
  number for firewall paths. Specifying the dynamic port allows the ServerIron to select the physical port for the
  path so you don’t need to.
• The other ServerIron’s or Layer 2 switch’s IP address – The management address of the ServerIron or
  Layer 2 switch on the other side of the firewall. The ServerIron on the private network side and the other
  ServerIron or Layer 2 switch are the end points of the data path through the firewall.
• The next-hop IP address – The IP address of the firewall interface connected to this ServerIron.
For each type of firewall (Layer 3 synchronous and asynchronous, with or without NAT), you must configure paths
between the ServerIrons through the firewalls.
In addition to configuring the paths, you need to create a static MAC entry for each firewall interface attached to
the ServerIron.
NOTE: When defining a firewall router path on a port, make sure the port is a server router-port.
NOTE: FWLB paths must be fully meshed. When you configure a FWLB path on a ServerIron, make sure you
also configure a reciprocal path on the ServerIron attached to the other end of the firewalls. For example, if you
configure four paths to four separate firewalls, make sure you configure four paths on the other ServerIron.
NOTE: For many configurations, static MAC entries are required. Where required, you must add a static MAC
entry for each firewall interface with the ServerIron. The FWLB configuration examples in this guide indicate
whether static MAC entries are required.
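The path rules above can be checked mechanically before a configuration is entered. The following Python lint is an added example, not part of the Brocade guide: it reads fwall-info and static-mac-address lines and reports path IDs that are not contiguous from 1, physical-port paths without a static MAC entry, and a peer with a different number of paths. The function names and the BROKEN sample are constructed for illustration, and matching static MAC entries to paths by port number is an assumption.

```python
import re

DYNAMIC_PORT = 65535  # ServerIron selects the physical port itself
PATH_RE = re.compile(r"fwall-info\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"static-mac-address\s+(\S+)\s+ethernet\s+(\d+)")

def parse(config):
    """Return (paths, mac_ports) parsed from ServerIron CLI lines."""
    paths, mac_ports = [], set()
    for line in config.splitlines():
        if m := PATH_RE.search(line):
            # path ID, ServerIron port, other device's IP, next-hop IP
            paths.append((int(m[1]), int(m[2]), m[3], m[4]))
        elif m := MAC_RE.search(line):
            mac_ports.add(int(m[2]))
    return paths, mac_ports

def lint(config, peer_config=None, require_static_mac=True):
    """Return a list of findings; an empty list means every check passed."""
    paths, mac_ports = parse(config)
    findings = []
    ids = [p[0] for p in paths]
    # IDs must read 1, 2, 3, ... in order: 1,3,5 and 5,4,3,2,1 are both invalid.
    if ids != list(range(1, len(ids) + 1)):
        findings.append(f"path IDs {ids} are not the sequence 1..{len(ids)}")
    if require_static_mac:
        for pid, port, *_ in paths:
            # Assumption: one firewall interface per port, so match by port.
            if port != DYNAMIC_PORT and port not in mac_ports:
                findings.append(f"path {pid}: no static MAC entry on ethernet {port}")
    if peer_config is not None:
        peer_paths, _ = parse(peer_config)
        if len(peer_paths) != len(paths):
            findings.append(f"not fully meshed: {len(paths)} paths vs {len(peer_paths)} on peer")
    return findings

# ServerIron A commands as given in this guide.
SERVERIRON_A = """\
fwall-info 1 3 209.157.23.3 209.157.22.3
fwall-info 2 5 209.157.23.3 209.157.22.4
static-mac-address abcd.4321.34e0 ethernet 3 high-priority router-type
static-mac-address abcd.4321.34e1 ethernet 5 high-priority router-type
"""
# Constructed faulty variant: gap in path IDs, static MAC for port 5 missing.
BROKEN = """\
fwall-info 1 3 209.157.23.3 209.157.22.3
fwall-info 3 5 209.157.23.3 209.157.22.4
static-mac-address abcd.4321.34e0 ethernet 3 high-priority router-type
"""
```

Calling lint(SERVERIRON_A) returns an empty list; lint(BROKEN) returns one finding for the ID gap and one for the missing static MAC entry on ethernet 5.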
To configure a path and add static MAC entries, use one of the following methods.
USING THE CLI
To configure the paths and static MAC entries for the configuration shown in Figure 3.2 on page 3-7, enter the
following commands. Enter the first group of commands on ServerIron A. Enter the second group of commands on
ServerIron B.
Commands for ServerIron A (External)
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# fwall-info 1 3 209.157.23.3 209.157.22.3
ServerIron(config-tc-2)# fwall-info 2 5 209.157.23.3 209.157.22.4
ServerIron(config-tc-2)# exit
ServerIron(config)# static-mac-address abcd.4321.34e0 ethernet 3 high-priority router-type
ServerIron(config)# static-mac-address abcd.4321.34e1 ethernet 5 high-priority router-type