Technical data
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 6 - 1
Chapter 6
Configuring Multizone FWLB
Multi-zone FWLB allows you to configure ServerIrons to forward packets based on the destination zone. For
example, if your network consists of an Internet side, an internal side, and a Demilitarized Zone (DMZ) in between,
you can configure ServerIrons to forward packets through the firewalls to the correct zone.
When you configure multi-zone FWLB, you first identify a zone by configuring standard Access Control Lists
(ACLs). An ACL specifies the IP addresses (or address ranges) within the zone. When you configure the firewall
group parameters, you add the zones and define them by associating the ACLs with them. Each zone consists of
a zone number, an optional name, and a standard ACL that specifies the IP addresses contained in the zone.
You can configure multi-zone FWLB for basic configurations and IronClad (high-availability) configurations. This
section provides an example for each type of configuration.
Zone Configuration
When the ServerIron forwards a packet, it selects a path that goes through a firewall to a ServerIron that is in the
zone that contains the destination IP address of the packet.
The configuration tasks for multi-zone FWLB are the same as other FWLB implementations, with the exception of
configuration for the zones.
When you configure zones:
• Do not define zone 1. When zone 1 is undefined, the zone by default contains all IP addresses that are not
explicitly configured as members of other zones (zones 2 – 10). In typical configurations, the ServerIrons in
the DMZ and internal network contain zone definitions for each other, while none of the ServerIrons contains
a zone definition for zone 1 (thus leaving zone 1 undefined). As a result, traffic that is not destined for an
address in the DMZ or the internal network is sent to the Internet.
You can define zone 1 if you want to, but if you do, this zone contains only the IP address ranges you
configure for the zone.
• Do not configure zone information on a ServerIron for the zone the ServerIron is in.
• On the DMZ ServerIron(s), configure zone definitions for the zone(s) in the internal network and other DMZs,
if applicable.
• On the internal ServerIron(s), configure zone definitions for the zone(s) in the DMZ(s), and other internal
networks, if applicable.
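The zone rules above can be checked mechanically. The following Python script is an added example, not ServerIron code or CLI syntax: it models a zone definition as a zone number bound to a list of address ranges (standing in for the permit entries of a standard ACL), resolves the zone of a destination address with zone 1 as the undefined default, and flags configurations that break the rules listed above. The three-zone topology, the ServerIron roles and all address ranges are constructed for the example.

```python
import ipaddress

# Constructed topology (not from the manual): three zones in total.
#   zone 1 = Internet side (left undefined, so it is the default zone)
#   zone 2 = DMZ
#   zone 3 = internal network
TOTAL_ZONES = 3

# Zone definitions as the DMZ ServerIron (zone 2) would carry them:
# the other zones, but not zone 1 and not its own zone.
# Address ranges are constructed examples.
DMZ_SERVERIRON_ZONES = {
    3: ["10.10.0.0/16"],      # internal network
}

# Zone definitions as the internal ServerIron (zone 3) would carry them.
INTERNAL_SERVERIRON_ZONES = {
    2: ["192.0.2.0/24"],      # DMZ
}


def zone_for_destination(dst_ip, zone_acls):
    """Return the zone number that contains dst_ip, or None.

    zone_acls maps a zone number to the CIDR ranges of the ACL bound to it.
    While zone 1 stays undefined it is the catch-all: an address no other
    ACL matches belongs to zone 1.  Once zone 1 is defined it covers only
    its own ranges, so an unmatched address belongs to no zone (None).
    """
    addr = ipaddress.ip_address(dst_ip)
    for zone, cidrs in sorted(zone_acls.items()):
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return zone
    return None if 1 in zone_acls else 1


def check_zone_config(local_zone, zone_acls, total_zones):
    """Check one ServerIron's zone table against the rules; return findings."""
    findings = []
    if 1 in zone_acls:
        findings.append("zone 1 is defined, so it no longer acts as the default zone")
    if local_zone in zone_acls:
        findings.append(f"zone {local_zone} is this ServerIron's own zone and should not be defined here")
    expected = total_zones - 2  # all zones minus zone 1 and the local zone
    if len(zone_acls) != expected:
        findings.append(f"expected {expected} zone definitions, found {len(zone_acls)}")
    # Ranges shared by two zones make the destination zone ambiguous.
    nets = [(z, ipaddress.ip_network(c)) for z, cidrs in zone_acls.items() for c in cidrs]
    for i, (z1, n1) in enumerate(nets):
        for z2, n2 in nets[i + 1:]:
            if z1 != z2 and n1.overlaps(n2):
                findings.append(f"zone {z1} range {n1} overlaps zone {z2} range {n2}")
    return findings


if __name__ == "__main__":
    for name, local, table in [("DMZ ServerIron", 2, DMZ_SERVERIRON_ZONES),
                               ("internal ServerIron", 3, INTERNAL_SERVERIRON_ZONES)]:
        print(name, "findings:", check_zone_config(local, table, TOTAL_ZONES) or "none")
    # An Internet address matches no configured zone and falls into zone 1.
    print("203.0.113.7 from the DMZ ->", zone_for_destination("203.0.113.7", DMZ_SERVERIRON_ZONES))
    print("10.10.5.9 from the DMZ ->", zone_for_destination("10.10.5.9", DMZ_SERVERIRON_ZONES))
```

Running the script with a table that defines zone 1 shows the behaviour the first bullet warns about: addresses outside the configured ranges no longer resolve to any zone, so traffic that should have gone to the Internet side has nowhere to go.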
Generally, each ServerIron should contain definitions for two fewer zones than the total number of zones in the
network. The two zones you leave out are zone 1 (which remains undefined) and the zone the ServerIron itself is