Technical data

Firewall Load Balancing Guide
6 - 2 © 2012 Brocade Communications Systems, Inc. May 31, 2012
in. If you are configuring a ServerIron in zone 1, leave out configuration information for zone 1 and one of the other
zones.
Configuring Basic Multi-Zone FWLB
Figure 6.1 shows an example of a basic multi-zone FWLB configuration. In this example, each ServerIron is in a
separate zone:
• ServerIron Zone1-SI is in zone 1. By default, zone 1 contains all IP addresses that are not members of other,
  user-configured zones. You can explicitly configure zone 1 but you do not need to. In the CLI configuration
  example for this configuration, zone 1 is not configured. ServerIron Zone1-SI contains zone definitions for
  zone 2 (the DMZ zone) but not for zone 1 or zone 3.
• ServerIron Zone2-SI is in zone 2 (the “DMZ” zone in this example). Zone 2 contains IP addresses in the range
  209.157.25.0/24 – 209.157.25.255/24. This ServerIron contains configuration information for zone 3 (the
  internal network zone) but does not contain definitions for zone 1 (the external network zone) or zone 2 (the
  DMZ zone itself).
• ServerIron Zone3-SI is in zone 3 (the “internal network” zone in the example). Zone 3 contains IP addresses
  in the range 209.157.23.0/24 – 209.157.23.255/24. This ServerIron contains configuration information for
  zone 2 (the DMZ zone) but does not contain definitions for zone 1 (the external network zone) or zone 3 (the
  internal network zone itself).
When one of the ServerIrons receives traffic whose destination IP address is in another zone, the ServerIron
selects a path for the traffic based on the zone the destination IP address is in. For example, if a client on the
Internet sends traffic addressed to a server in zone 2, ServerIron Zone1-SI selects a path that sends the traffic
through a firewall to ServerIron Zone2-SI, which forwards the traffic to the server. (ServerIron Zone2-SI can be
configured to load balance traffic across multiple servers or can simply be used as a Layer 2 switch to forward the
traffic to the server.)
When ServerIron Zone2-SI forwards the server’s reply to the client, the ServerIron selects a path to ServerIron
Zone1-SI. ServerIron Zone2-SI knows the traffic goes to zone 1 because the destination IP address of the traffic is
not in its own sub-net (zone 2) or in zone 3.
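The elimination rule described above for ServerIron Zone2-SI, modeled in Python as an added example (not code or configuration from the Brocade guide). The names ZoneView, classify and validate are hypothetical, applying the same rule to Zone3-SI is an assumption, and the sample destinations are constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class ZoneView:
    """One ServerIron's view of the zones (hypothetical model, not ServerIron code)."""
    name: str
    own_zone: int
    own_subnet: ipaddress.IPv4Network
    defined: dict        # zone id -> network: zones configured on this device
    implied_zone: int    # the zone left out of the configuration

    def validate(self):
        # Overlapping ranges make the destination zone ambiguous, so traffic
        # could be sent down a path toward the wrong firewall set.
        nets = [self.own_subnet, *self.defined.values()]
        for i, a in enumerate(nets):
            for b in nets[i + 1:]:
                if a.overlaps(b):
                    raise ValueError(f"{self.name}: {a} overlaps {b}")

    def classify(self, dest: str) -> int:
        ip = ipaddress.ip_address(dest)
        for zone_id, net in self.defined.items():
            if ip in net:
                return zone_id       # explicitly defined zone
        if ip in self.own_subnet:
            return self.own_zone     # local sub-net, no firewall path needed
        return self.implied_zone     # by elimination, as the text describes

DMZ = ipaddress.ip_network("209.157.25.0/24")       # zone 2 range from the page
INTERNAL = ipaddress.ip_network("209.157.23.0/24")  # zone 3 range from the page

ZONE2_SI = ZoneView("Zone2-SI", 2, DMZ, {3: INTERNAL}, implied_zone=1)
ZONE3_SI = ZoneView("Zone3-SI", 3, INTERNAL, {2: DMZ}, implied_zone=1)  # assumption: same rule

def demo():
    # Constructed destinations; 198.51.100.7 stands in for an Internet client.
    samples = ["198.51.100.7", "209.157.23.10", "209.157.25.20"]
    result = {}
    for view in (ZONE2_SI, ZONE3_SI):
        view.validate()
        result[view.name] = [view.classify(d) for d in samples]
    return result

if __name__ == "__main__":
    print(demo())
```

Running validate before deployment catches a zone definition that overlaps the device's own sub-net, which would otherwise misclassify local traffic.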