Configuring Multizone FWLB
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 6 - 7
Zone2-SI(config)# exit
Zone2-SI# reload
Commands on Zone3-SI in Zone 3
The following commands configure ServerIron “Zone3-SI” in zone 3 in Figure 6.2 on page 6-8. The configuration is
similar to the ones for the other ServerIrons, with the following exceptions:
• The management IP address is different.
• The default gateway goes to an interface on FW2.
• The paths are different due to the ServerIron’s placement in the network.
• An ACL and zone definition are configured for zone 2 only. Since this ServerIron is in zone 3, the
configuration does not include an ACL and zone definition for its own zone. This ServerIron also does not
contain an ACL or zone definition for zone 1. As a result, by default this ServerIron forwards to zone 1 any
packets that are not addressed to the ServerIron’s own sub-net or to a sub-net in zone 2.
ServerIron(config)# hostname Zone3-SI
Zone3-SI(config)# ip address 209.157.23.11 255.255.255.0
Zone3-SI(config)# ip default-gateway 209.157.23.1
Zone3-SI(config)# no span
Zone3-SI(config)# ip policy 1 fw tcp 0 global
Zone3-SI(config)# ip policy 2 fw udp 0 global
Zone3-SI(config)# server router-ports 5
Zone3-SI(config)# server fw-name FW1 209.157.23.1
Zone3-SI(config-rs-FW1)# exit
Zone3-SI(config)# server fw-name FW2 209.157.23.254
Zone3-SI(config-rs-FW2)# exit
Zone3-SI(config)# access-list 2 permit 209.157.25.0 0.0.0.255
Zone3-SI(config)# server fw-group 2
Zone3-SI(config-tc-2)# fwall-zone Zone2 2 2
Zone3-SI(config-tc-2)# fw-name FW1
Zone3-SI(config-tc-2)# fw-name FW2
Zone3-SI(config-tc-2)# fwall-info 1 16 209.157.24.13 209.157.23.1
Zone3-SI(config-tc-2)# fwall-info 2 1 209.157.24.13 209.157.23.254
Zone3-SI(config-tc-2)# fwall-info 3 16 209.157.25.15 209.157.23.1
Zone3-SI(config-tc-2)# fwall-info 4 1 209.157.25.15 209.157.23.254
Zone3-SI(config-tc-2)# fwall-info 5 5 209.157.23.15 209.157.23.15
Zone3-SI(config-tc-2)# exit
Zone3-SI(config)# static-mac-address abcd.5200.3489 ethernet 16 high-priority router-type
Zone3-SI(config)# static-mac-address abcd.5200.0b4c ethernet 1 high-priority router-type
Zone3-SI(config)# write memory
Zone3-SI(config)# exit
Zone3-SI# reload
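The default-zone rule described in the bullet list above can be checked offline before a configuration is loaded. The following Python sketch is an added example, not Brocade code: it models only the rule as the text states it, reads three lines copied from the Zone3-SI configuration, and assumes the fwall-zone fields are name, zone number and ACL ID. The function names, the DEFAULT_ZONE label and the address 198.51.100.7 are constructed for illustration.

```python
import ipaddress

# Lines copied from the Zone3-SI configuration on this page.
CONFIG = """\
ip address 209.157.23.11 255.255.255.0
access-list 2 permit 209.157.25.0 0.0.0.255
fwall-zone Zone2 2 2
"""
DEFAULT_ZONE = "zone 1 (default)"  # label chosen for this example


def wildcard_match(addr, base, wildcard):
    """ACL wildcard mask: bits set to 1 in the mask are ignored."""
    care = ~int(wildcard) & 0xFFFFFFFF
    return (int(addr) & care) == (int(base) & care)


def parse(config):
    """Return (local subnet, {acl id: [(base, wildcard)]}, {zone: acl id})."""
    local, acls, zones = None, {}, {}
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] == ["ip", "address"]:
            local = ipaddress.ip_network(f"{tok[2]}/{tok[3]}", strict=False)
        elif tok[:1] == ["access-list"] and tok[2] == "permit":
            entry = (ipaddress.ip_address(tok[3]), ipaddress.ip_address(tok[4]))
            acls.setdefault(tok[1], []).append(entry)
        elif tok[:1] == ["fwall-zone"]:
            zones[tok[1]] = tok[3]  # assumption: fields are name, zone number, ACL id
    return local, acls, zones


def classify(dest, config=CONFIG):
    """Zone a destination falls into under the rule stated in the text."""
    local, acls, zones = parse(config)
    ip = ipaddress.ip_address(dest)
    if ip in local:
        return "local sub-net"
    for zone, acl_id in zones.items():
        if any(wildcard_match(ip, b, w) for b, w in acls.get(acl_id, [])):
            return zone
    return DEFAULT_ZONE  # no zone definition matched


if __name__ == "__main__":
    # 198.51.100.7 is a constructed documentation address.
    for dest in ("209.157.23.254", "209.157.25.15", "209.157.24.13", "198.51.100.7"):
        print(f"{dest:15} -> {classify(dest)}")
```

Running the same check against each ServerIron's configuration shows which destinations are covered by an explicit zone definition and which reach a zone only through the default.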
Configuring IronClad Multi-Zone FWLB
Figure 6.2 on page 6-8 shows an example of an IronClad (high-availability) multi-zone FWLB configuration. This
example has the same zones as the basic example in Figure 6.1 on page 6-3, but in the IronClad configuration
each zone contains a pair of active-standby ServerIrons instead of a single ServerIron.
In this configuration, the ServerIrons on the left side of Figure 6.1 are the active ServerIrons. The ServerIrons on
the right are the standby ServerIrons. Each active-standby pair is connected by a private link, which the
ServerIrons use to exchange failover information. The ports used by the private links are in their own port-based
VLAN, separate from the other ServerIron ports. Add the ports as untagged ports. For added redundancy, the
private links also are configured as two-port trunk groups.