Technical data
Configuring Multizone FWLB
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 6 - 19
Configuration Examples with Layer 3 Routing
NOTE: Layer 3 routing is supported only on ServerIron Chassis devices running software release 08.0.00 or
later.
This section shows examples of commonly used ServerIron multizone FWLB deployments with Layer 3
configurations. The ServerIrons in these examples perform Layer 3 routing in addition to Layer 2 and Layer 4 – 7
switching.
Generally, the steps for configuring Layer 4 – 7 features on a ServerIron running Layer 3 are similar to the steps on
a ServerIron that is not running Layer 3. The examples focus on the Layer 3 aspects of the configurations.
This section contains the following configuration examples:
• “Multizone FWLB with One Sub-net and One Virtual Routing Interface” on page 6-19
• “Multizone FWLB with Multiple Sub-nets and Multiple Virtual Routing Interfaces” on page 6-28
NOTE: The multizone FWLB configurations shown in these examples are the ones that are supported. If you
need to use the ServerIron’s Layer 3 routing support in a FWLB configuration that is not shown, contact Brocade
Communications Systems.
Multizone FWLB with One Sub-net and One Virtual Routing Interface
Multizone FWLB allows you to configure ServerIrons to forward packets based on the destination zone. For
example, if your network consists of an Internet side, an internal side, and a Demilitarized Zone (DMZ) in between,
you can configure ServerIrons to forward packets through the firewalls to the correct zone.
When you configure multizone FWLB, you first identify a zone by configuring standard ACLs. An ACL specifies
the IP addresses (or address ranges) within the zone. When you configure the firewall group parameters, you add
the zones and define them by associating the ACLs with them. Each zone consists of a zone number, an optional
name, and a standard IP ACL that specifies the IP addresses contained in the zone.
Figure 6.4 shows an example of a multizone configuration for three zones:
• Zone 1 – The default zone. All sub-nets that you do not configure to be members of the other zones are by
default members of zone 1. Generally, the default zone is on the public (non-secure) side of the firewalls.
• Zone 2 – A secured zone containing two application servers.
• Zone 3 – Another secured zone containing an additional application server.
The ServerIrons in zone 1 perform FWLB for traffic between zone 1 and zones 2 and 3.
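The zone model described above can be checked offline before it is entered on a device. The following Python sketch is an added example, not Brocade code or ServerIron CLI: it resolves an address to a zone from per-zone standard ACLs, falls back to default zone 1, and flags addresses claimed by more than one zone. It assumes the usual standard-ACL semantics (wildcard masks, first match wins, implicit deny, a permit entry meaning zone membership); all addresses are constructed from documentation ranges.

```python
import ipaddress

DEFAULT_ZONE = 1  # zone 1 holds every address that no other zone's ACL claims

def entry(action, address, wildcard):
    """One standard-ACL line; wildcard bits set to 1 are 'don't care' bits."""
    to_int = lambda s: int(ipaddress.IPv4Address(s))
    return (action, to_int(address), to_int(wildcard))

def acl_permits(acl, ip):
    """Assumed semantics: first matching entry decides, no match is a deny."""
    value = int(ipaddress.IPv4Address(ip))
    for action, address, wildcard in acl:
        if (value | wildcard) == (address | wildcard):
            return action == "permit"
    return False

def zones_for(zones, ip):
    """Zone numbers whose ACL permits ip, or the default zone if none does."""
    hits = sorted(z for z, acl in zones.items() if acl_permits(acl, ip))
    return hits or [DEFAULT_ZONE]

def ambiguous(zones, probes):
    """Probe addresses that more than one zone ACL claims (a definition error)."""
    found = {}
    for ip in probes:
        hits = zones_for(zones, ip)
        if len(hits) > 1:
            found[ip] = hits
    return found

# Constructed sample: zones 2 and 3 as in the three-zone layout, zone 1 implicit.
ZONES = {
    2: [entry("permit", "198.51.100.0", "0.0.0.255")],
    3: [entry("permit", "203.0.113.0", "0.0.0.255")],
}
# Constructed mistake: the zone 3 ACL was typed inside zone 2's sub-net.
BAD_ZONES = {
    2: ZONES[2],
    3: [entry("permit", "198.51.100.128", "0.0.0.127")],
}
PROBES = ["198.51.100.10", "198.51.100.200", "203.0.113.5", "192.0.2.1"]

if __name__ == "__main__":
    for ip in PROBES:
        print(ip, "-> zone", zones_for(ZONES, ip))
    print("ambiguous in BAD_ZONES:", ambiguous(BAD_ZONES, PROBES))
```

An address that unexpectedly resolves to zone 1 is worth reviewing, because the default zone is generally the public side of the firewalls.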