Technical data

ServerIron ADX Firewall Load Balancing Guide 131
53-1002436-01
Configuration example for IronClad FWLB with Layer 3 NAT firewalls
5
DRAFT: BROCADE CONFIDENTIAL
The third parameter is the IP address of the ServerIron ADX at the other end of the path or, for
paths to routers, the IP address of the router’s interface with the ServerIron ADX. Note that each
ServerIron ADX has a path to each of the ServerIron ADXs in the other pair, but does not have a
path to its own standby pair.
The fourth parameter is the IP address of the firewall or router interface with this ServerIron ADX.
Notice that the ServerIron ADX has two paths for each firewall: one to the active ServerIron ADX
in the other pair and one to the standby ServerIron ADX in the other pair. For the path to the
router, the third and fourth parameters have the same value, because the router’s interface is both
the far end of the path and the interface facing this ServerIron ADX.
SI-ActiveA(config-fw-2)# fwall-info 1 1 3.3.3.20 192.168.1.2
SI-ActiveA(config-fw-2)# fwall-info 2 2 3.3.3.20 192.168.1.3
SI-ActiveA(config-fw-2)# fwall-info 3 1 4.4.4.20 192.168.1.2
SI-ActiveA(config-fw-2)# fwall-info 4 2 4.4.4.20 192.168.1.3
SI-ActiveA(config-fw-2)# fwall-info 5 8 192.168.1.1 192.168.1.1
SI-ActiveA(config-fw-2)# exit
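The path table above is easy to get subtly wrong when a pair of ServerIron ADXs is added or readdressed. The following script is an added example, not Brocade code: it parses fwall-info lines in the form shown above and checks the invariants the text states (every firewall has exactly two paths, one to each ServerIron ADX in the other pair; the router path uses the router interface for both the third and fourth parameter). It also checks an inference from the fourth-parameter description, that both paths to one firewall name the same firewall interface. The set of far-end addresses (3.3.3.20 and 4.4.4.20) and the router's firewall id (8) are taken from the page's example and must be supplied from your own topology.

```python
"""Lint fwall-info path definitions for the two-pair FWLB layout (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class FwallInfo:
    path_id: int   # first parameter
    fw_id: int     # second parameter
    far_end: str   # third parameter: far-end ServerIron ADX, or router interface
    near_if: str   # fourth parameter: firewall/router interface facing this ADX


def parse_fwall_info(line: str) -> FwallInfo:
    """Parse 'fwall-info <path> <fw> <far-end-ip> <interface-ip>', tolerating
    a leading CLI prompt such as 'SI-ActiveA(config-fw-2)# '."""
    tokens = line.split()
    try:
        i = tokens.index("fwall-info")
    except ValueError:
        raise ValueError(f"not an fwall-info line: {line!r}") from None
    args = tokens[i + 1:i + 5]
    if len(args) != 4:
        raise ValueError(f"fwall-info needs four parameters: {line!r}")
    return FwallInfo(int(args[0]), int(args[1]), args[2], args[3])


def check_paths(entries: Iterable[FwallInfo], other_pair: Set[str],
                router_fw_id: int) -> List[str]:
    """Return human-readable problems; an empty list means the table is consistent."""
    entries = list(entries)
    problems: List[str] = []

    # Path ids must be unique.
    seen: Set[int] = set()
    for e in entries:
        if e.path_id in seen:
            problems.append(f"path {e.path_id} defined twice")
        seen.add(e.path_id)

    by_fw: Dict[int, List[FwallInfo]] = defaultdict(list)
    for e in entries:
        by_fw[e.fw_id].append(e)

    for fw_id, paths in sorted(by_fw.items()):
        if fw_id == router_fw_id:
            # Router path: third and fourth parameters are the same interface.
            for e in paths:
                if e.far_end != e.near_if:
                    problems.append(f"router path {e.path_id}: third and fourth parameters "
                                    f"must both be the router interface "
                                    f"({e.far_end} != {e.near_if})")
            continue
        # Firewall: exactly two paths, one to each ADX of the other pair.
        if len(paths) != 2:
            problems.append(f"firewall {fw_id} has {len(paths)} path(s), expected 2")
        far_ends = {e.far_end for e in paths}
        if far_ends != other_pair:
            problems.append(f"firewall {fw_id} reaches {sorted(far_ends)}, "
                            f"expected the other pair {sorted(other_pair)}")
        # Inference: both paths to one firewall face the same firewall interface.
        if len({e.near_if for e in paths}) != 1:
            problems.append(f"firewall {fw_id} paths disagree on the firewall interface")
    return problems


# Constructed input: the SI-ActiveA configuration shown above.
PAGE_CONFIG = """
SI-ActiveA(config-fw-2)# fwall-info 1 1 3.3.3.20 192.168.1.2
SI-ActiveA(config-fw-2)# fwall-info 2 2 3.3.3.20 192.168.1.3
SI-ActiveA(config-fw-2)# fwall-info 3 1 4.4.4.20 192.168.1.2
SI-ActiveA(config-fw-2)# fwall-info 4 2 4.4.4.20 192.168.1.3
SI-ActiveA(config-fw-2)# fwall-info 5 8 192.168.1.1 192.168.1.1
"""
OTHER_PAIR = {"3.3.3.20", "4.4.4.20"}  # assumption: the active/standby ADXs of the other pair
ROUTER_FW_ID = 8                      # the page uses firewall id 8 for the router path


def lint(config_text: str) -> List[str]:
    entries = [parse_fwall_info(l) for l in config_text.splitlines() if "fwall-info" in l]
    return check_paths(entries, OTHER_PAIR, ROUTER_FW_ID)


if __name__ == "__main__":
    for line in lint(PAGE_CONFIG) or ["fwall-info table is consistent"]:
        print(line)
```

Run it against a pasted `show running-config` excerpt before committing a change; dropping one of the two paths to a firewall, or pointing the router path at the wrong interface, is reported by name.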
The following commands add static entries to the ServerIron ADX’s MAC table for the firewall
interfaces. The priority 1 and router-type parameters are required for FWLB.
SI-ActiveA(config)# vlan 1
SI-ActiveA(config-vlan-1)# static-mac-address abcd.4321.2498 ethernet 1 priority 1 router-type
SI-ActiveA(config-vlan-1)# static-mac-address abcd.4321.a53c ethernet 2 priority 1 router-type
SI-ActiveA(config-vlan-1)# exit
NOTE
If you enter the command at the global CONFIG level, the static MAC entry applies to the default
port-based VLAN (VLAN 1). If you enter the command at the configuration level for a specific
port-based VLAN, the entry applies to that VLAN and not to the default VLAN.
Alternative configuration for active ServerIron ADX A
The previous example configures FWLB for NAT firewalls by adding firewall definitions for the IP
addresses the NAT service on the firewalls uses for traffic sent from a client inside the firewalls to a
destination outside the firewalls.
Alternatively, you can configure IP access policies that deny load balancing for the NAT addresses.
For the example in Figure 19 on page 122, you would enter the following commands.
ServerIronADX-A(config)# ip filter 1 deny any 192.168.2.3 255.255.255.255
ServerIronADX-A(config)# ip filter 2 deny any 192.168.3.2 255.255.255.255
ServerIronADX-A(config)# ip filter 1024 permit any any
The first two commands configure policies to deny load balancing for the two NAT addresses. The
third command allows all other traffic to be load balanced.
NOTE
The third policy, which permits all traffic, is required because once you define an access policy, the
default action for packets that do not match a policy is to deny them. Thus, if you configure only the
first two policies and not the third one, you actually disable load balancing altogether by denying the
load balancing for all packets.
The other commands are the same as in the previous section.
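The NOTE describes a fail-closed behaviour that is easy to trip over: the moment one ip filter exists, anything that matches no policy is denied. The following script is an added example, not Brocade code. It models only what the page states about the policies (ascending-id order, first match wins, implicit deny once any policy exists, and that a deny means "do not load balance"); the real CLI's further matching options are not covered. The rule syntax assumed is `ip filter <id> <permit|deny> <src|any> [<src-mask>] <dst|any> [<dst-mask>]`, as in the three lines above, and the client and destination addresses used in the demonstration are constructed.

```python
"""Model ip filter evaluation for FWLB: first match, implicit deny (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class IpFilter:
    policy_id: int
    action: str                            # "permit" or "deny"
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]   # None means "any"


def _take_address(tokens: List[str], pos: int) -> Tuple[Optional[ipaddress.IPv4Network], int]:
    """Consume 'any' or '<ip> <mask>' at tokens[pos]; return (network or None, next pos)."""
    if tokens[pos] == "any":
        return None, pos + 1
    net = ipaddress.IPv4Network((tokens[pos], tokens[pos + 1]), strict=False)
    return net, pos + 2


def parse_ip_filter(line: str) -> IpFilter:
    """Parse one policy line, tolerating a leading CLI prompt."""
    tokens = line.split()
    i = tokens.index("ip")
    if tokens[i + 1] != "filter":
        raise ValueError(f"not an ip filter line: {line!r}")
    policy_id = int(tokens[i + 2])
    action = tokens[i + 3]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r} in {line!r}")
    src, pos = _take_address(tokens, i + 4)
    dst, pos = _take_address(tokens, pos)
    if pos != len(tokens):
        raise ValueError(f"trailing tokens in {line!r}")
    return IpFilter(policy_id, action, src, dst)


def load_balance_allowed(policies: List[IpFilter], src: str, dst: str) -> bool:
    """First-match evaluation.  No policies: everything is load balanced.
    At least one policy: packets matching none are denied (implicit deny)."""
    if not policies:
        return True
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for p in sorted(policies, key=lambda p: p.policy_id):
        if (p.src is None or s in p.src) and (p.dst is None or d in p.dst):
            return p.action == "permit"
    return False


def has_catchall_permit(policies: List[IpFilter]) -> bool:
    """True if a permit policy matches any source and any destination, the
    role 'ip filter 1024 permit any any' plays above.  Without one, the
    implicit deny disables load balancing for all non-matching traffic."""
    return any(p.action == "permit" and p.src is None and p.dst is None for p in policies)


# Constructed input: the three policies shown above.
PAGE_POLICIES = [parse_ip_filter(l) for l in """
ServerIronADX-A(config)# ip filter 1 deny any 192.168.2.3 255.255.255.255
ServerIronADX-A(config)# ip filter 2 deny any 192.168.3.2 255.255.255.255
ServerIronADX-A(config)# ip filter 1024 permit any any
""".splitlines() if l.strip()]

# The same configuration with the final permit left out (the NOTE's failure mode).
TRUNCATED_POLICIES = [p for p in PAGE_POLICIES if p.policy_id != 1024]

if __name__ == "__main__":
    client, nat_dst, other_dst = "10.1.1.10", "192.168.2.3", "198.51.100.7"  # constructed
    for name, pol in (("with permit 1024", PAGE_POLICIES), ("without permit 1024", TRUNCATED_POLICIES)):
        print(f"{name}: NAT address {load_balance_allowed(pol, client, nat_dst)}, "
              f"other traffic {load_balance_allowed(pol, client, other_dst)}, "
              f"catch-all permit present {has_catchall_permit(pol)}")
```

`has_catchall_permit` is the check to run over any policy set you intend to apply: a configuration that only denies the NAT addresses passes the two deny tests but quietly stops load balancing everything else.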