Brocade Communications Systems ServerIron ADX 12.4.00 Service Manual Page 186
- Page / 188
- Table of contents
- BOOKMARKS
Rated. / 5. Based on customer reviews
ServerIron ADX Firewall Load Balancing Guide 175
53-1002436-01
Denying FWLB for specific applications
A
DRAFT: BROCADE CONFIDENTIAL
• ServerIron ADX A has an extended ACL at the firewall group configuration level that denies
FWLB for packets addressed to destination TCP port 80.
• ServerIron ADX B has an extended ACL at the firewall group configuration level that denies
FWLB for packets from source TCP port 80.
Notice that the routers use default routes to send traffic to a specific firewall. However, the default
routes do not necessarily determine the firewall to which the ServerIron ADX sends the traffic.
When the ServerIron ADX performs load balancing for a packet and selects a firewall for the traffic,
the ServerIron ADX also changes the destination MAC address of the packet to the MAC address of
the firewall selected by the ServerIron ADX. For example, in
Figure 25, if ServerIron ADX A selects
firewall FW2 for a packet, the ServerIron ADX changes the destination MAC address of the packet
to abcd.4321.34e1, the MAC address of firewall FW2’s interface with ServerIron ADX
A. As a result,
even if the WAN access router addresses a packet to the MAC address for firewall FW1, the
ServerIron ADX does not send the packet to firewall FW1 unless the load balancing mechanism
selects that firewall. In either case, the ServerIron ADX changes the destination MAC address of the
packet.
If you want to ensure that all packets for an application go to a specific firewall (as specified in the
default route on the router), you must deny FWLB service for that application. For example, if you
have configured firewall FW1 to collect statistics on HTTP traffic and you therefore want to send all
the HTTP traffic to firewall FW1, you must disable FWLB for HTTP traffic. To disable FWLB for an
application, configure an extended ACL at the firewall group configuration level.
NOTE
When you configure an ACL at the firewall group configuration level, a deny action does not cause
the ServerIron ADX to drop the denied packet. In this type of configuration, a deny action denies
FWLB service for the packet, so that the ServerIron ADX leaves the destination MAC address of the
packet unchanged.
NOTE
This section focuses on using extended ACLs to deny FWLB based on TCP or UDP port. However, you
also can use standard ACLs at the firewall group configuration level to deny FWLB based on IP
address.
Configuration guidelines
Consider the following:
• Configure extended ACLs at the firewall group configuration level to deny FWLB for specific
applications.
• Configure a permit ACL to allow all applications. Once you configure an ACL, the default action
changes from permit to deny. As a result, if you do not configure the permit ACL for all traffic
types, FWLB is denied for all traffic. Make sure the permit ACL for all traffic is the last ACL, after
all the deny ACLs.
• Configure the deny ACLs for each direction of traffic for which you want to deny FWLB. In
Figure 25, configure a deny ACL on ServerIron ADX A to deny FWLB for packets addressed to
destination TCP port 80 (HTTP). To deny FWLB for the return traffic, configure a deny ACL on
ServerIron ADX
B to deny packets from source TCP port 80.
- ServerIron ADX 1
- Document History 2
- Contents 3
- About This Document 8
- Document conventions 9
- Notice to the reader 10
- Related publications 11
- ServerIron FWLB Overview 12
- Firewall environments 14
- Load balancing paths 15
- Firewall selection 17
- Hashing mechanism 17
- Stateful FWLB 18
- Health checks 18
- Path health checks 19
- Application health checks 19
- Firewall health check debug 21
- Basic FWLB topology 22
- HA FWLB topology 23
- Failover 24
- Router paths 24
- Multizone FWLB topology 25
- FWLB configuration limits 26
- Configuring Basic FWLB 28
- IPv4 Firewall-1 37
- IPv4 Firewall-2 37
- External 40
- Internal 40
- Firewall-2 42
- Firewall-1 42
- Configuring HA FWLB 48
- Session limits 49
- Session aging 49
- Task Reference 52
- Configuring the firewall port 53
- Configuring the partner port 54
- Configuring the router port 55
- Configuring the firewalls 55
- Adding the firewalls 55
- Connection rate control 57
- Complete CLI example 62
- HA FWLB with VRRP 73
- Usage notes 78
- Configuring Multizone FWLB 82
- Zone 3Zone 2 84
- Zone1-SI(config)# no span 85
- Failover algorithm 92
- Commands on Zone1-SI-A zone 1 92
- DRAFT: BROCADE CONFIDENTIAL 100
- 53-1002436-01 102
- SI-A SI-A 104
- In this chapter 124
- NAT firewalls 124
- Extra firewall method 129
- Access policy method 130
- Specifying the partner port 134
- Specifying the router ports 134
- Configuring FWLB and SLB 146
- Configuring SLB-to-FWLB 148
- Configuring the real servers 149
- Enabling SLB-to-FWLB 150
- Configuring FWLB-to-SLB 152
- Enabling FWLB-to-SLB 154
- FWLB configuration overview 166
- TCP/UDP port statistics 169
- FWLB path information 172
- Field Description 173
- • 6 – TCP 174
- • 17 – UDP 174
- In this appendix 176
- FWLB selection algorithms 182
- Configuration guidelines 186
- Denying FWLB 187
Related products and manuals for Network switches Brocade Communications Systems ServerIron ADX 12.4.00
(12 pages)
(64 pages)© 2020, manymanuals.com. All rights reserved. | 0.298 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comments to this Manuals