Brocade Communications Systems ServerIron ADX 12.4.00 Service Manual Page 130
- Page / 188
- Table of contents
- BOOKMARKS
Rated. / 5. Based on customer reviews
ServerIron ADX Firewall Load Balancing Guide 119
53-1002436-01
Configuration example for FWLB with Layer 3 NAT firewalls
5
DRAFT: BROCADE CONFIDENTIAL
Access policy method
To disable load balancing for the NAT addresses using IP access policies, enter commands such as
the following.
ServerIronADX-A(config)# ip filter 1 deny any 209.157.23.110 255.255.255.255
ServerIronADX-A(config)# ip filter 2 deny any 209.157.23.107 255.255.255.255
ServerIronADX-A(config)# ip filter 1024 permit any any
The first two commands configure policies to deny load balancing for the two NAT addresses. The
third command allows all other traffic to be load balanced.
NOTE
The third policy, which permits all traffic, is required because once you define an access policy, the
default action for packets that do not match a policy is to deny them. Thus, if you configure only the
first two policies and not the third one, you actually disable load balancing altogether by denying the
load balancing for all packets.
Configuration example for FWLB with Layer 3 NAT firewalls
This section shows the CLI commands for implementing the configuration shown in Figure 18. Note
that the configuration steps are similar to those required for the basic configuration shown in
Figure 2 on page 11. The only additional step required is to ensure that the ServerIronADX
connected to the external network does not load balance return traffic to the addresses the
firewalls use for NAT. For example, ServerIron ADX A in
Figure 18 must be configured so that it does
not load balance return traffic to 209.157.23.107/24 or 209.157.23.110/24.
CLI commands on ServerIron ADX A (external)
The following commands configure ServerIronADX-A in Figure 18 for FWLB.
The hostname command changes the host name of the device to match the name used in
Figure 18. The ip address and ip default-gateway commands configure the device’s management
IP address and its default gateway.
The no span command disables the Spanning Tree Protocol (STP) on the ServerIronADX.
ServerIronADX(config)# hostname ServerIronADX-A
ServerIronADX-A(config)# ip address 209.157.23.106 255.255.255.0
ServerIronADX-A(config)# ip default-gateway 209.157.23.108
ServerIronADX-A(config)# no span
The following commands add the firewalls. The IP addresses are the firewalls’ interfaces with the
ServerIron ADX.
ServerIronADX-A(config)# server fw-name fw1 209.157.23.108
ServerIronADX-A(config-rs-fw1)# exit
ServerIronADX-A(config)# server fw-name fw2 209.157.23.109
ServerIronADX-A(config-rs-fw2)# exit
The following commands add firewall entries for the hidden NAT addresses. These entries prevent
the ServerIron ADX from load balancing the firewall traffic to these addresses. The ServerIron ADX
forwards a return packet addressed to one of these firewalls directly to the firewall that sent it,
instead of using the hash mechanism to select a path for the traffic.
- ServerIron ADX 1
- Document History 2
- Contents 3
- About This Document 8
- Document conventions 9
- Notice to the reader 10
- Related publications 11
- ServerIron FWLB Overview 12
- Firewall environments 14
- Load balancing paths 15
- Firewall selection 17
- Hashing mechanism 17
- Stateful FWLB 18
- Health checks 18
- Path health checks 19
- Application health checks 19
- Firewall health check debug 21
- Basic FWLB topology 22
- HA FWLB topology 23
- Failover 24
- Router paths 24
- Multizone FWLB topology 25
- FWLB configuration limits 26
- Configuring Basic FWLB 28
- IPv4 Firewall-1 37
- IPv4 Firewall-2 37
- External 40
- Internal 40
- Firewall-2 42
- Firewall-1 42
- Configuring HA FWLB 48
- Session limits 49
- Session aging 49
- Task Reference 52
- Configuring the firewall port 53
- Configuring the partner port 54
- Configuring the router port 55
- Configuring the firewalls 55
- Adding the firewalls 55
- Connection rate control 57
- Complete CLI example 62
- HA FWLB with VRRP 73
- Usage notes 78
- Configuring Multizone FWLB 82
- Zone 3Zone 2 84
- Zone1-SI(config)# no span 85
- Failover algorithm 92
- Commands on Zone1-SI-A zone 1 92
- DRAFT: BROCADE CONFIDENTIAL 100
- 53-1002436-01 102
- SI-A SI-A 104
- In this chapter 124
- NAT firewalls 124
- Extra firewall method 129
- Access policy method 130
- Specifying the partner port 134
- Specifying the router ports 134
- Configuring FWLB and SLB 146
- Configuring SLB-to-FWLB 148
- Configuring the real servers 149
- Enabling SLB-to-FWLB 150
- Configuring FWLB-to-SLB 152
- Enabling FWLB-to-SLB 154
- FWLB configuration overview 166
- TCP/UDP port statistics 169
- FWLB path information 172
- Field Description 173
- • 6 – TCP 174
- • 17 – UDP 174
- In this appendix 176
- FWLB selection algorithms 182
- Configuration guidelines 186
- Denying FWLB 187
Related products and manuals for Network switches Brocade Communications Systems ServerIron ADX 12.4.00
(12 pages)
(64 pages)© 2020, manymanuals.com. All rights reserved. | 1.021 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comments to this Manuals