Brocade Communications Systems ServerIron ADX 12.4.00 Service Manual Page 179
- Page / 188
- Table of contents
- BOOKMARKS
Rated. / 5. Based on customer reviews
168 ServerIron ADX Firewall Load Balancing Guide
53-1002436-01
Configuring FWLB for firewalls with active-standby NICs
A
DRAFT: BROCADE CONFIDENTIAL
Syntax: (IPv4) [no] fwall-info <path-num> <portnum> <other-ip> <next-hop-ip>
Syntax: (IPv6) [no] fwall-info <path-num> <portnum> <other-ipv6> <next-hop-ipv6>
NOTE
The other IP address and next-hop IP address parameters must be both IPv4 addresses or both IPv6
addresses. IPv4 and IPv6 addresses cannot be mixed.
NOTE
You must use IPv4 addresses for IPv4 firewalls and IPv6 addresses for IPv6 firewalls. If the same
firewall supports both IPv4 and IPv6, you must configure them separately under group 2 (IPv4) and
group 4 (IPv6).
The <path-num> parameter specifies the path. The sequence of path IDs must be contiguous from
start to finish.
The <portnum> parameter specifies the port that connects the ServerIron to the firewall. If the port
number is dynamic, use port number 65535.
The <other-ip> parameter specifies the IPv4 address of the ServerIron on the other side of the
firewall.
The <next-hop-ip> parameter specifies the IPv4 address of the firewall connected to this
ServerIron.
The <other-ipv6> parameter specifies the IPv6 address of the ServerIron on the other side of the
firewall.
The <next-hop-ipv6> parameter specifies the IPv6 address of the firewall connected to this
ServerIron.
Specify 65535 as the port number for the paths to dual NIC (active-standby) firewall interfaces.
Specify the ServerIron ADX port number for paths to routers.
When the firewalls have active-standby NICs, and dynamic ports are configured on the firewall
paths, by default the ServerIron always uses the same interface to reach a firewall, where firewall's
ARP entry was initially learnt. It does not update the firewall path to an alternate interface unless
the interface physically goes down.
This behavior will cause issues in setups running firewalls with active-standby NIC's, when the NICs
fail over without having the interface go down physically. For example, when a failover of the
Firewall NIC occurs, the ARP entry for the firewall's IP is learnt on a new port but the firewall path
still shows the old interface causing issues with FWLB.
Configure the following command, to prevent this condition:
ServerIronADX(config)# server fw-allow-dynamic-port-change
Syntax: server fw-allow-dynamic-port-change
This command allows the firewall path health checks to be sent to the correct port where the
firewall ARP is learnt and update the firewall path accordingly to reflect the new interface where the
firewall can now be reached.
- ServerIron ADX 1
- Document History 2
- Contents 3
- About This Document 8
- Document conventions 9
- Notice to the reader 10
- Related publications 11
- ServerIron FWLB Overview 12
- Firewall environments 14
- Load balancing paths 15
- Firewall selection 17
- Hashing mechanism 17
- Stateful FWLB 18
- Health checks 18
- Path health checks 19
- Application health checks 19
- Firewall health check debug 21
- Basic FWLB topology 22
- HA FWLB topology 23
- Failover 24
- Router paths 24
- Multizone FWLB topology 25
- FWLB configuration limits 26
- Configuring Basic FWLB 28
- IPv4 Firewall-1 37
- IPv4 Firewall-2 37
- External 40
- Internal 40
- Firewall-2 42
- Firewall-1 42
- Configuring HA FWLB 48
- Session limits 49
- Session aging 49
- Task Reference 52
- Configuring the firewall port 53
- Configuring the partner port 54
- Configuring the router port 55
- Configuring the firewalls 55
- Adding the firewalls 55
- Connection rate control 57
- Complete CLI example 62
- HA FWLB with VRRP 73
- Usage notes 78
- Configuring Multizone FWLB 82
- Zone 3Zone 2 84
- Zone1-SI(config)# no span 85
- Failover algorithm 92
- Commands on Zone1-SI-A zone 1 92
- DRAFT: BROCADE CONFIDENTIAL 100
- 53-1002436-01 102
- SI-A SI-A 104
- In this chapter 124
- NAT firewalls 124
- Extra firewall method 129
- Access policy method 130
- Specifying the partner port 134
- Specifying the router ports 134
- Configuring FWLB and SLB 146
- Configuring SLB-to-FWLB 148
- Configuring the real servers 149
- Enabling SLB-to-FWLB 150
- Configuring FWLB-to-SLB 152
- Enabling FWLB-to-SLB 154
- FWLB configuration overview 166
- TCP/UDP port statistics 169
- FWLB path information 172
- Field Description 173
- • 6 – TCP 174
- • 17 – UDP 174
- In this appendix 176
- FWLB selection algorithms 182
- Configuration guidelines 186
- Denying FWLB 187
Related products and manuals for Network switches Brocade Communications Systems ServerIron ADX 12.4.00
(12 pages)
(64 pages)© 2020, manymanuals.com. All rights reserved. | 0.074 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comments to this Manuals