Brocade Communications Systems ServerIron ADX 12.4.00 Service Manual Page 61
- Page / 188
- Table of contents
- BOOKMARKS
Rated. / 5. Based on customer reviews
50 ServerIron ADX Firewall Load Balancing Guide
53-1002436-01
Configuring HA active-active FWLB
3
DRAFT: BROCADE CONFIDENTIAL
To configure the static MAC address entries for ServerIron ADX SI-Ext-A in Figure 10, enter the
following commands.
ServerIronADX(config-fw-2)# vlan 1
ServerIronADX(config-vlan-1)# static-mac-address 0050.da92.08fc ethernet 4/5
priority 1 router-type
ServerIronADX(config-vlan-1)# static-mac-address 0050.da8d.5218 ethernet 4/1
priority 1 router-type
Syntax: [no] static-mac-address <mac-addr> ethernet <portnum> [priority <0-7>] [host-type |
router-type]
The priority can be from 0 through 7 (0 is lowest and 7 is highest). Use a priority higher than 0.
Use router-type for the entry type.
If you are using the always-active feature (by entering the always-active command in VLAN 1 for
simplified Layer 2 topology), you also must enable the L2-Fwall feature by entering the following
command.
ServerIronADX(config-fw-2)# l2-fwall
Syntax: [no] l2-fwall
Dropping packets when a firewall reaches its limit
By default, if the ServerIron ADX receives traffic that it needs to forward to a firewall, but the firewall
already has the maximum number of sessions open or has exceeded its maximum connection rate,
the ServerIron ADX uses a hashing mechanism to select another firewall. The hashing mechanism
selects another firewall based on the source and destination IP addresses and application port
numbers in the packet.
If you want the ServerIron ADX to drop the traffic instead of load balancing it using the hashing
mechanism, enter the following command.
ServerIronADX(config-fw-2)# fw-exceed-max-drop
Syntax: [no] fw-exceed-max-drop
The ServerIron ADX drops traffic only until the firewall again has available sessions.
Restricting TCP traffic to a firewall to established sessions
By default, the ServerIron ADX sends a properly addressed TCP data packet to a firewall regardless
of whether the ServerIron ADX has received a TCP SYN for the traffic flow. For example, if the
ServerIron ADX receives a TCP packet addressed to TCP port 8080 on IP address 1.1.1.1, the
ServerIron ADX forwards the packet to the firewall connected to 1.1.1.1 regardless of whether the
ServerIron ADX has received a TCP SYN for the session between the packet's source and 1.1.1.1.
For tighter security, you can configure the ServerIron ADX to forward a TCP data packet only if the
ServerIron ADX has already received a TCP SYN for the packet's traffic flow (source and destination
addresses). For example, with the tighter security enabled, the ServerIron ADX does not forward a
TCP data packet to 1.1.1.1 unless the ServerIron ADX has already received a TCP SYN for the
session between the packet's source and 1.1.1.1.
To enable the tighter security, enter the following command at the global CONFIG level of the CLI.
ServerIronADX(config)# server fw-strict-sec
- ServerIron ADX 1
- Document History 2
- Contents 3
- About This Document 8
- Document conventions 9
- Notice to the reader 10
- Related publications 11
- ServerIron FWLB Overview 12
- Firewall environments 14
- Load balancing paths 15
- Firewall selection 17
- Hashing mechanism 17
- Stateful FWLB 18
- Health checks 18
- Path health checks 19
- Application health checks 19
- Firewall health check debug 21
- Basic FWLB topology 22
- HA FWLB topology 23
- Failover 24
- Router paths 24
- Multizone FWLB topology 25
- FWLB configuration limits 26
- Configuring Basic FWLB 28
- IPv4 Firewall-1 37
- IPv4 Firewall-2 37
- External 40
- Internal 40
- Firewall-2 42
- Firewall-1 42
- Configuring HA FWLB 48
- Session limits 49
- Session aging 49
- Task Reference 52
- Configuring the firewall port 53
- Configuring the partner port 54
- Configuring the router port 55
- Configuring the firewalls 55
- Adding the firewalls 55
- Connection rate control 57
- Complete CLI example 62
- HA FWLB with VRRP 73
- Usage notes 78
- Configuring Multizone FWLB 82
- Zone 3Zone 2 84
- Zone1-SI(config)# no span 85
- Failover algorithm 92
- Commands on Zone1-SI-A zone 1 92
- DRAFT: BROCADE CONFIDENTIAL 100
- 53-1002436-01 102
- SI-A SI-A 104
- In this chapter 124
- NAT firewalls 124
- Extra firewall method 129
- Access policy method 130
- Specifying the partner port 134
- Specifying the router ports 134
- Configuring FWLB and SLB 146
- Configuring SLB-to-FWLB 148
- Configuring the real servers 149
- Enabling SLB-to-FWLB 150
- Configuring FWLB-to-SLB 152
- Enabling FWLB-to-SLB 154
- FWLB configuration overview 166
- TCP/UDP port statistics 169
- FWLB path information 172
- Field Description 173
- • 6 – TCP 174
- • 17 – UDP 174
- In this appendix 176
- FWLB selection algorithms 182
- Configuration guidelines 186
- Denying FWLB 187
Related products and manuals for Network switches Brocade Communications Systems ServerIron ADX 12.4.00
(12 pages)
(64 pages)© 2020, manymanuals.com. All rights reserved. | 1.081 s |
Manymanuals.com
Manymanuals.de
Manymanuals.fr
Manymanuals.it
Manymanuals.pl
Manymanuals.cz
Manymanuals.es
Manymanuals-pt.com
Comments to this Manuals