Brocade Communications Systems ServerIron ADX 12.4.00 Service Manual Page 86
ServerIron ADX Firewall Load Balancing Guide 75
53-1002436-01
DRAFT: BROCADE CONFIDENTIAL

Configuration example for basic multizone FWLB
The following command identifies the router port, which is the ServerIron ADX port connected to a router. In the example in Figure 13 on page 73, each ServerIron ADX has one router port. If the link is a trunk group, enter the primary port number. In this example, the router port is port 5.
Zone1-SI(config)# server router-ports 5
The following commands add the firewalls.
Zone1-SI(config)# server fw-name FW1 209.157.24.1
Zone1-SI(config-rs-FW1)# exit
Zone1-SI(config)# server fw-name FW2 209.157.24.254
Zone1-SI(config-rs-FW2)# exit
The names are specific to the ServerIron ADX and do not need to correspond to any name parameters on the firewalls themselves. The IP addresses are the addresses of the firewall interfaces with the ServerIron ADX.
The following command configures an Access Control List (ACL) for the IP addresses in the DMZ zone (zone 2). The command configures a standard ACL for the addresses in zone 2, which contains addresses in the 209.157.25.x/24 sub-net. The "0.0.0.255" value is a wildcard mask: a 0 bit marks a bit of the specified address that must match, and a 1 bit marks a bit that is ignored. In this case, all bits except the ones in the last octet of the address are significant, so the entry matches every address from 209.157.25.0 through 209.157.25.255.
Zone1-SI(config)# access-list 2 permit 209.157.25.0 0.0.0.255
In this configuration, only one zone definition is required on each ServerIron ADX, including Zone1-SI. Because the Zone1-SI ServerIron ADX is already in zone 1, it forwards packets either to the ServerIron ADX in zone 2 or to the only other ServerIron ADX that is not in zone 2; in this case, that is the one in zone 3. Thus, if Zone1-SI receives a packet that is not addressed to the sub-net Zone1-SI is in and is not addressed to a sub-net in zone 2, it assumes that the packet is for an address in the other zone, zone 3, and forwards the packet to the ServerIron ADX in zone 3.
Although each zone in this example contains one Class C sub-net, you can configure ACLs for any range of addresses and even for individual host addresses.
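To make the wildcard-mask and zone-selection reasoning above concrete, here is an added Python example (it is not part of the Brocade guide and not ServerIron ADX code) that parses the standard ACL line shown above and reproduces the forwarding decision Zone1-SI makes. It assumes that Zone1-SI's own sub-net is 209.157.24.0/24 (inferred from the FW1 and FW2 interface addresses) and that the example has exactly three zones; it also covers the case the page's reasoning does not, returning None when more than one zone is left unaccounted for, because the "only other zone" shortcut is then invalid.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class WildcardEntry:
    """One 'permit <address> <wildcard>' entry of a standard numbered ACL.
    A 0 bit in the wildcard means that bit of the address must match; a 1 bit
    means the bit is ignored, so 0.0.0.255 matches a whole /24."""
    address: int
    wildcard: int

    def matches(self, ip: int) -> bool:
        significant = ~self.wildcard & 0xFFFFFFFF   # bits that must match
        return (ip & significant) == (self.address & significant)


def parse_standard_acl(lines: List[str]) -> Dict[int, List[WildcardEntry]]:
    """Parse 'access-list <n> permit <addr> <wildcard>' lines into entries keyed
    by ACL number. Only the permit form used on this page is handled."""
    acls: Dict[int, List[WildcardEntry]] = {}
    for line in lines:
        parts = line.split()
        if len(parts) != 5 or parts[0] != "access-list" or parts[2] != "permit":
            raise ValueError(f"unsupported ACL line: {line!r}")
        entry = WildcardEntry(int(ipaddress.IPv4Address(parts[3])),
                              int(ipaddress.IPv4Address(parts[4])))
        acls.setdefault(int(parts[1]), []).append(entry)
    return acls


def next_hop_zone(dst: str, local_zone: int, local_subnet: str,
                  zone_acls: Dict[int, int], acls: Dict[int, List[WildcardEntry]],
                  all_zones: Set[int]) -> Optional[int]:
    """Decide which zone a packet for `dst` belongs to, following the page:
    local sub-net -> local zone; a match on a configured zone's ACL -> that zone;
    otherwise the single remaining zone. Returns None when more than one zone
    remains, since the 'only other zone' assumption does not hold then."""
    addr = ipaddress.IPv4Address(dst)
    if addr in ipaddress.ip_network(local_subnet):
        return local_zone
    for zone, acl_number in zone_acls.items():
        if any(e.matches(int(addr)) for e in acls.get(acl_number, [])):
            return zone
    remaining = all_zones - {local_zone} - set(zone_acls)
    return remaining.pop() if len(remaining) == 1 else None


# Constructed Zone1-SI parameters taken from the commands on this page; the
# local sub-net is an assumption inferred from the FW1/FW2 addresses.
ZONE1_ACL_LINES = ["access-list 2 permit 209.157.25.0 0.0.0.255"]
ZONE1_SI = {
    "local_zone": 1,
    "local_subnet": "209.157.24.0/24",
    "zone_acls": {2: 2},                      # from 'fwall-zone Zone2 2 2'
    "acls": parse_standard_acl(ZONE1_ACL_LINES),
}


def classify(dst: str, all_zones=frozenset({1, 2, 3})) -> Optional[int]:
    """Zone decision for Zone1-SI; all_zones defaults to the page's three zones."""
    return next_hop_zone(dst, all_zones=set(all_zones), **ZONE1_SI)


if __name__ == "__main__":
    for dst in ("209.157.24.7", "209.157.25.10", "10.0.0.5"):
        print(dst, "-> zone", classify(dst))
```

The None result is the part worth checking before relying on the "everything else goes to the other zone" behaviour: it only holds when every zone but one has an ACL on the local ServerIron ADX, which is exactly why the three-zone example needs just a single fwall-zone definition per device.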
NOTE
This example shows a numbered ACL instead of a named ACL. You must use numbered ACLs. The FWLB software does not support zone configuration based on named ACLs.
The following commands configure the firewall group parameters. In this case, the commands configure the firewall zones, add zone 2, and add the firewalls.
Zone1-SI(config)# server fw-group 2
Zone1-SI(config-fw-2)# fwall-zone Zone2 2 2
Zone1-SI(config-fw-2)# fw-name FW1
Zone1-SI(config-fw-2)# fw-name FW2
Syntax: [no] fwall-zone <zone-name> <zone-number> <acl-number>
The fwall-zone command configures a firewall zone. To configure a zone, specify the following variables:
The <zone-name> variable specifies an ASCII string that identifies the zone.
The <zone-number> variable specifies the number of the zone being configured. This variable can be specified as an integer from 1 through 10. Refer to Table 3 for the maximum number of zones and paths supported on the ServerIron ADX.
The <acl-number> variable specifies the standard ACL that specifies the IP addresses in the zone.
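As an added example (not Brocade's code), a small Python checker that applies the constraints stated in this section to a saved configuration: zone numbers within 1 through 10 and not reused, zone ACLs numbered rather than named and actually defined, each fw-name in a firewall group backed by a server fw-name definition, and a router port present. The sample inputs are constructed from the Zone1-SI commands above with the prompts removed; the saved-config indentation is an assumption, and the checker understands only the command forms shown on this page.

```python
import ipaddress
import re
from typing import List

# Constructed sample: the Zone1-SI commands on this page without the
# "Zone1-SI(config...)#" prompts, laid out as they might appear in a saved config.
SAMPLE_CONFIG = """\
server router-ports 5
server fw-name FW1 209.157.24.1
server fw-name FW2 209.157.24.254
access-list 2 permit 209.157.25.0 0.0.0.255
server fw-group 2
 fwall-zone Zone2 2 2
 fw-name FW1
 fw-name FW2
"""

# Constructed negative sample: no router port, zone number out of range,
# a named ACL, and a firewall that was never defined.
BAD_CONFIG = """\
server fw-name FW1 209.157.24.1
server fw-group 2
 fwall-zone DMZ 11 dmz
 fw-name FW1
 fw-name FW9
"""

ZONE_MIN, ZONE_MAX = 1, 10   # <zone-number> range given in the fwall-zone syntax


def check_fwlb_config(text: str) -> List[str]:
    """Lint a multizone FWLB configuration. Returns a list of findings;
    an empty list means nothing was flagged."""
    findings = []
    firewalls = {}          # fw-name -> interface address
    numbered_acls = set()   # ACL numbers seen in access-list lines
    router_ports = []
    zones = []              # (zone-name, zone-number, acl) exactly as typed
    group_members = []      # (fw-group, fw-name)
    current_group = None

    # Pass 1: collect definitions and references (order in the file does not matter).
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if (m := re.fullmatch(r"server router-ports (\S+)", line)):
            router_ports.append(m.group(1))
        elif (m := re.fullmatch(r"server fw-name (\S+) (\S+)", line)):
            name, addr = m.groups()
            try:
                ipaddress.IPv4Address(addr)
            except ValueError:
                findings.append(f"fw-name {name}: {addr!r} is not a valid IPv4 address")
            if name in firewalls:
                findings.append(f"fw-name {name} defined twice")
            firewalls[name] = addr
        elif (m := re.fullmatch(r"access-list (\d+) .*", line)):
            numbered_acls.add(int(m.group(1)))
        elif (m := re.fullmatch(r"server fw-group (\S+)", line)):
            current_group = m.group(1)
        elif (m := re.fullmatch(r"fwall-zone (\S+) (\S+) (\S+)", line)):
            zones.append(m.groups())
        elif (m := re.fullmatch(r"fw-name (\S+)", line)):
            group_members.append((current_group, m.group(1)))

    # Pass 2: apply the constraints stated on this page.
    if not router_ports:
        findings.append("no 'server router-ports' configured")
    seen_zone_numbers = set()
    for zone_name, zone_num, acl in zones:
        if not zone_num.isdigit() or not ZONE_MIN <= int(zone_num) <= ZONE_MAX:
            findings.append(f"zone {zone_name}: zone-number {zone_num!r} must be an "
                            f"integer from {ZONE_MIN} through {ZONE_MAX}")
        elif int(zone_num) in seen_zone_numbers:
            findings.append(f"zone {zone_name}: zone-number {zone_num} used more than once")
        else:
            seen_zone_numbers.add(int(zone_num))
        if not acl.isdigit():
            findings.append(f"zone {zone_name}: ACL {acl!r} is named; zones require a numbered ACL")
        elif int(acl) not in numbered_acls:
            findings.append(f"zone {zone_name}: numbered ACL {acl} is not defined")
    for group, name in group_members:
        if group is None:
            findings.append(f"fw-name {name} appears outside any 'server fw-group'")
        elif name not in firewalls:
            findings.append(f"fw-group {group}: firewall {name} has no 'server fw-name' definition")
    return findings


if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_fwlb_config(cfg) or "OK")
```

Running it on the page's own commands yields no findings; the constructed bad configuration produces one finding per violated rule, which is the kind of check worth running before a zone definition is pushed to a device whose ACL misses will be silently routed to "the other zone".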