Brocade_IP_Primer_eBook

Recommendations

Info

Configuring FWLB hash table. If a match exists, it will send the connection to the corresponding firewall. If it does not exist, the ServerIron selects the receiving firewall, and updates the hash table with the new entry. Let's take a look at a more detailed example: MAC: 0001.2345.6701 IP: 123.1.2.1/29 CONSOLE MODEM COMPACT FLASH 1 2 3 4 CONSOLE MODEM COMPACT FLASH 1 2 3 4 TX / RX LINK TX /RX LINK TX /RX LINK TX /RX LINK TX / RX LINK TX /RX LINK TX /RX LINK TX /RX LINK HA Firewall Firewall 10/100 10/100 10/100 10/100 10/100 10/100 10/100 10/100 NetScreen – 204 NetScreen – 204 FW1 FW2 POWER STATUS-1 ALARM HA SESSION FLASH IP: 192.168.1.1/29 MAC: 0001.2345.6702 BI 4XG BI24C T X RX T X RX T X RX T X RX BI 4XG BI24C T X RX T X RX T X RX T X RX BI24C 6 12 18 24 30 36 42 48 BI24C BigIron RX-8 NETWORKS 1 7 13 19 25 31 37 43 BI24C BI24C BI BI24C 4XG T X RX T X RX T X RX T X RX BI BI24C 4XG T X RX T X RX T X RX T X RX AC OK DC OK ALM EJECT SYS AC OK DC OK ALM EJECT SYS AC OK DC OK ALM EJECT SYS AC OK DC OK ALM We've defined FW1 and FW2. We've defined them as members of fw-group 2. Now, we need to define paths. On SI-Outside, we need to define two paths (one through FW1 and one through FW2) to get to SI-Inside. Likewise, on SI-Inside, we need to define two paths (one through FW1 and one through FW2) to get to SI-Outside. Let's configure: SLB-SI-Outside#conf t SLB-SI-Outside(config)#server fw-group 2 SLB-SI-Outside(config-tc-2)#fwall-info 1 3 192.168.1.3 123.1.2.1 SLB-SI-Outside(config-tc-2)#fwall-info 2 7 192.168.1.3 123.1.2.2 The syntax of the “fwall-info” command is: EJECT SYS SI-Outside ServerIron e3 e7 IP: 123.1.2.3/29 e2 IP: 192.168.1.3/29 SI-Inside ServerIron e3 e4 BI 4XG BI24C T X RX T X RX T X RX T X RX BI 4XG BI24C T X RX T X RX T X RX T X RX BI24C 6 12 18 24 30 36 42 48 BI24C BigIron RX-8 NETWORKS 1 7 13 19 25 31 37 43 BI24C BI24C BI BI24C 4XG T X RX T X RX T X RX T X RX BI BI24C 4XG T X RX T X RX T X RX T X RX AC OK DC OK ALM EJECT SYS AC OK DC OK ALM EJECT SYS AC OK DC OK ALM EJECT SYS AC OK DC OK ALM fwall-info The first number is the path number. You will start with one, and move consecutively through (no gaps) the numbers until reaching 32. The next number is the outgoing interface number. In the first path, the interface facing FW1 is e 3. The interface facing FW2 is e 7 (as noted in the second path). The first IP address is the IP address of the opposite ServerIron. Since we're on SI-Outside, we want to reach the IP address of SI-Inside. Finally, we tell it the next hop IP address to get there. In this example, the first path directs SI-Outside through interface e 1 to 123.1.2.1 (FW1). The second path directs SI-Outside through interface e 2 to 123.1.2.2 (FW2). Brocade IP Primer 377 POWER STATUS-1 ALARM SESSION FLASH e5 EJECT SYS MAC: 1234.5678.9A01 IP: 123.1.2.2/29 IP: 192.168.1.2/29 MAC: 1234.5678.9A02
Chapter 17: Firewall Load Balancing (FWLB) Now, let's configure SI-Inside's paths: SLB-SI-Inside#conf t SLB-SI-Inside(config)#server fw-group 2 SLB-SI-Inside(config-tc-2)#fwall-info 1 2 123.1.2.3 192.168.1.1 SLB-SI-Inside(config-tc-2)#fwall-info 2 5 123.1.2.3 192.168.1.2 Configure Static MAC Entries For Each Firewall Server In addition to paths, we need to configure static MAC entries on the ServerIrons for the interfaces on the firewalls. Here's what we would configure on SI-Outside: SLB-SI-Outside#conf t SLB-SI-Outside(config)#static-mac-address 0001.2345.6701 e 3 high-priority router-type SLB-SI-Outside(config)#static-mac-address 1234.5678.9a01 e 7 high-priority router-type Notice that we've tied the MAC address to the interface that is facing it. The first entry is for the outside interface of FW1. It is facing e 3 of SI-Outside. The second entry is for the outside interface of FW2. It is facing e 7 of SI-Outside. We've also added two more keywords. The keyword “high-priority” refers to QoS traffic. Setting this to “high-priority” means that we will use this static MAC entry for all traffic, regardless of the QoS priority (“high-priority” indicates everything from the highest priority queue to the lowest). The “router-type” parameter indicates that we are handing off to a Layer 3 device. The meaning of these two keywords is not as important as remembering that they must always be included. They will always be “high-priority router-type.” FWLB Predictors Just like SLB, FWLB uses predictors to decide which firewall to load balance new connections. Here, the variety is not nearly as large as SLB. You have two choices: • total-least-conn (Total Least Connections). This is the default predictor. Basically, it looks at which firewall is managing the least total connections, and it hands off the incoming connection to it. • per-service-least-conn (Per Service Least Connections). This is similar to total-least-conn, but with this one, it looks for the total number of connections on a specific application. Say, for instance, that a web request was coming in. The ServerIron knows that FW1 is handling 80 HTTP connections, 15 DNS connections, and 5 SMTP connections (100 total). The ServerIron also knows that FW2 is handling 70 HTTP connections, 30 DNS connections, and 20 SMTP connections (120 total). Even though FW2 has more total connections, it has less HTTP connections (70 on FW2 versus 80 on FW1). The incoming HTTP request will be sent to FW2. 378 Brocade IP Primer
Page 1 and 2:
BROCADE IP PRIMER FIRST EDITION Eve
Page 3 and 4:
© 2010 Brocade Communications Syst
Page 5 and 6:
About the Author Jon Fullmer has he
Page 7 and 8:
Contents Chapter 2: TCP/IP ........
Page 9 and 10:
Contents Chapter 7: Link Aggregatio
Page 11 and 12:
Contents Chapter 12: Multi Protocol
Page 13 and 14:
Contents Chapter 16: Session Persis
Page 15 and 16:
Contents xiv Brocade IP Primer
Page 17 and 18:
2 Brocade IP Primer
Page 19 and 20:
Chapter 1: Networking Basics for fa
Page 21 and 22:
Chapter 1: Networking Basics Applic
Page 23 and 24:
Chapter 1: Networking Basics Applic
Page 25 and 26:
Chapter 1: Networking Basics There
Page 27 and 28:
Chapter 1: Networking Basics How’
Page 29 and 30:
Chapter 1: Networking Basics As you
Page 31 and 32:
Chapter 1: Networking Basics MB sou
Page 33 and 34:
Chapter 1: Networking Basics work L
Page 35 and 36:
Chapter 1: Networking Basics Ethern
Page 37 and 38:
Chapter 1: Networking Basics This c
Page 39 and 40:
Chapter 1: Networking Basics T568A
Page 41 and 42:
Chapter 1: Networking Basics The ma
Page 43 and 44:
Chapter 1: Networking Basics Switch
Page 45 and 46:
Chapter 1: Networking Basics Half-d
Page 47 and 48:
Chapter 1: Networking Basics port t
Page 49 and 50:
Chapter 1: Networking Basics — Da
Page 51 and 52:
Chapter 1: Networking Basics Answer
Page 53 and 54:
Chapter 2: TCP/IP Header Length (HL
Page 55 and 56:
Chapter 2: TCP/IP What we're talkin
Page 57 and 58:
Chapter 2: TCP/IP 255.255.255.0. Lo
Page 59 and 60:
Chapter 2: TCP/IP Table 1. Classful
Page 61 and 62:
Chapter 2: TCP/IP the hosts. This g
Page 63 and 64:
Chapter 2: TCP/IP “Why does my PC
Page 65 and 66:
Chapter 2: TCP/IP Hey, I’m10.0.0.
Page 67 and 68:
Chapter 2: TCP/IP CIDR notation can
Page 69 and 70:
Chapter 2: TCP/IP Table 4. Well-Kno
Page 71 and 72:
Chapter 2: TCP/IP Transmission Cont
Page 73 and 74:
Chapter 2: TCP/IP In summary, the 3
Page 75 and 76:
Chapter 2: TCP/IP UDP adds a Transp
Page 77 and 78:
Chapter 2: TCP/IP Now, what if you
Page 79 and 80:
Chapter 2: TCP/IP Port Address Tran
Page 81 and 82:
Chapter 2: TCP/IP pay attention to
Page 83 and 84:
Chapter 2: TCP/IP Wireshark used to
Page 85 and 86:
Chapter 2: TCP/IP • UDP is connec
Page 87 and 88:
Chapter 2: TCP/IP 9. I have an IP a
Page 89 and 90:
Chapter 2: TCP/IP 74 Brocade IP Pri
Page 91 and 92:
Chapter 3: Data Center Bridging (DC
Page 93 and 94:
Page 95 and 96:
Page 97 and 98:
Page 99 and 100:
Page 101 and 102:
Page 103 and 104:
Page 105 and 106:
Chapter 4: TRILL—Adding Multi-Pat
Page 107 and 108:
Page 109 and 110:
Page 111 and 112:
Page 113 and 114:
Chapter 5: Load Balancing Basics Mo
Page 115 and 116:
Chapter 5: Load Balancing Basics HT
Page 117 and 118:
Chapter 5: Load Balancing Basics de
Page 119 and 120:
Chapter 5: Load Balancing Basics A
Page 121 and 122:
Chapter 5: Load Balancing Basics If
Page 123 and 124:
Chapter 5: Load Balancing Basics No
Page 125 and 126:
Chapter 5: Load Balancing Basics se
Page 127 and 128:
Chapter 5: Load Balancing Basics 2.
Page 129 and 130:
Chapter 5: Load Balancing Basics Wh
Page 131 and 132:
Chapter 5: Load Balancing Basics 11
Page 133 and 134:
118 Brocade IP Primer
Page 135 and 136:
Chapter 6: The Brocade CLI availabl
Page 137 and 138:
Chapter 6: The Brocade CLI This nee
Page 139 and 140:
Chapter 6: The Brocade CLI Configur
Page 141 and 142:
Chapter 6: The Brocade CLI This is
Page 143 and 144:
Chapter 6: The Brocade CLI This swi
Page 145 and 146:
Chapter 6: The Brocade CLI boot pro
Page 147 and 148:
Chapter 6: The Brocade CLI • show
Page 149 and 150:
Chapter 6: The Brocade CLI • clea
Page 151 and 152:
Chapter 6: The Brocade CLI You can
Page 153 and 154:
Chapter 6: The Brocade CLI You don'
Page 155 and 156:
Chapter 6: The Brocade CLI Here are
Page 157 and 158:
Chapter 6: The Brocade CLI You acce
Page 159 and 160:
Chapter 6: The Brocade CLI 3. Tempo
Page 161 and 162:
Chapter 6: The Brocade CLI We menti
Page 163 and 164:
Chapter 6: The Brocade CLI nity str
Page 165 and 166:
Chapter 6: The Brocade CLI The Alar
Page 167 and 168:
Chapter 6: The Brocade CLI Restrict
Page 169 and 170:
Chapter 6: The Brocade CLI — Inte
Page 171 and 172:
Chapter 6: The Brocade CLI 7. Which
Page 173 and 174:
Chapter 6: The Brocade CLI 158 Broc
Page 175 and 176:
Chapter 7: Link Aggregation (Trunks
Page 177 and 178:
Page 179 and 180:
Page 181 and 182:
Page 183 and 184:
Page 185 and 186:
Chapter 8: Virtual Local Area Netwo
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
Page 193 and 194:
Page 195 and 196:
Page 197 and 198:
Page 199 and 200:
Page 201 and 202:
Page 203 and 204:
Page 205 and 206:
Page 207 and 208:
Page 209 and 210:
Chapter 9: Spanning Tree Protocol I
Page 211 and 212:
Chapter 9: Spanning Tree Protocol T
Page 213 and 214:
Chapter 9: Spanning Tree Protocol S
Page 215 and 216:
Chapter 9: Spanning Tree Protocol s
Page 217 and 218:
Page 219 and 220:
Page 221 and 222:
Chapter 9: Spanning Tree Protocol C
Page 223 and 224:
Chapter 9: Spanning Tree Protocol W
Page 225 and 226:
Chapter 9: Spanning Tree Protocol S
Page 227 and 228:
Chapter 9: Spanning Tree Protocol W
Page 229 and 230:
Chapter 9: Spanning Tree Protocol
Page 231 and 232:
Chapter 9: Spanning Tree Protocol 9
Page 233 and 234:
Page 235 and 236:
Chapter 10: Routing Basics Let's st
Page 237 and 238:
Chapter 10: Routing Basics In the p
Page 239 and 240:
Chapter 10: Routing Basics It stopp
Page 241 and 242:
Chapter 10: Routing Basics Console
Page 243 and 244:
Chapter 10: Routing Basics Through
Page 245 and 246:
Chapter 10: Routing Basics Administ
Page 247 and 248:
Chapter 10: Routing Basics 15. A ho
Page 249 and 250:
Chapter 10: Routing Basics 10.3.3.0
Page 251 and 252:
Chapter 10: Routing Basics • For
Page 253 and 254:
Chapter 10: Routing Basics 8. What
Page 255 and 256:
Chapter 11: Open Shortest Path Firs
Page 257 and 258:
Page 259 and 260:
Page 261 and 262:
Page 263 and 264:
Page 265 and 266:
Page 267 and 268:
Page 269 and 270:
Page 271 and 272:
Page 273 and 274:
Page 275 and 276:
Page 277 and 278:
Chapter 12: Multi Protocol Label Sw
Page 279 and 280:
Page 281 and 282:
Page 283 and 284:
Page 285 and 286:
Page 287 and 288:
Chapter 13: Border Gateway Protocol
Page 289 and 290:
Page 291 and 292:
Page 293 and 294:
Page 295 and 296:
Page 297 and 298:
Page 299 and 300:
Page 301 and 302:
Page 303 and 304:
Page 305 and 306:
Chapter 14: Security, Redundancy an
Page 307 and 308:
Page 309 and 310:
Page 311 and 312:
Page 313 and 314:
Page 315 and 316:
Page 317 and 318:
Page 319 and 320:
Page 321 and 322:
Page 323 and 324:
Page 325 and 326:
Page 327 and 328:
Page 329 and 330:
Page 331 and 332:
Page 333 and 334:
Page 335 and 336:
Page 337 and 338:
Page 339 and 340:
Page 341 and 342: Chapter 15: Server Load Balancing (
Page 371 and 372: Chapter 16: Session Persistence and
Page 389 and 390: Chapter 17: Firewall Load Balancing
Page 391: Chapter 17: Firewall Load Balancing
Page 403 and 404: Chapter 18: Global Server Load Bala
Page 421 and 422: Glossary Administrative distance Wh
Page 423 and 424: Glossary Broadcast domain This defi
Page 425 and 426: Glossary EGP Exterior Gateway Proto
Page 427 and 428: Glossary Hop This describes a trans
Page 429 and 430: Glossary MAC Media Access Control.
Page 431 and 432: Glossary Ping A common name for ICM
Page 433 and 434: Glossary Source NAT This is a metho
Page 435 and 436: Glossary Totally Stubby Area This i
Page 437 and 438: Glossary Window This describes how
show all

Brocade_IP_Primer_eBook

Create successful ePaper yourself

Delete template?

Save as template?