Configure the routers, Configure the firewalls – Nortel Networks WEB OS 212777 User Manual

Web OS 10.0 Application Guide

Chapter 13: Firewall Load Balancing

212777-A, February 2002

Configure the Routers

The routers must be configured with a static route to the destination services being accessed by
the external clients.

In this example, the external clients intend to connect to services at a publicly advertised IP
address on this network. Since the real servers are load balanced behind a virtual server on the
clean-side Web switch using normal SLB settings, the routers require a static route to the
virtual server IP address. The next hop for this static route is the Web switch Virtual Interface
Router (VIR), which is in the same subnet as the routers:

Route Added: 10.10.4.100 (to clean-side virtual server) via 195.1.1.9 (Subnet 1 VIR)

Configure the Firewalls

Before you configure the Web switches, the firewalls must be properly configured. For incoming
traffic, each firewall must be configured with a static route to the clean-side virtual server,
using the VIR in its clean-side subnet as the next hop. For outbound traffic, each firewall must
use the VIR in its dirty-side subnet as the default gateway.

In this example, the firewalls are configured with the following IP addresses:

Table 2 Four-Subnet Firewall IP Address Configuration

Item                         Address
---------------------------  ---------------------------------------------------------
Firewall 1
  Dirty-side IP interface    10.10.2.3
  Clean-side IP interface    10.10.3.3
  Default Gateway            10.10.2.9 (Subnet 2 VIR)
  Route Added                10.10.4.100 (virtual server) via 10.10.3.9 (Subnet 3 VIR)
Firewall 2
  Dirty-side IP interface    10.10.2.4
  Clean-side IP interface    10.10.3.4
  Default Gateway            10.10.2.9 (dirty-side VIR)
  Route Added                10.10.4.100 (virtual server) via 10.10.3.9 (Subnet 3 VIR)

The firewalls must also be configured with rules that determine which types of traffic will be
forwarded through the firewall and which will be dropped. All firewalls participating in FWLB
must be configured with the same set of rules.

NOTE: It is important to test the behavior of the firewalls prior to adding FWLB.
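The routing and rule-parity requirements for the firewalls can be checked mechanically before FWLB is enabled. The Python script below is an added example, not part of the Nortel guide: the addresses come from Table 2, while the /24 prefix lengths, the rule strings, and the first-match evaluation order are assumptions made for illustration.

```python
import hashlib
from ipaddress import ip_address, ip_interface

VIP = "10.10.4.100"  # clean-side virtual server (Table 2)

# Addresses are from Table 2. The /24 prefix lengths and the rule strings are
# assumptions constructed for this example; the page gives neither.
RULES = ["permit tcp any host 10.10.4.100 eq 80", "deny ip any any"]
FIREWALLS = {
    "Firewall 1": {"dirty_if": "10.10.2.3/24", "clean_if": "10.10.3.3/24",
                   "default_gw": "10.10.2.9",
                   "routes": {VIP: "10.10.3.9"}, "rules": list(RULES)},
    "Firewall 2": {"dirty_if": "10.10.2.4/24", "clean_if": "10.10.3.4/24",
                   "default_gw": "10.10.2.9",
                   "routes": {VIP: "10.10.3.9"}, "rules": list(RULES)},
}

def rule_digest(rules):
    """Digest of the rule list. Order is kept because the firewalls are assumed
    to evaluate rules first-match, so a reordered list is a different policy."""
    text = "\n".join(" ".join(r.lower().split()) for r in rules)
    return hashlib.sha256(text.encode()).hexdigest()

def check_fwlb(firewalls, vip=VIP):
    """Return a list of findings; an empty list means every check passed."""
    findings, by_digest = [], {}
    for name, fw in firewalls.items():
        dirty = ip_interface(fw["dirty_if"]).network
        clean = ip_interface(fw["clean_if"]).network
        # Outbound: the default gateway must lie in the dirty-side subnet.
        if ip_address(fw["default_gw"]) not in dirty:
            findings.append(f"{name}: default gateway {fw['default_gw']} "
                            f"not in dirty-side subnet {dirty}")
        # Inbound: static route to the virtual server via the clean-side subnet.
        hop = fw["routes"].get(vip)
        if hop is None:
            findings.append(f"{name}: no static route to virtual server {vip}")
        elif ip_address(hop) not in clean:
            findings.append(f"{name}: next hop {hop} not in clean-side subnet {clean}")
        by_digest.setdefault(rule_digest(fw["rules"]), []).append(name)
    # Every firewall in the FWLB group must carry the same rule set.
    if len(by_digest) > 1:
        groups = " vs ".join(", ".join(names) for names in by_digest.values())
        findings.append(f"rule sets differ: {groups}")
    return findings

if __name__ == "__main__":
    for line in check_fwlb(FIREWALLS) or ["all FWLB routing and rule-parity checks passed"]:
        print(line)
```

The check confirms subnet membership only; whether the gateway and next-hop addresses are actually the Web switch VIRs still has to be verified against the switch configuration.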