Nortel Networks WEB OS 212777 User Manual

Page 350

Web OS 10.0 Application Guide

Chapter 13: Firewall Load Balancing

212777-A, February 2002

You could add the filters required for the DMZ (to each Web switch) as follows:

1. On the dirty-side Web switch, create the filter to allow HTTP traffic to reach the DMZ Web servers.

   In this example, the DMZ Web servers use IP addresses 205.178.29.0/24.

2. Create another filter to deny all other traffic to the DMZ Web servers.

   NOTE: The deny filter has a higher filter number than the allow filter. This is necessary so that the allow filter has the higher order of precedence.

3. Add the filters to the traffic ingress ports.

4. Apply and save the configuration changes.

>> # /cfg/slb/filt 80                  (Select filter 80)
>> Filter 80# sip any                  (From any source IP address)
>> Filter 80# dip 205.178.29.0         (To the DMZ base destination)
>> Filter 80# dmask 255.255.255.0      (For the range of DMZ addresses)
>> Filter 80# proto tcp                (For TCP protocol traffic)
>> Filter 80# sport any                (From any source port)
>> Filter 80# dport http               (To an HTTP destination port)
>> Filter 80# action allow             (Allow the traffic)
>> Filter 80# ena                      (Enable the filter)
>> Filter 80# ../filt 89               (Select filter 89)
>> Filter 89# sip any                  (From any source IP address)
>> Filter 89# dip 205.178.29.0         (To the DMZ base destination)
>> Filter 89# dmask 255.255.255.0      (For the range of DMZ addresses)
>> Filter 89# proto any                (For traffic of any protocol)
>> Filter 89# action deny              (Deny the traffic)
>> Filter 89# ena                      (Enable the filter)
>> Filter 89# ../port 1                (Select the ingress port)
>> SLB Port 1# add 80                  (Add the allow filter)
>> SLB Port 1# add 89                  (Add the deny filter)
>> SLB Port 1# apply                   (Apply the configuration changes)
>> SLB Port 1# save                    (Save the configuration changes)
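The note on filter numbering above is the part of this procedure that is easiest to get wrong. The following is an added Python model (not part of the guide and not Web OS code) of the two DMZ filters from the example, assuming that filters are evaluated in ascending filter number and the first match decides; it shows that the allow filter 80 must sit below the deny filter 89, and that swapping the numbers silently shadows the allow.

```python
import ipaddress
from dataclasses import dataclass

# Named ports the example uses; "http" is the only one on this page.
PORT_NAMES = {"http": 80}


@dataclass
class Filter:
    """One /cfg/slb/filt entry reduced to the fields this example sets."""
    num: int       # filter number; lower number = higher precedence (assumption)
    dip: str       # destination base address
    dmask: str     # destination mask
    proto: str     # "tcp", "udp" or "any"
    dport: str     # "http", a numeric string, or "any"
    action: str    # "allow" or "deny"


def _matches(f: Filter, dst_ip: str, proto: str, dport: int) -> bool:
    """Return True if a packet to dst_ip/proto/dport hits filter f."""
    net = ipaddress.ip_network(f"{f.dip}/{f.dmask}", strict=False)
    if ipaddress.ip_address(dst_ip) not in net:
        return False
    if f.proto != "any" and f.proto != proto:
        return False
    if f.dport != "any" and int(PORT_NAMES.get(f.dport, f.dport)) != dport:
        return False
    return True


def evaluate(filters: list, dst_ip: str, proto: str, dport: int) -> str:
    """First matching filter in ascending number order decides (assumed semantics)."""
    for f in sorted(filters, key=lambda f: f.num):
        if _matches(f, dst_ip, proto, dport):
            return f.action
    return "nomatch"   # no DMZ filter applies; other switch filters would decide


# Filters exactly as configured on the dirty-side switch in the example.
DMZ_FILTERS = [
    Filter(80, "205.178.29.0", "255.255.255.0", "tcp", "http", "allow"),
    Filter(89, "205.178.29.0", "255.255.255.0", "any", "any", "deny"),
]

# Constructed misconfiguration: deny given the lower number, shadowing the allow.
SHADOWED_FILTERS = [
    Filter(79, "205.178.29.0", "255.255.255.0", "any", "any", "deny"),
    Filter(80, "205.178.29.0", "255.255.255.0", "tcp", "http", "allow"),
]
```

With the page's numbering, HTTP to 205.178.29.10 is allowed and HTTPS or UDP to the same host is denied; with the shadowed numbering, even HTTP is denied, which is the failure the NOTE warns about.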