Table Of Contents - Brocade Communications Systems 5600 vRouter Configuration Manual


Contents
Preface
Document conventions
Text formatting conventions
Command syntax conventions
Notes, cautions, and warnings
Brocade resources
Contacting Brocade Technical Support
Brocade customers
Brocade OEM customers
Document feedback
About This Guide
Firewall Overview
Brocade firewall functionality
Firewall and fragmented packets
Defining firewall instances
Firewall rules
Implicit Action
Exclusion rules
Stateful firewall and connection tracking
TCP strict tracking
Applying firewall instances to interfaces
Interaction between firewall, NAT, and routing
Traffic flow through firewall, NAT, and routing
Zone-based firewall
Control plane policing
Configuration Examples
Packet-filtering
Filtering on source IP address
Filtering on source and destination IP addresses
Filtering on source IP address and destination protocol
Defining a network-to-network filter
Filtering on source MAC address
Excluding an address
Matching TCP flags
Matching ICMP type names
Matching groups
Stateful behavior
Configuring stateful behavior per rule set
Configuring global state policies
Zone-based firewall
Filtering traffic between zones
Filtering traffic between the transit zones
Using firewall with VRRP interfaces
Applying a rule set to a VRRP interface
Using VRRP with a zone-based firewall
Brocade 5600 vRouter Firewall Configuration Guide
53-1004253-01