Using Firewall With Vrrp Interfaces - Brocade Communications Systems 5600 vRouter Configuration Manual


TABLE 13 Creating the zone policies (continued)

Step: Show the configuration.
Command:
vyatta@R1# show security zone-policy
zone dmz {
    description "DMZ ZONE"
    interface dp0p1p3
}
zone private {
    description "PRIVATE ZONE"
    interface dp0p1p1
    interface dp0p1p2
}
zone public {
    description "PUBLIC ZONE"
    interface dp0p1p4
}

At this point, traffic flows freely within a zone, but no traffic flows between zones: all traffic from one zone to another is dropped. For example, because the dp0p1p1 and dp0p1p2 interfaces lie in the same zone (private), traffic between these interfaces flows freely. However, traffic from dp0p1p2 to dp0p1p3 (which lies in the DMZ) is dropped.

The next step, shown in the following example, is to create firewall rule sets that allow traffic between zones. The first rule set allows all traffic to the public zone. To configure this rule set, perform the following steps in configuration mode.

TABLE 14 Creating the rule set for traffic to the public zone

Step: Create the configuration node for the to_public rule set and give a description for the rule set.
Command:
vyatta@R1# set security firewall name to_public description "allow all traffic to PUBLIC zone"

Step: Create a rule to accept all traffic sent to the public zone.
Command:
vyatta@R1# set security firewall name to_public rule 1 action accept

Step: Commit the configuration.
Command:
vyatta@R1# commit

Step: Show the firewall configuration.
Command:
vyatta@R1# show security firewall name to_public
description "allow all traffic to PUBLIC zone"
rule 1 {
    action accept
}

Using firewall with VRRP interfaces

A Virtual Router Redundancy Protocol (VRRP) interface is a logical abstraction that allows the system to implement RFC 3768-compliant MAC address behavior. VRRP can be configured with or without VRRP interfaces. To achieve the expected results when filtering traffic, it is important to understand how traffic flows on systems that use VRRP.

If no VRRP interface is defined, traffic flows in and out through a physical interface or virtual interface.

If a VRRP interface is defined, traffic flows in through the VRRP interface and out through the physical interface or virtual interface.

This traffic flow affects how you design and attach firewall rule sets: a rule set filtering the in direction must be attached where the traffic enters (the VRRP interface, when one exists), while a rule set filtering the out direction belongs on the physical or virtual interface the traffic leaves through.
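The following Python script is an added example, not part of the Brocade guide, that models the zone-policy semantics shown in Tables 13 and 14 and the VRRP attach-point rule from the section above. It parses the `show security zone-policy` output as it appears on this page (embedded here as constructed sample text), decides whether traffic between two interfaces is accepted or dropped (intra-zone traffic flows freely, inter-zone traffic is dropped unless a rule set attached from the source zone to the destination zone accepts it), and returns where an `in` or `out` rule set must be attached when a VRRP interface is present. The attachment of `to_public` from the private zone to the public zone, the `dp0p1p1v1` VRRP interface name, and the first-matching-rule evaluation are assumptions made for the illustration; the guide's later steps, not this script, define the real attachment commands.

```python
"""Added example (not Brocade's code): model 5600 vRouter zone-policy decisions
and the VRRP firewall attach-point rule described in the guide text above."""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the `show security zone-policy` output from Table 13.
ZONE_POLICY_OUTPUT = """\
zone dmz {
    description "DMZ ZONE"
    interface dp0p1p3
}
zone private {
    description "PRIVATE ZONE"
    interface dp0p1p1
    interface dp0p1p2
}
zone public {
    description "PUBLIC ZONE"
    interface dp0p1p4
}
"""

# A rule set is a list of (rule number, action). The rules on this page carry
# no match criteria, so every rule matches all traffic; the lowest-numbered
# rule therefore decides (assumed first-match semantics).
RuleSet = List[Tuple[int, str]]
TO_PUBLIC: RuleSet = [(1, "accept")]  # Table 14: rule 1 action accept


def parse_zone_policy(text: str) -> Dict[str, List[str]]:
    """Map zone name -> member interfaces from `show security zone-policy` output."""
    zones: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        zone_match = re.match(r"zone (\S+) \{$", line)
        if zone_match:
            current = zone_match.group(1)
            zones[current] = []
            continue
        iface_match = re.match(r"interface (\S+)$", line)
        if iface_match and current is not None:
            zones[current].append(iface_match.group(1))
        elif line == "}":
            current = None
    return zones


def zone_of(zones: Dict[str, List[str]], iface: str) -> Optional[str]:
    """Return the zone an interface belongs to, or None if it is in no zone."""
    for name, members in zones.items():
        if iface in members:
            return name
    return None


def evaluate(zones: Dict[str, List[str]],
             attachments: Dict[Tuple[str, str], RuleSet],
             src_iface: str, dst_iface: str) -> str:
    """Decide 'accept' or 'drop' for traffic entering src_iface and leaving dst_iface.

    attachments maps (from_zone, to_zone) -> the rule set attached between them.
    """
    src, dst = zone_of(zones, src_iface), zone_of(zones, dst_iface)
    if src is None or dst is None:
        # Assumption for this model: traffic involving an un-zoned interface is dropped.
        return "drop"
    if src == dst:
        return "accept"  # traffic within a zone flows freely
    rules = attachments.get((src, dst))
    if not rules:
        return "drop"  # no rule set from src zone to dst zone: default drop
    for _, action in sorted(rules):
        if action in ("accept", "drop"):
            return action  # first matching rule decides
    return "drop"  # implicit default deny at the end of a rule set


def firewall_attach_points(physical: str, vrrp_iface: Optional[str]) -> Dict[str, str]:
    """Where `in` and `out` rule sets must be attached for one interface.

    With a VRRP interface defined, traffic enters through the VRRP interface and
    leaves through the physical interface; without one, both directions use the
    physical interface.
    """
    return {"in": vrrp_iface or physical, "out": physical}


if __name__ == "__main__":
    zones = parse_zone_policy(ZONE_POLICY_OUTPUT)
    none_attached: Dict[Tuple[str, str], RuleSet] = {}
    print("dp0p1p1 -> dp0p1p2 (same zone):", evaluate(zones, none_attached, "dp0p1p1", "dp0p1p2"))
    print("dp0p1p2 -> dp0p1p3 (private -> dmz):", evaluate(zones, none_attached, "dp0p1p2", "dp0p1p3"))
    # Assumed attachment of to_public from the private zone to the public zone.
    with_to_public = {("private", "public"): TO_PUBLIC}
    print("dp0p1p2 -> dp0p1p4 (private -> public):", evaluate(zones, with_to_public, "dp0p1p2", "dp0p1p4"))
    print("dp0p1p4 -> dp0p1p2 (public -> private):", evaluate(zones, with_to_public, "dp0p1p4", "dp0p1p2"))
    print("attach points, VRRP interface dp0p1p1v1 (constructed name):",
          firewall_attach_points("dp0p1p1", "dp0p1p1v1"))
```

Running the script reproduces the outcomes the guide describes: the two private-zone interfaces exchange traffic, private-to-DMZ traffic is dropped, and only after a rule set is attached from private to public does traffic reach dp0p1p4, while the reverse direction stays dropped because nothing is attached from public to private. The attach-point helper makes the VRRP point concrete: an `in` rule set placed on the physical interface never sees traffic that enters via the VRRP interface.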
Brocade 5600 vRouter Firewall Configuration Guide
Configuration Examples
53-1004253-01
