Traffic segmentation, Vlan bridging – Brocade Communications Systems ServerIron ADX 12.4.00a User Manual


36

ServerIron ADX Security Guide

53-1002440-03

Traffic segmentation

1

NOTE

VIP protection works for IPv4 VIPs alone and cannot be enabled for IPv6 VIPs.

You can enable this feature globally by entering the following command.

ServerIronADX(config)# server vip-protection

Syntax: [no] server vip-protection

Once enabled, the VIP protection applies to all existing and new VIP configurations.

If you want to enable the feature on individual VIPs, enter the following command.

ServerIronADX(config)# server virtual-name-or-ip v1

ServerIronADX(config-vs-v1)# vip-protection

NOTE

A reload is required for VIP protection to take effect when enabled on a global level using the server
vip-protection command.

Syntax: [no] vip-protection

VIP protection adds a CAM entry for each defined virtual port associated with each VIP. An
additional CAM entry is added for ICMP traffic destined to each VIP. A final entry to drop traffic is
also added in the CAM for each VIP, which ensures that traffic destined to any destination port
other than the virtual ports is dropped in hardware.

NOTES:

VIP protection does not support complex protocols such as FTP, TFTP, MMS, RTSP, and SIP, which
establish data connections based on information exchanged on the control channel.

VIP protection cannot be enabled on a VIP that is part of a dynamic NAT address pool.

VIP protection cannot be used along with features that require binding of the virtual default port to
the real server default port.
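To make the hardware behaviour described above concrete, here is an added Python model (not Brocade code) of the first-match CAM entries that VIP protection installs. The VIP addresses and ports are constructed sample values; the FTP VIP shows why the complex-protocol note applies, since a passive data connection arrives on a port that has no virtual-port entry.

```python
"""Model of the per-VIP CAM entries installed by VIP protection (added illustration,
not Brocade code). Entries are matched first-hit, like a TCAM: one permit per defined
virtual port, one permit for ICMP to the VIP, then a drop for anything else to the VIP."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ICMP, TCP, UDP = 1, 6, 17


@dataclass(frozen=True)
class CamEntry:
    vip: str
    proto: Optional[int]   # None = any protocol
    dport: Optional[int]   # None = any destination port
    action: str            # "permit" or "drop"

    def matches(self, dst: str, proto: int, dport: int) -> bool:
        return (dst == self.vip
                and (self.proto is None or self.proto == proto)
                and (self.dport is None or self.dport == dport))


def build_cam(vips: Dict[str, List[Tuple[int, int]]]) -> List[CamEntry]:
    """vips maps a VIP address to its list of (protocol, port) virtual ports."""
    cam: List[CamEntry] = []
    for vip, vports in vips.items():
        for proto, port in vports:                         # one entry per virtual port
            cam.append(CamEntry(vip, proto, port, "permit"))
        cam.append(CamEntry(vip, ICMP, None, "permit"))    # ICMP to the VIP itself
        cam.append(CamEntry(vip, None, None, "drop"))      # everything else to the VIP
    return cam


def lookup(cam: List[CamEntry], dst: str, proto: int, dport: int = 0) -> str:
    """Return the action of the first matching entry; traffic to a non-VIP
    address hits no entry and is left to normal forwarding."""
    for entry in cam:
        if entry.matches(dst, proto, dport):
            return entry.action
    return "no-match"


# Constructed sample configuration: a web VIP and an FTP VIP (control port only).
SAMPLE_VIPS = {
    "10.0.0.10": [(TCP, 80), (TCP, 443)],
    "10.0.0.21": [(TCP, 21)],
}
CAM = build_cam(SAMPLE_VIPS)

if __name__ == "__main__":
    for dst, proto, port in [("10.0.0.10", TCP, 80), ("10.0.0.10", TCP, 22),
                             ("10.0.0.10", ICMP, 0), ("10.0.0.21", TCP, 50000)]:
        print(dst, proto, port, "->", lookup(CAM, dst, proto, port))
```

The last lookup is a passive-mode FTP data connection to the FTP VIP: the control channel on port 21 is permitted, but the negotiated data port has no CAM entry and falls through to the drop.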

Traffic segmentation

The traffic segmentation feature allows you to create segmentation among multiple L4-7 SLB
domains of a single ServerIron ADX. The purpose of this feature is to ensure that traffic from one
SLB domain to another SLB domain goes through the upstream firewall and does not get switched
locally. This can be accomplished using either of the following methods:

VLAN bridging

Using the server use-session-for-vip-mac command

These features help meet some of the security requirements for PCI compliance.

VLAN bridging

The VLAN bridging feature allows you to bridge together two VLANs so that packets will be layer-2
switched from one VLAN to the other. When two VLANs are bridged together, all packets received
on one VLAN are translated to the other VLAN and switched.
