Brocade Communications Systems 12.4.00a Home Theater Server User Manual

ServerIron ADX Security Guide, 53-1002440-03, page 36
Chapter 1: Traffic segmentation
NOTE
VIP protection works for IPv4 VIPs alone and cannot be enabled for IPv6 VIPs.
You can enable this feature globally by entering the following command.
ServerIronADX(config)# server vip-protection
Syntax: [no] server vip-protection
Once enabled, VIP protection applies to all existing and new VIP configurations.
If you want to enable the feature on individual VIPs instead, enter the following commands.
ServerIronADX(config)# server virtual-name-or-ip v1
ServerIronADX(config-vs-v1)# vip-protection
NOTE
A reload is required for VIP protection to take effect when enabled on a global level using the server
vip-protection command.
Syntax: [no] vip-protection
VIP protection adds a CAM entry for each defined virtual port associated with each VIP. An
additional CAM entry is added for ICMP traffic destined to each VIP. A drop entry is also added
to the CAM for each VIP, which ensures that traffic destined to any destination port other than
the defined virtual ports is dropped in hardware.
NOTES:
VIP protection does not support complex protocols such as FTP, TFTP, MMS, RTSP, and SIP, which
establish data connections based on information exchanged on the control channel.
VIP protection cannot be enabled on a VIP that is part of a dynamic NAT address pool.
VIP protection cannot be used along with features that require binding the virtual default port to
the real server default port.
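The following Python model illustrates the CAM layout described above and the FTP caveat in the notes. It is an added example, not Brocade code: the entry layout (one permit entry per virtual port, one permit entry for ICMP, one catch-all drop per VIP) follows the guide's description, while the field names, the sample VIP configuration, the sample packets and the RFC 5737 documentation addresses are constructed for this illustration.

```python
"""Model of the CAM entries VIP protection installs per VIP (added example, not Brocade code).

The entry layout follows the guide: one permit entry per defined virtual port,
one permit entry for ICMP to the VIP, and a catch-all drop entry per VIP.
Field names, the sample VIP configuration and the sample packets below are
constructed for this illustration; the addresses are RFC 5737 documentation space.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

ICMP, TCP, UDP = "icmp", "tcp", "udp"


@dataclass(frozen=True)
class CamEntry:
    vip: str
    proto: Optional[str]  # None matches any protocol
    port: Optional[int]   # None matches any destination port
    action: str           # "permit" or "drop"


def build_cam(vip_config: Dict[str, List[Tuple[str, int]]]) -> List[CamEntry]:
    """Derive CAM entries from a {vip: [(proto, virtual_port), ...]} map."""
    cam: List[CamEntry] = []
    for vip, vports in vip_config.items():
        # One entry for each defined virtual port of this VIP
        for proto, port in vports:
            cam.append(CamEntry(vip, proto, port, "permit"))
        # Additional entry for ICMP destined to the VIP
        cam.append(CamEntry(vip, ICMP, None, "permit"))
        # Drop entry: any other destination port on this VIP is dropped in hardware
        cam.append(CamEntry(vip, None, None, "drop"))
    return cam


def lookup(cam: List[CamEntry], dst_ip: str, proto: str, dst_port: Optional[int] = None) -> str:
    """First-match lookup; each VIP's drop entry is ordered after its permit entries.

    Returns "permit", "drop", or "no-vip-entry" when the destination is not a
    protected VIP (such traffic is outside this model).
    """
    for e in cam:
        if e.vip != dst_ip:
            continue
        if e.proto is not None and e.proto != proto:
            continue
        if e.port is not None and e.port != dst_port:
            continue
        return e.action
    return "no-vip-entry"


# Constructed sample: a web VIP with two virtual ports and an FTP VIP with only the
# control port defined (VIP protection does not track FTP's negotiated data ports).
SAMPLE_VIP_CONFIG = {
    "192.0.2.10": [(TCP, 80), (TCP, 443)],
    "192.0.2.20": [(TCP, 21)],
}
SAMPLE_CAM = build_cam(SAMPLE_VIP_CONFIG)

# Constructed sample packets: (description, dst_ip, proto, dst_port)
SAMPLE_PACKETS = [
    ("HTTPS to web VIP", "192.0.2.10", TCP, 443),
    ("ping to web VIP", "192.0.2.10", ICMP, None),
    ("connection to port 22 on web VIP", "192.0.2.10", TCP, 22),
    ("FTP control connection", "192.0.2.20", TCP, 21),
    ("FTP passive data connection", "192.0.2.20", TCP, 50000),
    ("HTTP to a non-VIP address", "192.0.2.99", TCP, 80),
]


def classify_samples() -> Dict[str, str]:
    """Return the action for each sample packet, keyed by description."""
    return {desc: lookup(SAMPLE_CAM, ip, proto, port) for desc, ip, proto, port in SAMPLE_PACKETS}


if __name__ == "__main__":
    for entry in SAMPLE_CAM:
        print(entry)
    for desc, action in classify_samples().items():
        print(f"{desc:35s} -> {action}")
```

Running the script prints the seven derived entries and shows why the FTP note matters: the control connection on port 21 is permitted, but the passive data connection to a port negotiated over that channel hits the VIP's drop entry, because VIP protection only permits the virtual ports that are explicitly defined.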
Traffic segmentation
The traffic segmentation feature allows you to create segmentation among multiple L4-7 SLB
domains on a single ServerIron ADX. The purpose of this feature is to ensure that traffic from one
SLB domain to another SLB domain goes through the upstream firewall and is not switched
locally. This can be accomplished using either of the following methods:
VLAN bridging
Using the server use-session-for-vip-mac
These features help meet some of the security requirements for PCI compliance.
VLAN bridging
The VLAN bridging feature allows you to bridge together two VLANs so that packets will be layer-2
switched from one VLAN to the other. When two VLANs are bridged together, all packets received
on one VLAN are translated to the other VLAN and switched.