Technical data

Firewall Load Balancing Guide
7 - 12 © 2012 Brocade Communications Systems, Inc. May 31, 2012
This command changes the CLI to firewall group configuration level. The firewall group number is 2. Only one
firewall group is supported.
Syntax: [no] fw-name <string>
Adds a configured firewall to the firewall group.
Configuring Paths and Adding Static MAC Entries for Layer 3 Firewalls
A path is configuration information the ServerIron uses to ensure that a given source and destination IP pair is
always authenticated by the same Layer 3 firewall.
Each path consists of the following parameters:
• The path ID – A number that identifies the path. In basic FWLB configurations, the paths go from one
  ServerIron to the other through the firewalls. The paths go from one ServerIron to the ServerIrons in the other
  active-standby pair through the firewalls. A path also goes to the router.
• The ServerIron port – The number of the port that connects the ServerIron to the firewall.
• The other ServerIron’s or Layer 2 switch’s IP address – The management address of the ServerIron or
  Layer 2 switch on the other side of the firewall. The ServerIron on the private network side and the other
  ServerIron or Layer 2 switch are the end points of the data path through the firewall.
• The next-hop IP address – The IP address of the firewall interface connected to this ServerIron.
For each type of firewall (Layer 3 synchronous and asynchronous, with or without NAT), you must configure paths
between the ServerIrons through the firewalls.
In addition to configuring the paths, you need to create a static MAC entry for each firewall interface attached to
the ServerIron.
NOTE: FWLB paths must be fully meshed. When you configure a FWLB path on a ServerIron, make sure you
also configure a reciprocal path on the ServerIron attached to the other end of the firewalls. For example, if you
configure four paths to four separate firewalls, make sure you configure four paths on the other ServerIron.
NOTE: The static MAC entries are required. You must add a static MAC entry for each firewall interface with the
ServerIron.
To configure a path and add static MAC entries, use one of the following methods.
USING THE CLI
To configure the paths and static MAC entries for the configuration shown in Figure 7.2 on page 7-9, enter the
following commands. Enter the first group of commands on ServerIron A. Enter the second group of commands on
ServerIron B.
Commands for Active ServerIron A (External Active)
SI-ActiveA(config)# server fw-group 2
SI-ActiveA(config-tc-2)# fwall-info 1 1 3.3.3.20 192.168.1.2
SI-ActiveA(config-tc-2)# fwall-info 2 2 3.3.3.20 192.168.1.3
SI-ActiveA(config-tc-2)# fwall-info 3 1 4.4.4.20 192.168.1.2
SI-ActiveA(config-tc-2)# fwall-info 4 2 4.4.4.20 192.168.1.3
SI-ActiveA(config-tc-2)# fwall-info 5 8 192.168.1.1 192.168.1.1
SI-ActiveA(config-tc-2)# exit
SI-ActiveA(config)# static-mac-address abcd.4321.2498 ethernet 1 high-priority router-type
SI-ActiveA(config)# static-mac-address abcd.4321.a53c ethernet 2 high-priority router-type
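
The two notes above (reciprocal paths, and a static MAC entry for each firewall interface) can be checked offline against saved command text. The following is an added example, not part of the Brocade guide. The ServerIron B text and the address 192.168.1.10 for ServerIron A are constructed, and treating a path whose far end equals its next hop as the router path is an assumption based on path 5.

```python
import re

PATH_RE = re.compile(r"fwall-info\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(r"static-mac-address\s+\S+\s+ethernet\s+(\d+)(.*)")

def firewall_paths(config):
    """(path ID, port, far-end IP, next hop) for each path through a firewall."""
    paths = [(int(i), int(port), far, hop)
             for i, port, far, hop in PATH_RE.findall(config)]
    # Assumption: a path whose far end equals its next hop is the router
    # path (path 5 in the guide's commands), not a firewall path.
    return [p for p in paths if p[2] != p[3]]

def ports_missing_static_mac(config):
    """Firewall-facing ports with no static MAC entry carrying the
    high-priority and router-type options used in the guide's commands."""
    entries = {int(port): set(opts.split()) for port, opts in MAC_RE.findall(config)}
    needed = {"high-priority", "router-type"}
    return sorted({port for _, port, _, _ in firewall_paths(config)
                   if not needed <= entries.get(port, set())})

def path_counts(cfg_a, ip_a, cfg_b, ip_b):
    """Firewall paths A->B and B->A; the mesh note requires these to match."""
    a_to_b = sum(1 for p in firewall_paths(cfg_a) if p[2] == ip_b)
    b_to_a = sum(1 for p in firewall_paths(cfg_b) if p[2] == ip_a)
    return a_to_b, b_to_a

# ServerIron A: the commands from the guide, wrapped lines joined.
CONFIG_A = """\
server fw-group 2
fwall-info 1 1 3.3.3.20 192.168.1.2
fwall-info 2 2 3.3.3.20 192.168.1.3
fwall-info 3 1 4.4.4.20 192.168.1.2
fwall-info 4 2 4.4.4.20 192.168.1.3
fwall-info 5 8 192.168.1.1 192.168.1.1
static-mac-address abcd.4321.2498 ethernet 1 high-priority router-type
static-mac-address abcd.4321.a53c ethernet 2 high-priority router-type
"""
# Constructed far-end text (not from the guide): A is assumed to be
# 192.168.1.10; the second path and the static MAC entry are left out.
CONFIG_B = """\
server fw-group 2
fwall-info 1 1 192.168.1.10 3.3.3.2
"""

if __name__ == "__main__":
    print(ports_missing_static_mac(CONFIG_A), ports_missing_static_mac(CONFIG_B))
    print(path_counts(CONFIG_A, "192.168.1.10", CONFIG_B, "3.3.3.20"))
```

Unequal counts from `path_counts`, or a non-empty list from `ports_missing_static_mac`, mark a configuration that does not meet the notes above.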