Technical data
Firewall Load Balancing Guide
7 - 16 © 2012 Brocade Communications Systems, Inc. May 31, 2012
To prevent the ServerIron from load balancing the NAT addresses, you can use either of the following methods.
Each method is equally valid and only one of the methods is required. You need to use one of these methods only
on the ServerIron connected to the external network, not the ServerIron on the internal side of the network.
• Configure the NAT addresses as firewall addresses, but do not configure paths for the addresses.
• Configure IP access policies (filters) to deny load balancing for traffic addressed to the NAT addresses.
NOTE: In FWLB configurations, the IP policies do not block traffic altogether. They deny load balancing for
the traffic. Thus, the ServerIron does not load balance packets addressed to the NAT addresses, but instead
sends the traffic only to the firewall that originally sent the traffic.
Commands on Active ServerIron A (External Active)
SI-ActiveA(config)# ip address 192.168.1.10/24
SI-ActiveA(config)# ip default-gateway 192.168.1.2
The commands above add a management IP address and default gateway address to the ServerIron. For the
configuration in this example, the ServerIron needs to be in only one sub-net, so additional IP addresses are not
added. However, the IP address must be in the same sub-net as the ServerIron’s interface to the Layer 3 firewalls.
SI-ActiveA(config)# vlan 10 by port
SI-ActiveA(config-vlan-10)# untagged 5 to 6
SI-ActiveA(config-vlan-10)# exit
The commands above configure the ports for the connection to the standby ServerIron in a separate port-based
VLAN. This is required.
SI-ActiveA(config)# trunk switch ethernet 5 to 6
The trunk command creates a trunk group for the ports that connect this ServerIron to its partner. Using a trunk
group for the link between the active and standby ServerIrons is not required, but using a trunk group adds an
additional level of redundancy for enhanced availability. If one of the ports in a trunk group goes down, the link
remains intact as long as the other port remains up. Since the trunk group is between two ServerIron switches,
make sure you configure a switch trunk group, not a server trunk group.
SI-ActiveA(config)# server router-port 8
The server router-port command identifies the port that connects this ServerIron to the router connected to the
other ServerIron in the active-standby pair.
SI-ActiveA(config)# server fw-port 5
The server fw-port command identifies the port that connects this ServerIron to its partner. If you configure a
trunk group for the link between the two partners, specify the first port (the primary port for the group) in the trunk
group. On the 8-port, 16-port, and 24-port ServerIrons, you can configure a trunk group with two or four members
and the lead ports are the odd-numbered ports.
SI-ActiveA(config)# server fw-name fw1 192.168.1.2
SI-ActiveA(config-rs-fw1)# exit
SI-ActiveA(config)# server fw-name fw2 192.168.1.3
SI-ActiveA(config-rs-fw2)# exit
The server fw-name commands add the firewalls to the ServerIron. In the commands above, “fw1” and “fw2” are
the firewall names. These names are specific to the ServerIron and do not need to correspond to any name
parameters on the firewalls themselves. The IP addresses are the addresses of the firewall interfaces with the
ServerIron.
The following commands add firewall entries for the hidden NAT addresses. These entries prevent the ServerIron
from load balancing the firewall traffic to these addresses. The ServerIron forwards a return packet addressed to
one of these firewalls directly to the firewall that sent it, instead of using the hash mechanism to select a path for
the traffic.
ServerIron-A(config)# server fw-name fw3NAT 192.168.2.10
ServerIron-A(config-rs-fw3NAT)# exit
ServerIron-A(config)# server fw-name fw4NAT 192.168.2.3
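As an added example that is not part of the guide, the following Python checker verifies the constraints this section states for the external ServerIron: the partner link is a switch trunk of two or four ports whose odd-numbered lead port is the one named by server fw-port, the partner ports sit in their own port-based VLAN, the management address shares the firewall-facing subnet, and the firewall entries outside that subnet are the hidden NAT addresses. The sample configuration (prompts stripped), the limited set of statements parsed and the finding strings are assumptions modelled on the commands above.

```python
import ipaddress
import re

# Constructed sample modelled on the page's SI-ActiveA commands (prompts and exits stripped).
SAMPLE_CONFIG = """\
ip address 192.168.1.10/24
untagged 5 to 6
trunk switch ethernet 5 to 6
server fw-port 5
server fw-name fw1 192.168.1.2
server fw-name fw2 192.168.1.3
server fw-name fw3NAT 192.168.2.10
server fw-name fw4NAT 192.168.2.3
"""

def parse(text):  # extract only the statements the page's rules refer to
    cfg = {"fw": {}, "vlan_ports": set()}
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r"ip address (\S+)$", line):
            cfg["mgmt"] = ipaddress.ip_interface(m[1])
        elif m := re.match(r"untagged (\d+) to (\d+)$", line):
            cfg["vlan_ports"] |= set(range(int(m[1]), int(m[2]) + 1))
        elif m := re.match(r"trunk (\w+) ethernet (\d+) to (\d+)$", line):
            cfg["trunk"] = (m[1], int(m[2]), int(m[3]))
        elif m := re.match(r"server fw-port (\d+)$", line):
            cfg["fw_port"] = int(m[1])
        elif m := re.match(r"server fw-name (\S+) (\S+)$", line):
            cfg["fw"][m[1]] = ipaddress.ip_address(m[2])
    return cfg

def check(text):  # returns findings; an empty list means the page's constraints all hold
    cfg, findings = parse(text), []
    net, partner_ports = cfg["mgmt"].network, {cfg["fw_port"]}
    if trunk := cfg.get("trunk"):  # partner trunk is optional, but if present it must be sane
        kind, lo, hi = trunk
        partner_ports = set(range(lo, hi + 1))
        if kind != "switch":  # two ServerIrons: switch trunk, never a server trunk
            findings.append("partner trunk must be a switch trunk")
        if len(partner_ports) not in (2, 4) or lo % 2 == 0:  # two or four members, odd lead port
            findings.append("trunk group must have 2 or 4 members starting at an odd port")
        if cfg["fw_port"] != lo:  # fw-port must name the trunk's lead (primary) port
            findings.append(f"fw-port {cfg['fw_port']} is not the trunk lead port {lo}")
    if not partner_ports <= cfg["vlan_ports"]:  # partner link needs its own port-based VLAN
        findings.append("partner-link ports are not in the port-based VLAN")
    if not any(ip in net for ip in cfg["fw"].values()):  # mgmt IP must share the firewall subnet
        findings.append("no firewall interface address in the management subnet")
    return findings

def nat_entries(cfg):  # firewall entries outside the firewall subnet: the page's hidden NAT addresses
    return sorted(n for n, ip in cfg["fw"].items() if ip not in cfg["mgmt"].network)
```

Running check on a config whose fw-port names the second trunk member, or whose trunk was created as a server trunk, yields the matching finding, so the script doubles as a pre-change review step for the active-standby pair.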