Technical data

Firewall Load Balancing Guide
8 - 6 © 2012 Brocade Communications Systems, Inc. May 31, 2012
ServerIronA(config)# server fw-name FW1-IPin 192.168.1.30
ServerIronA(config-rs-FW1-IPin)# exit
ServerIronA(config)# server fw-name FW2-IPin 192.168.1.40
ServerIronA(config-rs-FW2-IPin)# exit
The following commands configure parameters for firewall group 2. The fwall-info commands configure the paths
for the firewall traffic. Each path consists of a path ID, the ServerIron port attached to the firewall, the IP address
of the ServerIron at the other end of the path, and the next-hop IP address (usually the firewall interface connected
to this ServerIron). Make sure you configure reciprocal paths on the other ServerIron, as shown in the section
containing the CLI commands for ServerIron B.
NOTE: Path information is required even if the firewalls are synchronized.
The fw-name <firewall-name> command adds the firewalls to the firewall group.
ServerIronA(config)# server fw-group 2
ServerIronA(config-tc-2)# fw-name FW1-IPin
ServerIronA(config-tc-2)# fw-name FW2-IPin
ServerIronA(config-tc-2)# fwall-info 1 3 192.168.2.200 192.168.1.30
ServerIronA(config-tc-2)# fwall-info 2 5 192.168.2.200 192.168.1.40
ServerIronA(config-tc-2)# exit
The following commands add static MAC entries for the MAC addresses of the firewall interfaces connected to the
ServerIron. Notice that the QoS priority is set to high-priority and the router-type parameter is specified; both
parameters are required for FWLB.
NOTE: To ensure proper operation, always assign the path IDs so that they increase consistently from the lowest
to the highest path ID across the firewalls. For example, in Figure 8.1 on page 8-2, the path IDs should run from
lowest to highest beginning with the firewall interface at the upper left of the figure.
To keep this straightforward, you might want to depict your firewalls in a vertical hierarchy as in Figure 8.1 on
page 8-2, label the interfaces with their IP addresses, then configure the paths so that the path IDs to the
interfaces increase from the uppermost firewall interface downward.
ServerIronA(config)# static-mac-address abcd.4321.34e0 ethernet 3 high-priority router-type
ServerIronA(config)# static-mac-address abcd.4321.34e1 ethernet 5 high-priority router-type
The following commands configure global policies to enable FWLB. Global or local policies are required for
FWLB. The first ip policy command in this example configures the ServerIron to perform FWLB for all TCP traffic.
The value “0” is equivalent to “any” and means the ServerIron should perform FWLB for all TCP traffic. The
second ip policy command enables FWLB for all UDP traffic.
ServerIronA(config)# ip policy 1 fw tcp 0 global
ServerIronA(config)# ip policy 2 fw udp 0 global
ServerIronA(config)# write memory
Commands on ServerIron B (Internal)
Enter the following commands to configure FWLB on ServerIron B. Notice that the fwall-info commands
configure paths that are reciprocal to the paths configured on ServerIron A. Path 1 on each ServerIron goes
through one of the firewalls while path 2 goes through the other firewall.
ServerIronB(config)# server fw-name FW1-IPout 192.168.2.30
ServerIronB(config-rs-FW1-IPout)# exit
ServerIronB(config)# server fw-name FW2-IPout 192.168.2.40
ServerIronB(config-rs-FW2-IPout)# exit
ServerIronB(config)# server fw-group 2
ServerIronB(config-tc-2)# fw-name FW1-IPout
ServerIronB(config-tc-2)# fw-name FW2-IPout
ServerIronB(config-tc-2)# fwall-info 1 1 192.168.1.100 192.168.2.30
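The reciprocity, path-ID ordering, static-MAC and ip policy requirements described for ServerIron A and B above can be checked offline before the pair is deployed. The following is an added example, not Brocade's code or a ServerIron feature: it parses constructed sample configs built from this section's CLI lines and reports anything that breaks those rules. ServerIron B's path 2 on port 2, B's static MAC entries (abcd.4321.34e2/34e3) and B's deliberately incomplete second MAC entry and missing UDP policy are assumptions for the demonstration.

```python
import re
# Constructed sample configs built from this section's CLI lines. Assumptions: ServerIron B's
# path 2 (port 2), B's static MAC entries, and B's deliberately incomplete second entry/policy.
SERVERIRON_A = """
server fw-name FW1-IPin 192.168.1.30
server fw-name FW2-IPin 192.168.1.40
 fwall-info 1 3 192.168.2.200 192.168.1.30
 fwall-info 2 5 192.168.2.200 192.168.1.40
static-mac-address abcd.4321.34e0 ethernet 3 high-priority router-type
static-mac-address abcd.4321.34e1 ethernet 5 high-priority router-type
ip policy 1 fw tcp 0 global
ip policy 2 fw udp 0 global
"""
SERVERIRON_B = """
server fw-name FW1-IPout 192.168.2.30
server fw-name FW2-IPout 192.168.2.40
 fwall-info 1 1 192.168.1.100 192.168.2.30
 fwall-info 2 2 192.168.1.100 192.168.2.40
static-mac-address abcd.4321.34e2 ethernet 1 high-priority router-type
static-mac-address abcd.4321.34e3 ethernet 2 high-priority
ip policy 1 fw tcp 0 global
"""

def parse(config):  # firewall addresses, paths by ID, static-MAC flags by port, global fw policies
    fw_addrs = set(re.findall(r"server fw-name \S+ (\S+)", config))
    paths = {int(i): (int(port), far, nh) for i, port, far, nh
             in re.findall(r"fwall-info (\d+) (\d+) (\S+) (\S+)", config)}
    macs = dict(re.findall(r"static-mac-address \S+ ethernet (\d+)(.*)", config))
    policies = set(re.findall(r"ip policy \d+ fw (tcp|udp) \d+ global", config))
    return fw_addrs, paths, macs, policies

def check_pair(cfg_a, cfg_b, ip_a, ip_b):
    """Return findings for the A/B pair; an empty list means the FWLB configs agree."""
    findings, parsed, peer = [], {"A": parse(cfg_a), "B": parse(cfg_b)}, {"A": ip_b, "B": ip_a}
    for name, (fw_addrs, paths, macs, policies) in parsed.items():
        if sorted(paths) != list(range(1, len(paths) + 1)):
            findings.append(f"{name}: path IDs {sorted(paths)} are not contiguous from 1")
        for pid, (port, far, nh) in paths.items():
            if far != peer[name]:  # far end of every path must be the other ServerIron
                findings.append(f"{name}: path {pid} far end {far} is not the peer {peer[name]}")
            if nh not in fw_addrs:  # next hop must be a firewall interface in the group
                findings.append(f"{name}: path {pid} next hop {nh} is not a configured fw-name")
            flags = macs.get(str(port), "")
            if "high-priority" not in flags or "router-type" not in flags:
                findings.append(f"{name}: port {port} lacks a high-priority router-type static MAC")
        if not {"tcp", "udp"} <= policies:
            findings.append(f"{name}: no fw ip policy for {sorted({'tcp', 'udp'} - policies)}")
    if set(parsed["A"][1]) != set(parsed["B"][1]):
        findings.append("path IDs differ between A and B; paths must be reciprocal")
    return findings
```

With the sample above, check_pair(SERVERIRON_A, SERVERIRON_B, "192.168.1.100", "192.168.2.200") reports B's port 2 entry and B's missing UDP policy; fixing both yields an empty list.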