Technical data

Configuring FWLB and SLB
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 8 - 9
ServerIronB(config)# server fw-slb
Syntax: [no] server fw-slb
Configuration Example for FWLB-to-SLB
The following sections show all the ServerIron commands you would enter on each ServerIron to implement the
FWLB-to-SLB configuration shown in Figure 8.2 on page 8-3.
Commands on ServerIron A (External)
The following commands change the ServerIron’s host name to “ServerIronA”, configure the ServerIron’s
management IP address, and specify the default gateway.
ServerIron(config)# hostname ServerIronA
ServerIronA(config)# ip address 192.168.1.100 255.255.255.0
ServerIronA(config)# ip default-gateway 192.168.1.1
Enter the following commands to add two firewalls, FW1-IPin and FW2-IPin.
ServerIronA(config)# server fw-name FW1-IPin 192.168.1.30
ServerIronA(config-rs-FW1-IPin)# exit
ServerIronA(config)# server fw-name FW2-IPin 192.168.1.40
ServerIronA(config-rs-FW2-IPin)# exit
The following commands configure parameters for firewall group 2. The fwall-info commands configure the paths
for the firewall traffic. Each path consists of a path ID, the ServerIron port attached to the firewall, the IP address
of the ServerIron at the other end of the path, and the next-hop IP address (usually the firewall interface connected
to this ServerIron). Make sure you configure reciprocal paths on the other ServerIron, as shown in the section
containing the CLI commands for ServerIron B.
NOTE: Path information is required even if the firewalls are synchronized.
The fw-name <firewall-name> command adds the firewalls to the firewall group.
ServerIronA(config)# server fw-group 2
ServerIronA(config-tc-2)# fw-name FW1-IPin
ServerIronA(config-tc-2)# fw-name FW2-IPin
ServerIronA(config-tc-2)# fwall-info 1 3 192.168.2.200 192.168.1.30
ServerIronA(config-tc-2)# fwall-info 2 5 192.168.2.200 192.168.1.40
ServerIronA(config-tc-2)# exit
The following commands add static MAC entries for the MAC addresses of the firewall interfaces connected to the
ServerIron. Notice that the QoS priority is configured as high-priority and the router-type parameter is specified.
These parameters are required. You must specify high-priority and router-type.
NOTE: To ensure proper operation, always configure the path IDs so that the IDs consistently range from lowest
path ID to highest path ID for the firewalls. For example, in Figure 8.2 on page 8-3, the path IDs should range from
lowest to highest beginning with the firewall interface at the upper left of the figure.
To ensure smooth operation, you might want to depict your firewalls in a vertical hierarchy as in Figure 8.2 on
page 8-3, label the interfaces with their IP addresses, then configure the paths so that the path IDs to the
interfaces range from lowest to highest path ID starting from the uppermost firewall interface.
ServerIronA(config)# static-mac-address abcd.4321.34e0 ethernet 3 high-priority router-type
ServerIronA(config)# static-mac-address abcd.4321.34e1 ethernet 5 high-priority router-type
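The requirements stated above (a path for every firewall in the group, and high-priority plus router-type on the static MAC entries) can be checked mechanically before a change is committed. The following lint is an added example, not Brocade code: the function name lint_fwlb is hypothetical, and treating a path port with no static-mac-address entry as a finding is this example's assumption.

```python
# Sample input: the ServerIron A commands from this page, prompts removed.
SERVERIRON_A = """\
server fw-name FW1-IPin 192.168.1.30
server fw-name FW2-IPin 192.168.1.40
server fw-group 2
fw-name FW1-IPin
fw-name FW2-IPin
fwall-info 1 3 192.168.2.200 192.168.1.30
fwall-info 2 5 192.168.2.200 192.168.1.40
static-mac-address abcd.4321.34e0 ethernet 3 high-priority router-type
static-mac-address abcd.4321.34e1 ethernet 5 high-priority router-type
"""
REQUIRED = {"high-priority", "router-type"}  # both required per the page

def lint_fwlb(config):  # hypothetical helper name
    """Return a list of findings; an empty list means every check passed."""
    fw_ip, members, paths, mac_opts = {}, [], [], {}
    for line in config.splitlines():
        tok = line.split("# ", 1)[-1].split()  # tolerate a pasted CLI prompt
        if tok[:2] == ["server", "fw-name"] and len(tok) == 4:
            fw_ip[tok[2]] = tok[3]                    # firewall name -> IP
        elif tok[:1] == ["fw-name"] and len(tok) == 2:
            members.append(tok[1])                    # firewall group member
        elif tok[:1] == ["fwall-info"] and len(tok) == 5:
            paths.append((tok[1], tok[2], tok[4]))    # path ID, port, next hop
        elif tok[:1] == ["static-mac-address"] and tok[2:3] == ["ethernet"] and len(tok) >= 4:
            mac_opts[tok[3]] = set(tok[4:])           # port -> parameters
    findings = []
    next_hops = {hop for _, _, hop in paths}
    for name in members:
        if name not in fw_ip:
            findings.append(f"{name}: in firewall group but never defined")
        elif fw_ip[name] not in next_hops:
            findings.append(f"{name}: no fwall-info path via {fw_ip[name]}")
    seen = set()
    for pid, port, hop in paths:
        if pid in seen:
            findings.append(f"path {pid}: duplicate path ID")
        seen.add(pid)
        if hop not in fw_ip.values():
            findings.append(f"path {pid}: next hop {hop} is not a defined firewall")
        if port not in mac_opts:  # assumption: each path port needs an entry
            findings.append(f"path {pid}: no static-mac-address on ethernet {port}")
        elif missing := REQUIRED - mac_opts[port]:
            findings.append(f"path {pid}: ethernet {port} static MAC lacks {', '.join(sorted(missing))}")
    return findings

if __name__ == "__main__":
    print(lint_fwlb(SERVERIRON_A) or "no findings")
```

The check covers one ServerIron only; the reciprocal paths on ServerIron B still have to be compared by hand against the section that lists its commands.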
The following commands configure global policies to enable FWLB. Global or local policies are required for
FWLB. The first ip policy command in this example configures the ServerIron to perform FWLB for all TCP traffic.