Technical data

Firewall Load Balancing Guide
8 - 12 © 2012 Brocade Communications Systems, Inc. May 31, 2012
Figure 8.3 Active-Active FWLB with SLB
The CLI commands in this section show how to configure SLB-to-FWLB. In SLB-to-FWLB, the ServerIron on the
Internet side of the firewalls performs FWLB for traffic directed toward real servers connected to the ServerIron on
the private side of the firewalls. The real servers are configured as remote servers. In addition, the SLB-to-FWLB
feature is enabled on the Internet ServerIron. The internal ServerIron is configured for FWLB but requires no
additional configuration.
Commands on External ServerIron A (SI-Ext-A)
The following commands change the CLI to the global CONFIG level, then change the hostname to "SI-Ext-A".
ServerIron> enable
ServerIron# configure terminal
ServerIron(config)# hostname SI-Ext-A
The following commands enable the always-active feature and disable the Spanning Tree Protocol (STP) in
VLAN 1, which contains the ports that will carry the FWLB traffic.
SI-Ext-A(config)# vlan 1
SI-Ext-A(config-vlan-1)# always-active
SI-Ext-A(config-vlan-1)# no spanning-tree
The following commands configure a virtual routing interface on VLAN 1 (the default VLAN), then configure an IP
address on the interface. The virtual routing interface is associated with all the ports in the VLAN.
SI-Ext-A(config-vlan-1)# router-interface ve 1
SI-Ext-A(config-vlan-1)# exit
SI-Ext-A(config)# interface ve 1
SI-Ext-A(config-ve-1)# ip address 10.10.1.111 255.255.255.0
SI-Ext-A(config-ve-1)# exit
The following command configures an IP default route. The next hop for this route is the ServerIron’s interface
with firewall FW1.
SI-Ext-A(config)# ip route 0.0.0.0 0.0.0.0 10.10.1.1
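A review check for the commands above, as an added example that is not part of the Brocade guide: it parses a prompt-prefixed CONFIG transcript, confirms that each static route's next hop lies on a configured virtual routing interface subnet, and lists the VLANs where STP was turned off. The transcript is a constructed copy of the commands on this page; the function names and finding messages are hypothetical.

```python
import ipaddress
import re

# Constructed sample: the SI-Ext-A commands from this page, with their CLI prompts.
TRANSCRIPT = """\
SI-Ext-A(config)# vlan 1
SI-Ext-A(config-vlan-1)# always-active
SI-Ext-A(config-vlan-1)# no spanning-tree
SI-Ext-A(config-vlan-1)# router-interface ve 1
SI-Ext-A(config-vlan-1)# exit
SI-Ext-A(config)# interface ve 1
SI-Ext-A(config-ve-1)# ip address 10.10.1.111 255.255.255.0
SI-Ext-A(config-ve-1)# exit
SI-Ext-A(config)# ip route 0.0.0.0 0.0.0.0 10.10.1.1
"""

PROMPT = re.compile(r"^\S+?\((?P<ctx>config[^)]*)\)#\s*(?P<cmd>.+?)\s*$")


def parse(transcript):
    """Collect VLANs with STP turned off, ve addresses and static routes."""
    no_stp, ves, routes = set(), {}, []
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if not m:
            continue  # not a CONFIG-level prompt line (enable, command output, ...)
        ctx, words = m["ctx"], m["cmd"].split()
        if ctx.startswith("config-vlan-") and words == ["no", "spanning-tree"]:
            no_stp.add(ctx[len("config-vlan-"):])
        elif ctx.startswith("config-ve-") and words[:2] == ["ip", "address"]:
            ves[ctx[len("config-ve-"):]] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif ctx == "config" and words[:2] == ["ip", "route"]:
            dest = ipaddress.ip_network(f"{words[2]}/{words[3]}")
            routes.append((dest, ipaddress.ip_address(words[4])))
    return no_stp, ves, routes


def audit(transcript):
    """Return findings: next hops off every ve subnet, and VLANs without STP."""
    no_stp, ves, routes = parse(transcript)
    findings = []
    for dest, hop in routes:
        if not any(hop in ve.network and hop != ve.ip for ve in ves.values()):
            findings.append(f"route {dest}: next hop {hop} is not on any ve subnet")
    for vid in sorted(no_stp):
        findings.append(f"vlan {vid}: spanning-tree disabled, verify no Layer 2 loop exists")
    return findings
```

Calling `audit()` on a saved transcript from each ServerIron before a change window gives a quick list of items to confirm against the cabling diagram.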
The following commands configure the dedicated synchronization link between the ServerIron and its active-active
partner. The trunk command configures the two ports of the link into a trunk group. The next two commands add
the trunk group to a separate port-based VLAN, since the synchronization link must be in its own VLAN. The
[Figure 8.3 diagram labels: ServerIron SI-Ext-A (10.10.1.111), ServerIron SI-Ext-B (10.10.1.112), ServerIron SI-Int-A (10.10.2.222), ServerIron SI-Int-B (10.10.2.223); SI-A; SI-B; Firewall-1; Firewall-2; IP 10.10.1.1 / MAC 00e0.5201.0426; IP 10.10.1.2 / MAC 00e0.5201.2180; IP 10.10.2.1 / MAC 00e0.5201.042e; IP 10.10.2.2 / MAC 00e0.5201.2188; Synchronization Link (Trunk Ports 3/5 - 3/6); Additional Data Link; Port 3/1; Port 3/2; Port 4/1; Clients; Management Station; 10.10.2.100; Application Servers 10.10.2.40, 10.10.2.41, 10.10.2.42, 10.10.2.43.]