Technical data
Configuring FWLB and SLB
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 8 - 13
server fw-port command identifies the port number the link is on. If the link is a trunk group, you must specify the
MAC address of the group’s primary port.
SI-Ext-A(config)# trunk switch ethernet 3/5 to 3/6
SI-Ext-A(config)# vlan 10
SI-Ext-A(config-vlan-10)# untagged ethernet 3/5 to 3/6
SI-Ext-A(config-vlan-10)# exit
SI-Ext-A(config)# server fw-port 3/5
The following command configures the data link between this ServerIron and its active-active partner. You must
use the server partner-ports command to specify all the data links with the partner. However, do not use the
command for the synchronization link.
NOTE: The server partner-ports command is required for all IronClad FWLB configurations in software release
08x.
SI-Ext-A(config)# server partner-ports ethernet 3/1
The following commands add the firewall definitions. In this example, port HTTP is specified for each firewall.
Specifying the application ports on the firewalls is optional. The port http no-health-check command under each
firewall disables the Layer 4 health check for the HTTP port. When you add an application port to a firewall
definition, the ServerIron automatically enables the Layer 4 health check for that port. You must disable the Layer
4 health check if the firewall is unable to act as a proxy for the application and respond to the health check. If the
firewall does not respond to the health check, the ServerIron assumes that the port is unavailable and stops
sending traffic for the port to the firewall.
The ServerIron will still use a Layer 3 health check (IP ping) to test connectivity to the firewall.
SI-Ext-A(config)# server fw-name fw1 10.10.1.1
SI-Ext-A(config-rs-fw1)# port http
SI-Ext-A(config-rs-fw1)# port http no-health-check
SI-Ext-A(config-rs-fw1)# exit
SI-Ext-A(config)# server fw-name fw2 10.10.1.2
SI-Ext-A(config-rs-fw2)# port http
SI-Ext-A(config-rs-fw2)# port http no-health-check
SI-Ext-A(config-rs-fw2)# exit
The following commands add the firewall definitions to the firewall port group (always group 2). The firewall group
contains all the ports in VLAN 1 (the default VLAN).
SI-Ext-A(config)# server fw-group 2
SI-Ext-A(config-tc-2)# fw-name fw1
SI-Ext-A(config-tc-2)# fw-name fw2
The following command enables the active-active mode.
SI-Ext-A(config-tc-2)# sym-priority 1
NOTE: Do not use the same number on both ServerIrons. For example, enter sym-priority 1 on one of the
ServerIrons and sym-priority 255 on the other ServerIron.
The following commands add the paths through the firewalls to the other ServerIron. Each path consists of a path
number, a ServerIron port number, the IP address at the other end of the path, and the next-hop IP address. In
this example, the topology does not contain routers other than the ServerIrons. If your topology does contain
other routers, configure firewall paths for the routers too. For router paths, use the same IP address as the path
destination and the next hop.
NOTE: The path IDs must be in contiguous, ascending numerical order, starting with 1. For example, path
sequence 1, 2, 3, 4 is valid. Path sequence 4, 3, 2, 1 or 1, 3, 4, 5 is not valid.
SI-Ext-A(config-tc-2)# fwall-info 1 4/1 10.10.2.222 10.10.1.1
SI-Ext-A(config-tc-2)# fwall-info 2 3/1 10.10.2.222 10.10.1.2
SI-Ext-A(config-tc-2)# fwall-info 3 4/1 10.10.2.223 10.10.1.1
SI-Ext-A(config-tc-2)# fwall-info 4 3/1 10.10.2.223 10.10.1.2
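An added example, not from the Brocade guide: a small Python lint that checks a captured configuration against the two NOTEs above (path IDs contiguous and ascending from 1; sym-priority different on the two ServerIrons) and confirms that each path's next hop is a defined firewall or, for a router path, equals the destination. The function names and the partner_sym parameter are assumptions of this example; the sample input reuses commands shown on this page.

```python
import re

# Hypothetical helper names; not part of any ServerIron tooling.
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # strips "SI-Ext-A(config-tc-2)# "

def parse(config_text):
    """Collect firewall definitions, fwall-info paths and sym-priority."""
    firewalls, paths, sym = {}, [], None
    for raw in config_text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if words[:2] == ["server", "fw-name"] and len(words) == 4:
            firewalls[words[2]] = words[3]
        elif words[:1] == ["fwall-info"] and len(words) == 5:
            paths.append((int(words[1]), words[2], words[3], words[4]))
        elif words[:1] == ["sym-priority"] and len(words) == 2:
            sym = int(words[1])
    return firewalls, paths, sym

def lint(config_text, partner_sym=None):
    """Return a list of findings; an empty list means the checks passed."""
    firewalls, paths, sym = parse(config_text)
    findings = []
    ids = [p[0] for p in paths]  # order of entry matters, so do not sort
    if ids != list(range(1, len(ids) + 1)):
        findings.append(f"path IDs {ids} are not contiguous ascending from 1")
    for pid, _port, dest, next_hop in paths:
        # Firewall path: next hop is a defined firewall. Router path: next hop == destination.
        if next_hop not in firewalls.values() and next_hop != dest:
            findings.append(f"path {pid}: next hop {next_hop} is not a defined firewall")
    if sym is not None and sym == partner_sym:
        findings.append(f"sym-priority {sym} is also used on the partner")
    return findings

# Sample input: commands taken from this page, prompts kept.
SAMPLE = """\
SI-Ext-A(config)# server fw-name fw1 10.10.1.1
SI-Ext-A(config)# server fw-name fw2 10.10.1.2
SI-Ext-A(config-tc-2)# sym-priority 1
SI-Ext-A(config-tc-2)# fwall-info 1 4/1 10.10.2.222 10.10.1.1
SI-Ext-A(config-tc-2)# fwall-info 2 3/1 10.10.2.222 10.10.1.2
SI-Ext-A(config-tc-2)# fwall-info 3 4/1 10.10.2.223 10.10.1.1
SI-Ext-A(config-tc-2)# fwall-info 4 3/1 10.10.2.223 10.10.1.2
"""

if __name__ == "__main__":
    print(lint(SAMPLE, partner_sym=255))
    print(lint(SAMPLE.replace("fwall-info 2 ", "fwall-info 5 "), partner_sym=1))
```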