Technical data

ServerIron FWLB Overview
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 3 - 3
Figure 3.1 shows an example of FWLB paths.
Figure 3.1 Example of FWLB Paths
The example above shows the following paths:
Path 1—ServerIron A through Firewall 1 to ServerIron C
Path 2—ServerIron A through Firewall 2 to ServerIron C
Path 3—ServerIron A through Firewall 1 to ServerIron D
Path 4—ServerIron A through Firewall 2 to ServerIron D
Path 5—ServerIron A to Internet router.
To ensure proper synchronization of traffic through the firewalls, the paths must be symmetrical. This means that
on each ServerIron, the order of next-hop addresses must match. Thus, if you are configuring IronClad FWLB for
Layer 3 firewalls, you must configure the paths so that the firewall interfaces are listed in the same order. For
example, if the configuration contains four firewalls and you number them 1 – 4 from left to right, the paths on each
ServerIron must be configured so that the firewalls’ next-hop addresses match (the interface for firewall 1 is in the first
path, the interface for firewall 2 is in the second path, and so on).
Firewall Selection
Once a ServerIron has selected a firewall for a given traffic flow (source-destination pair of IP addresses), the
ServerIron uses the same firewall for subsequent traffic in the same flow. For example, if the ServerIron selects
firewall FW1 for the first packet the ServerIron receives with source address 1.1.1.1 and destination address
2.2.2.2, the ServerIron uses FW1 for all packets of flows from 1.1.1.1 to 2.2.2.2.
The ServerIron uses one of the following methods to select a firewall for the first packet:
Select the firewall based on a hash calculation – used for stateless FWLB
Select the firewall with the fewest open connections – used for stateful FWLB
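The following added example (not taken from the Brocade documentation) illustrates hash-based selection for stateless FWLB and why the next-hop order must match on both sides of the firewalls. The hash function, the function names, and the next-hop addresses are assumptions made for illustration; the ServerIron's actual hash calculation is not described on this page.

```python
import hashlib
import ipaddress

def flow_index(ip_a, ip_b, n_paths):
    """Map an IP pair to a path slot, independent of packet direction.
    SHA-256 is an illustrative stand-in, not the ServerIron's hash."""
    lo, hi = sorted(int(ipaddress.ip_address(ip)) for ip in (ip_a, ip_b))
    digest = hashlib.sha256(lo.to_bytes(16, "big") + hi.to_bytes(16, "big")).digest()
    return int.from_bytes(digest[:4], "big") % n_paths

def select_firewall(src, dst, paths):
    """paths: ordered list of (firewall name, next-hop address) on one ServerIron."""
    return paths[flow_index(src, dst, len(paths))][0]

def asymmetric_flows(flows, outside_paths, inside_paths):
    """Return flows whose request and reply would cross different firewalls."""
    bad = []
    for src, dst in flows:
        fwd = select_firewall(src, dst, outside_paths)  # request, chosen on the outside ServerIron
        rev = select_firewall(dst, src, inside_paths)   # reply, chosen on the inside ServerIron
        if fwd != rev:
            bad.append((src, dst, fwd, rev))
    return bad

# Constructed sample data: next-hop addresses are placeholders.
OUTSIDE = [("FW1", "10.0.1.1"), ("FW2", "10.0.1.2")]
INSIDE_OK = [("FW1", "10.0.2.1"), ("FW2", "10.0.2.2")]       # same firewall order
INSIDE_SWAPPED = [("FW2", "10.0.2.2"), ("FW1", "10.0.2.1")]  # order mismatch
FLOWS = [("1.1.1.%d" % i, "2.2.2.2") for i in range(1, 21)]

if __name__ == "__main__":
    print("matching order, asymmetric flows:", len(asymmetric_flows(FLOWS, OUTSIDE, INSIDE_OK)))
    print("swapped order, asymmetric flows:", len(asymmetric_flows(FLOWS, OUTSIDE, INSIDE_SWAPPED)))
```

With two firewalls, swapping the order on one side sends every reply through the firewall that did not see the request, which is the synchronization failure the symmetry requirement prevents.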
[Figure 3.1 labels: ServerIrons SI-A, SI-B, SI-C and SI-D; Layer 3 Firewall-1 and Layer 3 Firewall-2; Internet Router; Internal Router; Paths 1 through 5]