Technical data

Firewall Load Balancing Guide
10 - 6 © 2012 Brocade Communications Systems, Inc. May 31, 2012
Firewalls
A path is configuration information the ServerIron uses to ensure that a given source and destination IP pair is
always authenticated by the same Layer 2 firewall.
Each path consists of the following parameters:
The path ID – A number that identifies the path. In basic FWLB configurations, the paths go from one
ServerIron to the other through the firewalls. In active-standby configurations, the paths go from each ServerIron
to the ServerIrons in the other active-standby pair through the firewalls. A path also goes to the router.
The ServerIron port – The number of the port that connects the ServerIron to the firewall.
The other ServerIron’s or Layer 2 switch’s IP address – The management address of the ServerIron or
Layer 2 switch on the other side of the firewall. The ServerIron on the private network side and the other
ServerIron or Layer 2 switch are the end points of the data path through the firewall.
The next hop IP address – Since these are Layer 2 firewalls, the next hop is not an IP interface on the firewall
itself, but is instead the same as the destination IP address of the path.
For each type of firewall (Layer 3 synchronous and asynchronous, with or without NAT, or Layer 2), you must
configure paths between the ServerIrons through the firewalls.
In addition to configuring the paths, you need to create a static MAC entry for each firewall MAC address.
NOTE: FWLB paths must be fully meshed. When you configure a FWLB path on a ServerIron, make sure you
also configure a reciprocal path on the ServerIron attached to the other end of the firewalls.
NOTE: The static MAC entries are required. You must add a static MAC entry for each firewall.
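The two notes above state rules that are easy to get wrong when the same commands are typed on four ServerIrons. The following script is an added example, not Brocade code: it parses pasted `fwall-info` and `static-mac-address` CLI lines and reports any Layer 2 path whose next hop differs from its destination, any firewall port with no static MAC entry, and any path to a peer ServerIron that the peer does not reciprocate. The management IP 1.1.1.10 for Active ServerIron A, the peer configurations for 1.1.1.30 and 1.1.1.40, and the deliberately broken configuration are all constructed for the example; only the Active ServerIron A commands are taken from this guide.

```python
"""Audit ServerIron FWLB path and static-MAC configuration against the rules
stated in the guide: Layer 2 paths use the destination as next hop, every
firewall port carries a static MAC entry, and paths are fully meshed
(each path to a peer ServerIron has a reciprocal path back).
Added example, not Brocade code; it only reads pasted config text."""
import re
from dataclasses import dataclass

# fwall-info <path-id> <port> <destination-ip> <next-hop-ip>
FWALL_RE = re.compile(r"^fwall-info\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)")
MAC_RE = re.compile(
    r"^static-mac-address\s+([0-9a-f.]+)\s+ethernet\s+(\d+)\s+high-priority\s+router-type"
)


@dataclass(frozen=True)
class Path:
    path_id: int
    port: int
    dest: str
    next_hop: str


def parse_config(text):
    """Return (paths, macs) from pasted CLI text. A prompt such as
    'SI-ActiveA(config-tc-2)# ' before the command is dropped."""
    paths, macs = [], {}
    for raw in text.splitlines():
        cmd = raw.split("#", 1)[-1].strip()
        m = FWALL_RE.match(cmd)
        if m:
            paths.append(Path(int(m[1]), int(m[2]), m[3], m[4]))
            continue
        m = MAC_RE.match(cmd)
        if m:
            macs[int(m[2])] = m[1]   # port -> firewall MAC
    return paths, macs


def audit(own_ip, own_cfg, peer_cfgs, router_ip):
    """Return a list of findings (empty means the config satisfies the rules).
    peer_cfgs maps the management IP of each ServerIron on the other side of
    the firewalls to its config text, so reciprocal paths can be checked."""
    findings = []
    paths, macs = parse_config(own_cfg)
    seen = set()
    for p in paths:
        if p.path_id in seen:
            findings.append(f"path {p.path_id}: duplicate path ID")
        seen.add(p.path_id)
        # Layer 2 firewall: the next hop must be the path's destination.
        if p.next_hop != p.dest:
            findings.append(
                f"path {p.path_id}: next hop {p.next_hop} differs from destination {p.dest}"
            )
    # Every port that carries a firewall path needs a static MAC entry.
    fw_ports = {p.port for p in paths if p.dest != router_ip}
    for port in sorted(fw_ports - set(macs)):
        findings.append(f"port {port}: firewall path but no static-mac-address entry")
    if not any(p.dest == router_ip for p in paths):
        findings.append(f"no path to router {router_ip}")
    # Full mesh: the ServerIron at the far end must have a path back to us.
    for p in paths:
        if p.dest == router_ip:
            continue
        peer_paths, _ = parse_config(peer_cfgs.get(p.dest, ""))
        if not any(q.dest == own_ip for q in peer_paths):
            findings.append(f"path {p.path_id}: no reciprocal path from {p.dest} to {own_ip}")
    return findings


# Active ServerIron A commands from the guide; its management IP 1.1.1.10 is assumed.
ACTIVE_A_IP = "1.1.1.10"
ROUTER_IP = "1.1.1.1"
ACTIVE_A_CFG = """
SI-ActiveA(config)# server fw-group 2
SI-ActiveA(config-tc-2)# fwall-info 1 1 1.1.1.30 1.1.1.30
SI-ActiveA(config-tc-2)# fwall-info 2 2 1.1.1.30 1.1.1.30
SI-ActiveA(config-tc-2)# fwall-info 3 1 1.1.1.40 1.1.1.40
SI-ActiveA(config-tc-2)# fwall-info 4 2 1.1.1.40 1.1.1.40
SI-ActiveA(config-tc-2)# fwall-info 5 9 1.1.1.1 1.1.1.1
SI-ActiveA(config-tc-2)# exit
SI-ActiveA(config)# static-mac-address 00e0.5200.3489 ethernet 1 high-priority router-type
SI-ActiveA(config)# static-mac-address 00e0.5202.e282 ethernet 2 high-priority router-type
"""
# Constructed reciprocal configs for the ServerIrons at 1.1.1.30 and 1.1.1.40.
PEER_CFGS = {
    "1.1.1.30": "fwall-info 1 1 1.1.1.10 1.1.1.10\nfwall-info 2 2 1.1.1.10 1.1.1.10\n",
    "1.1.1.40": "fwall-info 1 1 1.1.1.10 1.1.1.10\n",
}
# Constructed misconfiguration: wrong next hop on path 3, no static MAC on
# port 2, and the peer at 1.1.1.40 has no path back.
BAD_CFG = """
fwall-info 1 1 1.1.1.30 1.1.1.30
fwall-info 3 1 1.1.1.40 1.1.1.30
fwall-info 4 2 1.1.1.40 1.1.1.40
fwall-info 5 9 1.1.1.1 1.1.1.1
static-mac-address 00e0.5200.3489 ethernet 1 high-priority router-type
"""
BAD_PEERS = {"1.1.1.30": PEER_CFGS["1.1.1.30"], "1.1.1.40": ""}

if __name__ == "__main__":
    for label, cfg, peers in (("Active A", ACTIVE_A_CFG, PEER_CFGS),
                              ("bad config", BAD_CFG, BAD_PEERS)):
        print(label, "->", audit(ACTIVE_A_IP, cfg, peers, ROUTER_IP) or "OK")
```

Run it against the `show running-config` output of each ServerIron in the pair, passing the other pair's output as `peer_cfgs`; a clean run is an empty list for every device. The script assumes Layer 2 firewalls throughout, as this section does; for Layer 3 firewalls the next-hop check would have to compare against the firewall's interface address instead.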
To configure a path and add static MAC entries, use one of the following methods.
USING THE CLI
To configure the paths and static MAC entries for the configuration shown in Figure 10.1 on page 10-2, enter the
following commands. Enter the first group of commands on ServerIron A. Enter the second group of commands on
ServerIron B.
Commands for Active ServerIron A (External Active)
SI-ActiveA(config)# server fw-group 2
SI-ActiveA(config-tc-2)# fwall-info 1 1 1.1.1.30 1.1.1.30
SI-ActiveA(config-tc-2)# fwall-info 2 2 1.1.1.30 1.1.1.30
SI-ActiveA(config-tc-2)# fwall-info 3 1 1.1.1.40 1.1.1.40
SI-ActiveA(config-tc-2)# fwall-info 4 2 1.1.1.40 1.1.1.40
SI-ActiveA(config-tc-2)# fwall-info 5 9 1.1.1.1 1.1.1.1
SI-ActiveA(config-tc-2)# exit
SI-ActiveA(config)# static-mac-address 00e0.5200.3489 ethernet 1 high-priority router-type
SI-ActiveA(config)# static-mac-address 00e0.5202.e282 ethernet 2 high-priority router-type
Commands for Standby ServerIron A (External Standby)
SI-StandbyA(config)# server fw-group 2
SI-StandbyA(config-tc-2)# fwall-info 1 1 1.1.1.30 1.1.1.30
SI-StandbyA(config-tc-2)# fwall-info 2 2 1.1.1.30 1.1.1.30
SI-StandbyA(config-tc-2)# fwall-info 3 1 1.1.1.40 1.1.1.40
SI-StandbyA(config-tc-2)# fwall-info 4 2 1.1.1.40 1.1.1.40
SI-StandbyA(config-tc-2)# fwall-info 5 17 1.1.1.1 1.1.1.1
SI-StandbyA(config-tc-2)# exit
SI-StandbyA(config)# static-mac-address 00e0.5200.3489 ethernet 1 high-priority router-type