Technical data

Firewall Load Balancing Guide
10 - 10 © 2012 Brocade Communications Systems, Inc. May 31, 2012
The server fw-port command identifies the port that connects this ServerIron to its partner. If you configure a
trunk group for the link between the two partners, specify the first port (the primary port for the group) in the trunk
group. On the 8-port, 16-port, and 24-port ServerIrons, you can configure a trunk group with two or four members
and the primary ports are the odd-numbered ports.
SI-ActiveA(config)# server router-port 9
The server router-port command identifies the port that connects this ServerIron to the router connected to the
other ServerIron in the active-standby pair.
SI-ActiveA(config)# server fw-name 01fw1 1.1.1.100
SI-ActiveA(config-rs-01fw1)# exit
SI-ActiveA(config)# server fw-name 02fw2 1.1.1.101
SI-ActiveA(config-rs-02fw2)# exit
The server fw-name commands add the firewalls to the ServerIron. In the commands above, “fw1” and “fw2” are
the firewall names. These names are specific to the ServerIron and do not need to correspond to any name
parameters on the firewalls themselves. The IP addresses are the addresses of the firewall interfaces with the
ServerIron.
The following command, l2-fwall, enables the L2-fwall option. This option blocks the Layer 2 traffic on the standby
ServerIrons. If you do not enable this option, Layer 2 traffic can pass through the ServerIrons, causing loops. Layer
3 traffic is automatically blocked on the standby ServerIrons, so you do not need to explicitly block the traffic.
SI-ActiveA(config)# server fw-group 2
SI-ActiveA(config-tc-2)# l2-fwall
The following commands configure the firewall group. The server fw-group 2 command changes the focus of the
CLI to firewall group 2.
The sym-priority command specifies the priority of this ServerIron with respect to the other ServerIron for the
firewalls in the firewall group. The priority can be from 0 – 255. The ServerIron with the higher priority is the default
active ServerIron for the firewalls within the group.
NOTE: If you specify 0, the CLI removes the priority. When you save the configuration to the startup-config file,
the sym-priority command is removed. Use this method to remove the priority. You cannot remove the priority
using the no sym-priority command.
The fw-name <firewall-name> command adds the firewalls to the firewall group.
SI-ActiveA(config-tc-2)# sym-priority 255
SI-ActiveA(config-tc-2)# fw-name 01fw1
SI-ActiveA(config-tc-2)# fw-name 02fw2
The fwall-info commands add the paths between this ServerIron and the other ServerIrons through the firewalls.
The paths enhance performance by ensuring that a given traffic flow (source and destination IP addresses) always
travels through the same firewall. In configurations that use asynchronous firewalls, the paths enhance
performance by eliminating excess authentications. In this configuration, each ServerIron has two paths to each of
the two firewalls. The fifth path goes to the router.
The paths are required, even if the firewalls are synchronized.
The first parameter with each command is a path ID. The second parameter is the port number of the ServerIron
port that connects the ServerIron to the firewall in the path.
The third parameter is the IP address of the ServerIron at the other end of the path or, for paths to routers, the IP
address of the router’s interface with the ServerIron. Note that each ServerIron has a path to each of the
ServerIrons in the other pair, but does not have a path to its own standby pair.
For Layer 2 firewalls, the fourth parameter is also the IP address of the ServerIron at the other end of the path.
Notice that the ServerIron has two paths for each firewall. One of the paths goes to the active ServerIron in the
other pair. The other path goes to the standby ServerIron in the pair. In the case of the path to the router, the third
and fourth parameters always have the same value.
SI-ActiveA(config-tc-2)# fwall-info 1 1 1.1.1.30 1.1.1.30
SI-ActiveA(config-tc-2)# fwall-info 2 2 1.1.1.30 1.1.1.30
SI-ActiveA(config-tc-2)# fwall-info 3 1 1.1.1.40 1.1.1.40
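An added example, not part of the Brocade guide: a small Python check that applies the rules stated above to a firewall-group configuration (l2-fwall present, sym-priority within range, matching third and fourth fwall-info parameters, two paths per firewall-facing port, and a path to the router). The sample configuration is constructed with documentation addresses, the function name lint is hypothetical, and the check assumes the router path uses the port named by server router-port.

```python
import ipaddress
from collections import defaultdict

# Constructed sample using documentation addresses; not the guide's configuration.
SAMPLE = """\
server router-port 9
server fw-group 2
l2-fwall
sym-priority 255
fwall-info 1 1 192.0.2.30 192.0.2.30
fwall-info 2 2 192.0.2.30 192.0.2.30
fwall-info 3 1 192.0.2.40 192.0.2.40
fwall-info 4 2 192.0.2.40 192.0.2.40
fwall-info 5 9 192.0.2.1 192.0.2.1
"""

def lint(config):
    """Return a list of findings for one Layer 2 active-standby firewall group."""
    findings, router_port, l2_fwall, priority = [], None, False, None
    by_port = defaultdict(list)            # port -> [(path id, far-end IP)]
    for raw in config.splitlines():
        tok = raw.split("#")[-1].split()   # tolerate a leading CLI prompt
        if tok[:2] == ["server", "router-port"] and len(tok) == 3:
            router_port = tok[2]
        elif tok == ["l2-fwall"]:
            l2_fwall = True
        elif tok[:1] == ["sym-priority"] and len(tok) == 2:
            priority = int(tok[1])
        elif tok[:1] == ["fwall-info"] and len(tok) == 5:
            path_id, port = tok[1], tok[2]
            far_end, next_hop = (ipaddress.ip_address(t) for t in tok[3:])
            by_port[port].append((path_id, far_end))
            if far_end != next_hop:        # must match for L2 firewalls and router paths
                findings.append(f"path {path_id}: third and fourth parameters differ")
    if not l2_fwall:
        findings.append("l2-fwall missing: Layer 2 traffic can loop through the standby")
    if priority is not None and not 1 <= priority <= 255:
        findings.append(f"sym-priority {priority}: range is 0-255 and 0 removes the priority")
    for port, paths in sorted(by_port.items()):
        if port == router_port:            # assumption: router path uses the router-port
            continue
        if len(paths) != 2 or len({ip for _, ip in paths}) != 2:
            findings.append(f"port {port}: expected two paths, one per ServerIron in the other pair")
    if router_port not in by_port:
        findings.append("no path to the router")
    return findings

if __name__ == "__main__":
    print(lint(SAMPLE) or "no findings")
```

Lines may be pasted with or without the CLI prompt; anything before the last `#` on a line is ignored.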