Technical data

May 31, 2012 © 2012 Brocade Communications Systems, Inc. A - 1
Appendix A
Additional Firewall Configurations
This appendix describes how to configure the following additional firewall configurations:
“Configuring FWLB for Firewalls with Active-Standby NICs” on page A-1
“Customizing Path Health Checks” on page A-4
“FWLB Selection Algorithms” on page A-6
Configuring FWLB for Firewalls with Active-Standby NICs
Some firewalls provide reliability through link redundancy. For example, some firewalls can have two NICs on each
sub-net. One of the NICs is active. The other NIC is a standby interface and is used only if the active NIC becomes
unavailable. Both NICs have the same IP address. You can use this type of firewall in IronClad configurations that
use the always-active feature.
NOTE: The always-active feature enables you to simplify FWLB configuration by eliminating extra layers of Layer 2 switches. See.
To configure a ServerIron to load balance traffic for firewalls that use dual NICs for link redundancy, specify a
wildcard value (255) instead of a specific ServerIron port number when you configure the paths to the firewall.
When you add a firewall path, the ServerIron sends an ARP request to obtain the MAC address of the next-hop IP
address for the path, which in most configurations is the firewall NIC. If the ServerIron port number for the path is
a wildcard (255), the ServerIron also learns the port for the path, which is the port on which the ServerIron
receives the ARP reply from the NIC.
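The following Python model, added here as an illustration and not Brocade code, shows why the wildcard port matters: a path configured with port 255 learns its port from whichever port the ARP reply arrives on, so when the standby NIC (same IP, different MAC, different switch port) takes over, the path follows it, whereas a path pinned to a specific port ignores a reply from another port. The IP, MAC addresses and port numbers are constructed sample values.

```python
"""Model of firewall-path port learning with a wildcard port (constructed
illustration, not ServerIron code).  Simplification: the standby NIC's ARP
reply is fed directly to the path, standing in for the re-ARP that would
follow a failed health check."""
from dataclasses import dataclass
from typing import Optional

WILDCARD_PORT = 255  # "any port": learn it from the ARP reply


@dataclass
class FirewallPath:
    next_hop_ip: str             # IP address shared by the active and standby NICs
    configured_port: int         # specific ServerIron port, or WILDCARD_PORT
    learned_port: Optional[int] = None
    next_hop_mac: Optional[str] = None

    def on_arp_reply(self, sender_ip: str, sender_mac: str, ingress_port: int) -> bool:
        """Handle an ARP reply received on ingress_port.
        Returns True if the path was (re)resolved, False if the reply was ignored."""
        if sender_ip != self.next_hop_ip:
            return False  # reply belongs to some other path
        if self.configured_port != WILDCARD_PORT and ingress_port != self.configured_port:
            return False  # fixed port: a reply on another port cannot be used
        self.next_hop_mac = sender_mac
        self.learned_port = ingress_port
        return True

    @property
    def active_port(self) -> Optional[int]:
        """Port on which traffic for this path is forwarded."""
        if self.configured_port == WILDCARD_PORT:
            return self.learned_port
        return self.configured_port


def failover_demo(configured_port: int):
    """Resolve the path via the active NIC on port 3, then let the standby NIC
    (same IP, new MAC) answer on port 4.  Returns (port before, re-resolved?, port after)."""
    path = FirewallPath("10.10.10.1", configured_port)          # constructed next-hop IP
    path.on_arp_reply("10.10.10.1", "00:00:5e:00:53:01", 3)     # active NIC answers on port 3
    before = path.active_port
    resolved = path.on_arp_reply("10.10.10.1", "00:00:5e:00:53:02", 4)  # standby NIC takes over
    return before, resolved, path.active_port
```

With the wildcard the path moves from port 3 to port 4; with a fixed port 3 the standby's reply is ignored and traffic keeps going to the dead link.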
Figure 10.2 shows an example of an always-active configuration.
This configuration and the commands for implementing it are almost the same as for the configuration in..... The
only differences are as follows:
Each firewall is connected to both ServerIrons on each side of the network. For example, firewall FW1 is
connected to both ServerIron SI-Ext-A and ServerIron SI-Ext-B. Each link has a unique MAC address but they
use the same IP address. Only one of the links is active at a time. The other link is a standby.
The firewall paths on each ServerIron use a wildcard value (255) instead of a specific ServerIron port number.