Manualshelf

Technical data

ManualsBrandsBrocade Communications Systems ManualsComputer equipment8/8
161162163164165166167168169170
Firewall Load Balancing Guide
A - 2 © 2012 Brocade Communications Systems, Inc. May 31, 2012
Figure 10.2 FWLB Configuration Using Always-Active with Active-Standby Firewall Interfaces
In this example, the links on each firewall are marked to indicate whether they are in the active (ACT) or standby
(STY) state. The ServerIron sends traffic to the active firewall interface but not to the standby interface. For
example, ServerIron SI-Ext-A sends traffic to firewall FW1 through port 3 because the firewall’s link with the
ServerIron is on port 3. However, if the link becomes unavailable and the firewall fails over to the other link,
ServerIron SI-Ext-A can no longer reach the firewall through port 3. ServerIron SI-Ext-A must use the additional
data link configured on ports 5 and 6 (a trunk group in this configuration) to reach the firewall, by sending the traffic
through ServerIron SI-Ext-B. (The always-active feature enables the ServerIrons in the active-standby pair to use
each other as data paths in instances such as this.)
The ServerIron has only one path to each firewall, but the path uses a wildcard for the ServerIron port number.
The ServerIron determines the port to use for reaching the firewall by sending an ARP request for the firewall
interface. When the active link on the firewall responds with its MAC address, the ServerIron learns the port on
which the response is received and uses that port to reach the firewall.
FW2
NetIron-S
Static route:
0.0.0.0 0.0.0.0 121.212.247.242
VRRP Backup
VRID: 121.212.247.241
Link
Activi ty
Lin k
Activit y
Power
Con so le
Link
Activi ty
Lin k
Activit y
Power
Con so l e
BigIron-S
BigIron-A
Additional
data link
Link
Activi ty
Lin k
Activit y
Power
Con so l e
Link
Activi ty
Lin k
Activit y
Power
Con so le
Synchronization link
Additional
data link
Link
Activi ty
Lin k
Activit y
Power
Con so l e
Link
Activi ty
Lin k
Activit y
Power
Con so l e
BigIron
BigIron
NetIron-A
Static route:
0.0.0.0 0.0.0.0 121.212.247.242
VRRP Master
VRID: 121.212.247.241
FW-2-External
121.212.247.227
Port 1
121.212.247.241 121.212.247.246
ServerIron SI-Int-S
121.212.247.245
Default gateway:
.247.241121.212
Port 1 Port 1
Port 1
ServerIron SI-Int-A
121.212
121.212
.247.244
Default gateway:
.247.241
FW-2-Internal
121.212.247.243
ACT
121.212.247.230
FW-1-Internal
121.212.247.242
Port 3
ServerIron SI-Ext-S
121.212.247.229
Default gateway:
121.212.247.230
Port 1
ServerIron SI-Ext-A
121.212.247.228
Default gateway:
121.212.247.225
Port 1
Port 1
Port 1
Port 2 Port 3
Port 3
FW-1-External
121.212.247.226
121.212.247.225
Synchronization link
FW1
STY
ACT
ACT
ACT
STY
STY
STY
Port 3
Port 2
Port 2
Port 2
Trunk ports 5 and 6
Trunk ports 5 and 6
Trunk ports 5 and 6
Trunk ports 5 and 6