Technical data
Additional Firewall Configurations
May 31, 2012 © 2012 Brocade Communications Systems, Inc. A - 3
If the firewall link goes down and the NIC fails over to the other connection, the ServerIron learns the new port for
the MAC address. Generally, this occurs when the NIC sends a gratuitous ARP to advertise the new MAC
address. The ServerIron learns that the link has failed when the firewall path health check fails. The path health
check consists of an IP ping to the next-hop IP address of the path.
Configuring for Active-Standby Firewall Links
To configure firewall paths for firewalls with active-standby NICs, enter commands such as the following. Notice
that the first four paths configured for each ServerIron specify 255 as the ServerIron port number (the second
parameter in the command). The last path is the path to the router and uses a specific ServerIron port instead
of the wildcard (255).
Commands for Active External ServerIron (SI-Ext-A)
SI-Ext-A(config)# server fw-group 2
SI-Ext-A(config-tc-2)# fwall-info 1 255 121.212.247.244 121.212.247.226
SI-Ext-A(config-tc-2)# fwall-info 2 255 121.212.247.245 121.212.247.226
SI-Ext-A(config-tc-2)# fwall-info 3 255 121.212.247.244 121.212.247.227
SI-Ext-A(config-tc-2)# fwall-info 4 255 121.212.247.245 121.212.247.227
SI-Ext-A(config-tc-2)# fwall-info 5 1 121.212.247.225 121.212.247.225
Commands for Standby External ServerIron (SI-Ext-S)
SI-Ext-S(config)# server fw-group 2
SI-Ext-S(config-tc-2)# fwall-info 1 255 121.212.247.244 121.212.247.226
SI-Ext-S(config-tc-2)# fwall-info 2 255 121.212.247.245 121.212.247.226
SI-Ext-S(config-tc-2)# fwall-info 3 255 121.212.247.244 121.212.247.227
SI-Ext-S(config-tc-2)# fwall-info 4 255 121.212.247.245 121.212.247.227
SI-Ext-S(config-tc-2)# fwall-info 5 1 121.212.247.230 121.212.247.230
Commands for Active Internal ServerIron (SI-Int-A)
SI-Int-A(config)# server fw-group 2
SI-Int-A(config-tc-2)# fwall-info 1 255 121.212.247.228 121.212.247.242
SI-Int-A(config-tc-2)# fwall-info 2 255 121.212.247.229 121.212.247.242
SI-Int-A(config-tc-2)# fwall-info 3 255 121.212.247.228 121.212.247.243
SI-Int-A(config-tc-2)# fwall-info 4 255 121.212.247.229 121.212.247.243
SI-Int-A(config-tc-2)# fwall-info 5 1 121.212.247.241 121.212.247.241
Commands for Standby Internal ServerIron (SI-Int-S)
SI-Int-S(config)# server fw-group 2
SI-Int-S(config-tc-2)# fwall-info 1 255 121.212.247.228 121.212.247.242
SI-Int-S(config-tc-2)# fwall-info 2 255 121.212.247.229 121.212.247.242
SI-Int-S(config-tc-2)# fwall-info 3 255 121.212.247.228 121.212.247.243
SI-Int-S(config-tc-2)# fwall-info 4 255 121.212.247.229 121.212.247.243
SI-Int-S(config-tc-2)# fwall-info 5 1 121.212.247.246 121.212.247.246
Syntax: [no] fwall-info <path-num> <portnum> <other-ServerIron-ip> <next-hop-ip>
Specify 255 as the port number for the paths to dual NIC (active-standby) firewall interfaces. Specify the
ServerIron port number for paths to routers.
When the firewalls have active-standby NICs and dynamic ports are configured on the firewall paths, by default
the ServerIron always reaches a firewall through the interface on which the firewall's ARP entry was initially
learned. It does not update the firewall path to an alternate interface unless that interface physically goes down.
This behavior causes problems in setups running firewalls with active-standby NICs when the NICs fail over
without the interface going down physically. For example, when a failover of the firewall NIC occurs, the ARP
entry for the firewall's IP address is learned on a new port, but the firewall path still shows the old interface,
causing problems with FWLB.
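The following is an added example, not Brocade's code or the ServerIron's actual implementation: a small Python model of the path table this section describes. It parses the fwall-info commands shown above for SI-Ext-A, applies the default pinning rule (a wildcard-255 path keeps the port on which the next-hop ARP entry was first learned until that port physically goes down), and flags the exact mismatch the text warns about, where the ARP table has moved to a new port after a NIC failover but the path still shows the old interface. The port numbers 3, 4 and 5, the ping results and the PathTable/stale_paths names are assumptions made for the walk-through.

```python
# Added example, not Brocade's code: a model of the firewall-path table behaviour
# described in this section. The FwPath/PathTable classes, the ARP-learn and
# link-down rules and the health-check input are assumptions that follow the
# text, not the ServerIron's real forwarding logic.
from dataclasses import dataclass
from typing import Dict, List, Optional

WILDCARD_PORT = 255  # page: 255 = "any port", used for active-standby NIC paths


@dataclass
class FwPath:
    path_num: int
    port: int                           # configured ServerIron port, or 255
    other_si_ip: str                    # <other-ServerIron-ip>
    next_hop_ip: str                    # <next-hop-ip>, the path health-check ping target
    learned_port: Optional[int] = None  # port the next-hop MAC was first learned on
    healthy: bool = True                # result of the last path health check


def parse_fwall_info(line: str) -> FwPath:
    """Parse one 'fwall-info <path-num> <portnum> <other-ServerIron-ip> <next-hop-ip>'
    line; a leading CLI prompt such as 'SI-Ext-A(config-tc-2)#' is tolerated."""
    tokens = line.split()
    i = tokens.index("fwall-info")
    path_num, port, other_ip, next_hop = tokens[i + 1:i + 5]
    return FwPath(int(path_num), int(port), other_ip, next_hop)


class PathTable:
    """Firewall paths plus the ARP/MAC table, with the default (pinning) behaviour."""

    def __init__(self, lines: List[str]) -> None:
        self.paths: Dict[int, FwPath] = {}
        for line in lines:
            p = parse_fwall_info(line)
            self.paths[p.path_num] = p
        self.arp: Dict[str, int] = {}   # next-hop IP -> port its MAC is currently seen on

    def learn_arp(self, ip: str, port: int) -> None:
        """A (gratuitous) ARP for ip arrives on port. The ARP table follows the MAC,
        but a wildcard path keeps the port it first learned (the default described)."""
        self.arp[ip] = port
        for p in self.paths.values():
            if p.port == WILDCARD_PORT and p.next_hop_ip == ip and p.learned_port is None:
                p.learned_port = port

    def link_down(self, port: int) -> None:
        """Physical interface down: paths pinned to it are released and will relearn."""
        for p in self.paths.values():
            if p.learned_port == port:
                p.learned_port = None

    def egress_port(self, path_num: int) -> Optional[int]:
        """Port the ServerIron would use for this path (None if not learned yet)."""
        p = self.paths[path_num]
        return p.port if p.port != WILDCARD_PORT else p.learned_port

    def health_check(self, ping_results: Dict[str, bool]) -> List[int]:
        """Apply IP-ping results keyed by next-hop IP; return the paths now marked down."""
        down = []
        for p in self.paths.values():
            p.healthy = ping_results.get(p.next_hop_ip, False)
            if not p.healthy:
                down.append(p.path_num)
        return sorted(down)

    def stale_paths(self) -> List[int]:
        """Paths whose pinned port differs from where the next-hop MAC is now seen:
        the failover-without-link-down condition the text warns about."""
        return sorted(n for n, p in self.paths.items()
                      if p.learned_port is not None
                      and self.arp.get(p.next_hop_ip, p.learned_port) != p.learned_port)


# The SI-Ext-A commands from this section, used as constructed input.
SI_EXT_A_CONFIG = [
    "SI-Ext-A(config-tc-2)# fwall-info 1 255 121.212.247.244 121.212.247.226",
    "SI-Ext-A(config-tc-2)# fwall-info 2 255 121.212.247.245 121.212.247.226",
    "SI-Ext-A(config-tc-2)# fwall-info 3 255 121.212.247.244 121.212.247.227",
    "SI-Ext-A(config-tc-2)# fwall-info 4 255 121.212.247.245 121.212.247.227",
    "SI-Ext-A(config-tc-2)# fwall-info 5 1 121.212.247.225 121.212.247.225",
]


def failover_scenario() -> dict:
    """Assumed ports 3/4/5; the active NIC for 121.212.247.226 moves from port 3 to 5."""
    t = PathTable(SI_EXT_A_CONFIG)
    t.learn_arp("121.212.247.226", 3)     # firewall 1's active NIC first seen on port 3
    t.learn_arp("121.212.247.227", 4)     # firewall 2's active NIC first seen on port 4
    before = t.egress_port(1)
    t.learn_arp("121.212.247.226", 5)     # NIC failover: gratuitous ARP now on port 5
    stale = t.stale_paths()               # paths 1 and 2 still point at port 3
    down = t.health_check({"121.212.247.226": False,   # constructed ping outcome
                           "121.212.247.227": True,
                           "121.212.247.225": True})
    t.link_down(3)                        # only a physical link-down releases the pin
    t.learn_arp("121.212.247.226", 5)
    after = t.egress_port(1)
    return {"before": before, "stale": stale, "down": down,
            "after": after, "router_port": t.egress_port(5)}


if __name__ == "__main__":
    print(failover_scenario())
```

Running the walk-through shows paths 1 and 2 reported as stale and failing their health check after the failover while the router path (path 5, fixed port 1) is unaffected, and only the link-down event lets the wildcard paths relearn port 5. A stale_paths-style comparison of the ARP table against the path table is the check worth running whenever FWLB health checks start failing on a firewall that is still up.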