Firewall Load Balancing Guide
A - 8 © 2012 Brocade Communications Systems, Inc. May 31, 2012
The result is that fwall1 gets 7/24 of the current number of connections, fwall2 gets 8/24, server3 gets 2/24, and so
on. If a new firewall, fwall6, is added with a weight of 10, the new firewall gets 10/34.
If you set the weight so that your fastest firewall gets 50 percent of the connections, it gets 50 percent of the
connections at any given time. Because that firewall services connections at a higher rate than the others, it can
complete more than 50 percent of the total connections overall. Thus, the weight is not a fixed ratio but adjusts to
firewall capacity over time.
The default weight for firewalls is 1.
The weight feature is supported only for stateful FWLB. FWLB in software releases 07.2.x and 08.x is always
stateful. FWLB in releases 07.1.x and 07.3.x can be stateful or stateless, depending upon your configuration.
Assigning Weights to Firewalls
To assign weights to firewalls, enter commands such as the following:
ServerIron(config)# server fw-name fw1
ServerIron(config-rs-fw1)# weight 7
ServerIron(config-rs-fw1)# server fw-name fw2
ServerIron(config-rs-fw2)# weight 8
ServerIron(config-rs-fw2)# server fw-name fw3
ServerIron(config-rs-fw3)# weight 2
ServerIron(config-rs-fw3)# server fw-name fw4
ServerIron(config-rs-fw4)# weight 2
ServerIron(config-rs-fw4)# server fw-name fw5
ServerIron(config-rs-fw5)# weight 5
These commands assign weights to five firewalls. The ServerIron will load balance new connections to the
firewalls based on their relative weights.
Syntax: [no] weight <least-connections-weight>
The <least-connections-weight> parameter assigns a weight to the firewall. This weight determines the
percentage of new connections the firewall receives relative to the other firewalls.
NOTE: The weight command has a second parameter, <response-time-weight>. This parameter is valid for real
servers in SLB configurations but is not valid for FWLB.
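The following Python model is an added example, not part of the Brocade guide or the ServerIron software. It uses the fw1 through fw5 weights above to show the per-weight share of current connections and why a faster firewall completes more than its weighted share overall. The selection rule in pick(), the tick-based timing, and the service times are assumptions made for illustration.

```python
from collections import deque
from fractions import Fraction

# Weights from the fw1..fw5 configuration on this page.
WEIGHTS = {"fw1": 7, "fw2": 8, "fw3": 2, "fw4": 2, "fw5": 5}

def expected_shares(weights):
    """Share of current connections each firewall is weighted to hold."""
    total = sum(weights.values())
    return {name: Fraction(w, total) for name, w in weights.items()}

def pick(active, weights):
    """Assumed rule: lowest active-connections-to-weight ratio wins."""
    return min(weights, key=lambda n: (Fraction(active[n], weights[n]), n))

def simulate(weights, service_ticks, ticks=3000, arrivals_per_tick=4):
    """Return (active, assigned) connection counts per firewall.

    service_ticks[name] is how long that firewall holds one connection;
    a smaller value models a faster firewall (constructed input).
    """
    expiries = {n: deque() for n in weights}
    active = dict.fromkeys(weights, 0)
    assigned = dict.fromkeys(weights, 0)
    for now in range(ticks):
        for n, queue in expiries.items():    # close finished connections
            while queue and queue[0] <= now:
                queue.popleft()
                active[n] -= 1
        for _ in range(arrivals_per_tick):   # balance each new connection
            n = pick(active, weights)
            active[n] += 1
            assigned[n] += 1
            expiries[n].append(now + service_ticks[n])
    return active, assigned

def share(counts, name):
    """Fraction of all counted connections that belong to one firewall."""
    return Fraction(counts[name], sum(counts.values()))

if __name__ == "__main__":
    print("fw1 share:", expected_shares(WEIGHTS)["fw1"])
    print("fw6 share:", expected_shares({**WEIGHTS, "fw6": 10})["fw6"])
    # Equal speed: total share of connections tracks the weights.
    active, assigned = simulate(WEIGHTS, dict.fromkeys(WEIGHTS, 12))
    print("equal speed:", active, float(share(assigned, "fw1")))
    # Equal weights (50 percent each), but "fast" finishes in half the time.
    active, assigned = simulate({"fast": 1, "slow": 1}, {"fast": 5, "slow": 10})
    print("fast firewall:", active, float(share(assigned, "fast")))
```

In the last case both firewalls hold about half of the open connections at any moment, yet the fast one handles roughly two thirds of all connections over the run.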
Denying FWLB for Specific Applications
You can deny FWLB for specific applications while still permitting FWLB for other applications. For example, you
can deny FWLB for HTTP traffic (TCP port 80) while still providing FWLB for other types of traffic.
This feature is useful when your network is configured to send all traffic for a given application to the same firewall.
For example, Figure A.1 shows a network in which the routers are configured to send all HTTP traffic through
firewall FW1.