Firewall Load Balancing Guide
3 - 8 © 2012 Brocade Communications Systems, Inc. May 31, 2012
Figure 3.3 HA FWLB Topology
In this example, clients access the application servers on the private network through one of two routers, each of
which is connected to a ServerIron. The ServerIrons create session entries for new traffic flows, including
assignment of a firewall. The ServerIrons then use the session entries to forward subsequent traffic in the flow to
the same firewall.
Failover
In Active-Active FWLB, if one of the ServerIrons becomes unavailable, the other ServerIron takes over for the
unavailable ServerIron. The ServerIrons use the following parameters to manage failover:
ServerIron priority (Active-Standby only) – You can specify a priority from 0 to 255 on each ServerIron. The
ServerIron with the higher priority is the default active ServerIron. Specifying the priority is required.
NOTE: If you specify 0, the CLI removes the priority. When you save the configuration to the startup-config
file, the sym-priority command is removed. Use this method to remove the priority. You cannot remove the
priority using the no sym-priority command.
NOTE: The priority parameter does not apply to Active-Active configurations.
Path tolerance – Optionally, you can also configure a minimum number of firewall paths and router paths that
must be available.
By default, failover occurs if the health checks between the ServerIrons reveal that the active ServerIron has lost a
path link. In configurations that contain numerous paths, unstable links can cause frequent failovers, which may be
unnecessary and undesirable. To prevent frequent failovers (flapping), you can specify tolerances for the number
of good firewall paths and the number of good router paths.
When you configure tolerances, you specify the minimum number of good path links to routers and to firewalls that
the ServerIron must have. As long as the ServerIron has the minimum required number of good links,
the ServerIron remains active, even if a link becomes unavailable. However, if the number of unavailable links
exceeds the minimum requirement you configure and as a result the ServerIron has fewer available paths than its
[Figure 3.3 labels: SI-A, SI-B, SI-C, SI-D, Layer 3 Firewall-1, Layer 3 Firewall-2, External Router, Internal Router]
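
The failover rule described above, modeled as an added example (not Brocade's code or CLI): by default any lost path link triggers failover, while with tolerances the ServerIron stays active as long as it meets the configured minimums. The class and function names, the sample health-check rounds, and the assumption that a unit resumes the active role once it meets the policy again are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class PathPolicy:
    total_fw: int                  # firewall paths configured on this unit
    total_rtr: int                 # router paths configured on this unit
    min_fw: Optional[int] = None   # tolerance: minimum good firewall paths
    min_rtr: Optional[int] = None  # tolerance: minimum good router paths

    def must_fail_over(self, good_fw: int, good_rtr: int) -> bool:
        # Default (no tolerance): losing any path link triggers failover.
        # With a tolerance: stay active while good paths >= the minimum.
        fw_floor = self.total_fw if self.min_fw is None else self.min_fw
        rtr_floor = self.total_rtr if self.min_rtr is None else self.min_rtr
        return good_fw < fw_floor or good_rtr < rtr_floor


def count_failovers(policy: PathPolicy,
                    samples: Iterable[Tuple[int, int]]) -> int:
    """Count active -> standby transitions over successive health checks.

    Assumption: the unit resumes the active role once it meets the policy
    again, so an unstable link shows up as repeated failovers (flapping).
    """
    active, failovers = True, 0
    for good_fw, good_rtr in samples:
        healthy = not policy.must_fail_over(good_fw, good_rtr)
        if active and not healthy:
            failovers += 1
        active = healthy
    return failovers


# Constructed health-check rounds: (good firewall paths, good router paths)
# for a unit with 4 firewall paths and 2 router paths. One firewall link is
# unstable, round 7 loses three firewall paths, round 9 loses one router path.
SAMPLES = [(4, 2), (3, 2), (4, 2), (3, 2), (4, 2),
           (3, 2), (1, 2), (4, 2), (4, 1), (4, 2)]

DEFAULT = PathPolicy(total_fw=4, total_rtr=2)
TOLERANT = PathPolicy(total_fw=4, total_rtr=2, min_fw=3, min_rtr=1)

if __name__ == "__main__":
    print("default :", count_failovers(DEFAULT, SAMPLES), "failovers")
    print("tolerant:", count_failovers(TOLERANT, SAMPLES), "failovers")
```

With the tolerant policy the unit keeps forwarding through three of its four firewall paths, so the minimums should be set no lower than the remaining firewalls can carry.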