Technical data
Configuring HA FWLB
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 5 - 5
NOTE: Active-Active operation is not the same thing as the always-active feature. The always-active feature is
used to simplify the topology of high-availability FWLB configurations, and can be used in an Active-Active
configuration.
Figure 5.1 shows an example of a ServerIron Chassis device configured for high-availability FWLB.
Figure 5.1 HA FWLB for Layer 3 Firewalls
In this example, clients access the application servers on the private network through one of two routers, each of
which is connected to a ServerIron. The ServerIrons create session entries for new traffic flows, including
assignment of a firewall. The ServerIrons then use the session entries to forward subsequent traffic in the flow to
the same firewall.
The ServerIrons on the private side of the network are connected to the application servers through routers.
These ServerIrons also create session entries and use those entries to forward traffic to the servers and to
forward the servers' replies back to the clients.
Each pair of ServerIrons is connected by two trunk groups. One of the trunk groups is the synchronization link,
and is used by the ServerIron to exchange session information, so that each ServerIron has a complete list of the
sessions. If one of the ServerIrons becomes unavailable, the other ServerIron can continue FWLB service without
interruption, even for existing sessions.
The other trunk group is an additional data link and allows for a simplified topology by eliminating the need for
separate Layer 2 Switches between the ServerIrons and firewalls.
These links are not required to be trunk groups, but configuring them as trunk groups adds link-level redundancy
to the overall redundant design.
The pairs of routers are configured with Virtual Router Redundancy Protocol (VRRP) to share the default gateway
address used by the ServerIrons attached to the routers.
Figure 5.1 labels (diagram not reproduced; the following is recovered from the figure):
  External Router A and External Router B: VRRP pair, VRRP Address 10.10.1.101
  Internal Router A and Internal Router B: VRRP pair (labelled VRRP Address 10.10.1.101 in the figure; the internal ServerIrons use Default Gateway 10.10.2.101)
  ServerIron SI-Ext-A: 10.10.1.111, Default Gateway 10.10.1.101
  ServerIron SI-Ext-B: 10.10.1.112, Default Gateway 10.10.1.101
  ServerIron SI-Int-A: 10.10.2.222, Default Gateway 10.10.2.101
  ServerIron SI-Int-B: 10.10.2.223, Default Gateway 10.10.2.101
  FW1 (Layer 3 Firewall-1): 10.10.1.x side IP 10.10.1.1, MAC 00.50.da.8d.52.18; 10.10.2.x side IP 10.10.2.1, MAC 00.50.da.92.08.dc
  FW2 (Layer 3 Firewall-2): 10.10.1.x side IP 10.10.1.2, MAC 00.50.da.92.08.fc; 10.10.2.x side IP 10.10.2.2, MAC 00.50.da.92.08.d0
  Servers: 10.10.2.30, 10.10.2.40
  Clients: 10.10.6.22, 10.10.6.23
  Management Station
  Each ServerIron: Port 4/1 and Port 4/12 (single links), Trunk Ports 4/5 - 4/6 and Trunk Ports 4/13 - 4/14 (the Synchronization Link and the Additional Data Link between the members of each pair)
  The figure also carries the pair labels SI-A and SI-B.
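The session-entry behaviour described above (a firewall is assigned when a flow is first seen, the entry is replicated to the HA partner over the synchronization link, and the partner keeps forwarding the existing flow to the same firewall after a failure) can be modelled in a few lines. The following Python is an added illustration written for this page, not ServerIron code or a Brocade algorithm: the firewall-selection rule (a hash of a direction-independent flow key), the class and function names, the hit/creation counters and the sample flow between client 10.10.6.22 and server 10.10.2.30 are all assumptions of the model; only the device and firewall names come from Figure 5.1.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One packet's 5-tuple (sample values are constructed from the figure's addresses)."""
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def key(self):
        # Direction-independent key: the server's reply maps to the same entry as
        # the client's request, so both directions of a flow use the same firewall.
        ends = sorted([(self.src_ip, self.src_port), (self.dst_ip, self.dst_port)])
        return (self.proto, ends[0], ends[1])

    def reverse(self):
        return Flow(self.proto, self.dst_ip, self.dst_port, self.src_ip, self.src_port)


FIREWALLS = ["FW1", "FW2"]  # firewall names from Figure 5.1


def choose_firewall(flow, healthy):
    """Deterministic pick among healthy firewalls (model assumption, not the
    ServerIron selection algorithm): hashing the symmetric flow key means the
    external and internal ServerIrons, seeing the same flow, pick the same firewall."""
    digest = hashlib.sha256(repr(flow.key()).encode()).digest()
    return healthy[int.from_bytes(digest[:4], "big") % len(healthy)]


class ServerIron:
    """Minimal model of one ServerIron in an HA pair (hypothetical class)."""

    def __init__(self, name):
        self.name = name
        self.sessions = {}   # flow key -> assigned firewall
        self.peer = None     # HA partner reached over the synchronization link
        self.up = True
        self.created = 0     # session entries created on this device
        self.hits = 0        # packets forwarded from an existing entry

    def link_peer(self, other):
        self.peer, other.peer = other, self

    def forward(self, flow, healthy=FIREWALLS):
        """Return the firewall this packet is sent to; the first packet of a flow
        creates a session entry and replicates it to the peer."""
        if not self.up:
            raise RuntimeError(f"{self.name} is unavailable")
        key = flow.key()
        fw = self.sessions.get(key)
        if fw is not None:
            self.hits += 1
            return fw
        fw = choose_firewall(flow, healthy)
        self.sessions[key] = fw
        self.created += 1
        if self.peer is not None and self.peer.up:
            self.peer.sessions[key] = fw   # replicate over the synchronization link
        return fw


def ha_failover_demo():
    """Scenario: client 10.10.6.22 opens a flow to server 10.10.2.30 through
    SI-Ext-A; SI-Ext-A then fails and SI-Ext-B carries on without a new
    firewall selection. Returns the firewall chosen at each step."""
    si_a, si_b = ServerIron("SI-Ext-A"), ServerIron("SI-Ext-B")
    si_a.link_peer(si_b)
    request = Flow("tcp", "10.10.6.22", 40000, "10.10.2.30", 443)

    fw_first = si_a.forward(request)             # new flow: entry created and synced
    fw_reply = si_a.forward(request.reverse())   # reply direction hits the same entry
    fw_internal = ServerIron("SI-Int-A").forward(request.reverse())  # private side agrees

    si_a.up = False                              # SI-Ext-A becomes unavailable
    fw_after = si_b.forward(request)             # SI-Ext-B already holds the entry

    return {
        "first": fw_first,
        "reply": fw_reply,
        "internal_side": fw_internal,
        "after_failover": fw_after,
        "si_b_created": si_b.created,            # 0: no fresh selection was needed
        "si_b_hits": si_b.hits,                  # 1: served from the synced entry
    }


if __name__ == "__main__":
    print(ha_failover_demo())
```

The counters are the point of the model: after SI-Ext-A fails, SI-Ext-B serves the existing flow from the replicated entry rather than choosing a firewall again, which is what lets a stateful Layer 3 firewall keep seeing both directions of the flow. Without the synchronization link (set `peer` to `None`), `si_b_created` would become 1 and continuity would depend entirely on the selection rule rather than on the session table.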