Technical data
Firewall Load Balancing Guide
5 - 10 © 2012 Brocade Communications Systems, Inc. May 31, 2012
Adding the Firewalls to the Firewall Group
To add the firewalls to the firewall group, enter commands such as the following:
ServerIron(config-rs-FW1)# exit
ServerIron(config)# server fw-group 2
ServerIron(config-tc-2)# fw-name FW1
ServerIron(config-tc-2)# fw-name FW2
Syntax: server fw-group 2
This command changes the CLI to firewall group configuration level. The firewall group number is 2. Only one
firewall group is supported.
Syntax: [no] fw-name <string>
This command adds a configured firewall to the firewall group.
Changing the Load-Balancing Method
By default, the ServerIron load balances firewall traffic flows by selecting the firewall with the lowest number of
total connections. You can configure the ServerIron to load balance based on the lowest number of connections
for the traffic flow’s application.
For example, suppose a configuration has two firewalls (FW1 and FW2), and each firewall has two application
ports defined (HTTP and SMTP). Also assume the following:
• FW1 has 10 HTTP connections and 80 SMTP connections.
• FW2 has 60 HTTP connections and 10 SMTP connections.
Using the default load balancing method, traffic for a new flow is load balanced to FW2, since this firewall has
fewer total connections. This is true regardless of the application in the traffic. However, using the load balancing
by application method, a new traffic flow carrying HTTP traffic is load balanced to FW1 instead of FW2, because
FW1 has fewer HTTP connections. A new traffic flow for SMTP is load balanced to FW2, since FW2 has fewer
SMTP connections.
To enable load balancing by application, enter the following command at the firewall group configuration level:
ServerIron(config-tc-2)# fw-predictor per-service-least-conn
Syntax: [no] fw-predictor total-least-conn | per-service-least-conn
The total-least-conn parameter load balances traffic based on the total number of connections only. This is the
default.
The per-service-least-conn parameter load balances traffic based on the total number of connections for the
traffic’s application. This is valid for TCP or UDP applications.
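The following Python model, added here as an illustration and not Brocade code, implements the predictors this guide describes (total-least-conn, per-service-least-conn, and the hash metric covered in the next section) and replays the FW1/FW2 example above. The hash function and the tie-breaking rule are assumptions; the guide does not specify them.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Firewall:
    name: str
    # Open connections per application, e.g. {"http": 10, "smtp": 80}
    conns: dict = field(default_factory=dict)

    def total(self) -> int:
        return sum(self.conns.values())


def total_least_conn(firewalls, service):
    """Default predictor: pick the firewall with the fewest total connections.
    The application of the new flow is ignored. Ties go to the first listed
    firewall (assumption; the guide does not state the tie-break)."""
    return min(firewalls, key=lambda fw: fw.total()).name


def per_service_least_conn(firewalls, service):
    """fw-predictor per-service-least-conn: fewest connections for this
    flow's own application (TCP or UDP service name)."""
    return min(firewalls, key=lambda fw: fw.conns.get(service, 0)).name


def hash_predictor(firewalls, src_ip, dst_ip, src_port=None, dst_port=None,
                   hash_ports=()):
    """fw-predictor hash: select by hashing source and destination IP; the
    ports join the hash only when one of them is listed under hash-ports.
    SHA-256 is an assumption standing in for the device's real hash."""
    key = f"{src_ip}|{dst_ip}"
    if src_port in hash_ports or dst_port in hash_ports:
        key += f"|{src_port}|{dst_port}"
    digest = hashlib.sha256(key.encode()).digest()
    return firewalls[int.from_bytes(digest[:4], "big") % len(firewalls)].name


def guide_example():
    """Constructed data matching the guide's worked example."""
    fws = [Firewall("FW1", {"http": 10, "smtp": 80}),
           Firewall("FW2", {"http": 60, "smtp": 10})]
    return {
        "total_http": total_least_conn(fws, "http"),            # FW2 (70 < 90)
        "total_smtp": total_least_conn(fws, "smtp"),            # FW2 (70 < 90)
        "per_service_http": per_service_least_conn(fws, "http"),  # FW1 (10 < 60)
        "per_service_smtp": per_service_least_conn(fws, "smtp"),  # FW2 (10 < 80)
    }
```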
Hashing Load Balance Metric in FWLB
NOTE: This feature applies to Releases 09.3.01 and later.
Firewall Load Balancing (FWLB) balances firewall traffic flows across multiple firewalls. Older ServerIron XL
systems have always load balanced traffic to firewalls by hashing source IP and destination IP addresses.
Optionally, if the hash-ports command was configured on the device, the hashing would include TCP source
port and TCP destination port if the source or destination port was one of the ports listed with the hash-ports
command. On ServerIron XL, hashing is the default load balancing scheme, and there are no sessions created
when load balancing is performed this way.
Beginning with Release 09.3.01, hashing is a new metric added to ServerIron chassis devices’ support of load
balancing. For this feature, configure the fw-predictor hash command under the fw-group. When this
command is configured, firewall selection is based on hashing of IP addresses (and optionally ports). However,
unlike the ServerIron XL devices, chassis devices create sessions for the flow. The packet will be dropped if
hashing picks a firewall and if either of the following is true: