Technical data
Configuring HA FWLB
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 5 - 11
• The max-conn is reached for that firewall
• The connection rate is exceeded for the firewall or the firewall port
The connection rate can be specified at the firewall level or at the firewall port level.
To configure the hashing features, enter commands such as the following:
SLB-SI-A(config)# server fw-group 2
SLB-SI-A(config-tc-2)# fw-predictor hash
Syntax: fw-predictor hash
Enabling the Active-Active Mode
To enable the active-active mode, enter a command such as the following at the firewall group configuration level:
ServerIron(config-tc-2)# sym-priority 1
Syntax: [no] sym-priority <num>
The sym-priority command enables the active-active mode. Since this command is also used for Symmetric SLB
(SSLB), the command requires a number from 1 – 255. In SSLB, the number specifies the priority of the
ServerIron and is used to determine the active ServerIron in the configuration. In active-active FWLB, both
ServerIrons are active, so the number you enter does not affect the configuration. The CLI requires that you enter
a number but the number is not used by the active-active FWLB configuration.
Configuring the Paths and Static MAC Address Entries
The paths go from one ServerIron to the other ServerIrons on the other side of each firewall. A path also goes to
the router.
A path consists of the following parameters:
• The path ID – A number that identifies the path. The paths go from one ServerIron to the other through the
firewalls. A path also goes to the router. On each ServerIron, the sequence of path IDs must be contiguous
(with no gaps), starting with path ID 1. For example, path sequence 1, 2, 3, 4, 5 is valid. Path sequence 1, 3,
5 or 5, 4, 3, 2, 1 is not valid.
• The ServerIron port – The number of the port that connects the ServerIron to the firewall. If your configuration
does not require static MAC entries, you can specify a dynamic port (65535) instead of the physical port
number for firewall paths. Specifying the dynamic port allows the ServerIron to select the physical port for the
path so you don’t need to. You cannot specify the dynamic port for router paths. Router paths require the
physical port number.
• The other ServerIron’s IP address – The management address of the ServerIron on the other side of the
firewall.
• The next-hop IP address – The IP address of the firewall interface connected to this ServerIron.
NOTE: FWLB paths must be fully meshed. When you configure a FWLB path on a ServerIron, make sure you
also configure a reciprocal path on the ServerIron attached to the other end of the firewalls. For example, if you
configure four paths to four separate firewalls, make sure you configure four paths on the other ServerIron.
NOTE: In addition to configuring the paths, some configurations require a static MAC entry for each firewall
interface attached to the ServerIron. Each configuration example in this guide indicates whether the configuration
requires static MAC entries. The static MAC entries are not required if the routers are using OSPF.
To configure paths for ServerIron SI-Ext-A in Figure 5.1 on page 5-5, enter the following commands:
ServerIron(config-tc-2)# fwall-info 1 4/1 10.10.2.222 10.10.1.1
ServerIron(config-tc-2)# fwall-info 2 4/5 10.10.2.222 10.10.1.2
ServerIron(config-tc-2)# fwall-info 3 4/1 10.10.2.223 10.10.1.1
ServerIron(config-tc-2)# fwall-info 4 4/5 10.10.2.223 10.10.1.2
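The path rules above (contiguous path IDs starting at 1, a physical port on router paths, and reciprocal paths on the ServerIron at the other end) can be checked offline against saved configurations before they are applied. The Python below is an added example, not part of the Brocade guide or software. It assumes the operator supplies which path IDs are router paths, compares reciprocity by path count, and uses a constructed management address (10.10.1.111) for SI-Ext-A and constructed configurations for the two internal ServerIrons.

```python
import re
from collections import Counter

DYNAMIC_PORT = "65535"  # dynamic-port value the guide allows for firewall paths only
PATH_RE = re.compile(r"fwall-info[ \t]+(\d+)[ \t]+(\S+)[ \t]+(\S+)[ \t]+(\S+)")

def parse_paths(config_text):
    """Return (path_id, port, other_ip, next_hop) tuples in config order."""
    return [(int(m[1]), m[2], m[3], m[4]) for m in PATH_RE.finditer(config_text)]

def lint_device(paths, router_path_ids=()):
    """Check one ServerIron: contiguous IDs from 1, no dynamic port on router paths."""
    findings = []
    ids = [p[0] for p in paths]
    if ids != list(range(1, len(ids) + 1)):
        findings.append(f"path IDs {ids} must be 1..{len(ids)} with no gaps")
    for pid, port, _, _ in paths:
        if pid in router_path_ids and port == DYNAMIC_PORT:
            findings.append(f"router path {pid} needs a physical port, not {DYNAMIC_PORT}")
    return findings

def lint_mesh(devices):
    """devices: {management_ip: paths}. Flag path sets with no equal reciprocal set."""
    findings = []
    for local_ip, paths in devices.items():
        toward = Counter(p[2] for p in paths)
        for peer_ip, count in toward.items():
            if peer_ip not in devices:
                continue  # router, or a ServerIron whose config was not supplied
            back = sum(1 for p in devices[peer_ip] if p[2] == local_ip)
            if back != count:
                findings.append(f"{local_ip} has {count} path(s) to {peer_ip}, "
                                f"but {peer_ip} has {back} back")
    return findings

# SI-Ext-A's four commands are from the guide; its management address and the
# two internal ServerIron configs are constructed for this example.
SI_EXT_A = """
fwall-info 1 4/1 10.10.2.222 10.10.1.1
fwall-info 2 4/5 10.10.2.222 10.10.1.2
fwall-info 3 4/1 10.10.2.223 10.10.1.1
fwall-info 4 4/5 10.10.2.223 10.10.1.2
"""
SI_INT_A = "fwall-info 1 4/1 10.10.1.111 10.10.2.1\nfwall-info 2 4/5 10.10.1.111 10.10.2.2\n"
SI_INT_B = "fwall-info 1 4/1 10.10.1.111 10.10.2.1\nfwall-info 3 4/5 10.10.1.112 10.10.2.2\n"
DEVICES = {"10.10.1.111": parse_paths(SI_EXT_A),
           "10.10.2.222": parse_paths(SI_INT_A),
           "10.10.2.223": parse_paths(SI_INT_B)}
```

In the constructed data, the second internal ServerIron has a gap in its path IDs and only one path back to SI-Ext-A, so both checks report it.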