Technical data

Firewall Load Balancing Guide
5 - 12 © 2012 Brocade Communications Systems, Inc. May 31, 2012
ServerIron(config-tc-2)# fwall-info 5 4/12 10.10.1.101 10.10.1.101
Syntax: [no] fwall-info <path-num> <portnum> <other-ServerIron-ip> <next-hop-ip>
To configure the static MAC address entries for ServerIron SI-Ext-A in Figure 5.1, enter the following commands:
ServerIron(config-tc-2)# vlan 1
ServerIron(config-vlan-1)# static-mac-address 0050.da92.08fc ethernet 4/5 priority 1 router-type
ServerIron(config-vlan-1)# static-mac-address 0050.da8d.5218 ethernet 4/1 priority 1 router-type
Syntax: [no] static-mac-address <mac-addr> ethernet <portnum> [priority <0-7>] [host-type | router-type]
The priority can be 0 – 7 (0 is lowest and 7 is highest) for chassis devices and either normal-priority or high-priority
for stackable devices. Use a priority higher than 0.
Use router-type for the entry type.
If you are using the always-active feature (by entering the always-active command in VLAN 1 for simplified Layer 2
topology), you also must enable the L2-Fwall feature by entering the following command:
ServerIron(config-tc-2)# l2-fwall
Syntax: [no] l2-fwall
Dropping Packets When a Firewall Reaches Its Limit
By default, if the ServerIron receives traffic that it needs to forward to a firewall, but the firewall already has the
maximum number of sessions open or has exceeded its maximum connection rate, the ServerIron uses a hashing
mechanism to select another firewall. The hashing mechanism selects another firewall based on the source and
destination IP addresses and application port numbers in the packet.
If you want the ServerIron to drop the traffic instead of load balancing it using the hashing mechanism, enter a
command such as the following:
ServerIron(config-tc-2)# fw-exceed-max-drop
Syntax: [no] fw-exceed-max-drop
The ServerIron drops traffic only until the firewall again has available sessions.
Restricting TCP Traffic to a Firewall to Established Sessions
By default, the ServerIron sends a properly addressed TCP data packet to a firewall regardless of whether the
ServerIron has received a TCP SYN for the traffic flow. For example, if the ServerIron receives a TCP packet
addressed to TCP port 8080 on IP address 1.1.1.1, the ServerIron forwards the packet to the firewall connected to
1.1.1.1 regardless of whether the ServerIron has received a TCP SYN for the session between the packet's
source and 1.1.1.1.
For tighter security, you can configure the ServerIron to forward a TCP data packet only if the ServerIron has
already received a TCP SYN for the packet's traffic flow (source and destination addresses). For example, with the
tighter security enabled, the ServerIron does not forward a TCP data packet to 1.1.1.1 unless the ServerIron has
already received a TCP SYN for the session between the packet's source and 1.1.1.1.
To enable the tighter security, enter the following command at the global CONFIG level of the CLI:
ServerIron(config)# server fw-strict-sec
Syntax: [no] server fw-strict-sec
The feature applies globally to all TCP traffic received for FWLB.
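The following Python model is an added illustration, not Brocade code or part of this guide: it simulates the two behaviours described in the previous two sections, hashed failover versus fw-exceed-max-drop when a firewall is at its session limit, and the fw-strict-sec check that forwards TCP data only for flows with a prior SYN. The firewall names, addresses, session limits and the use of SHA-256 as the hash are constructed assumptions.

```python
import hashlib
from dataclasses import dataclass, field


@dataclass
class Firewall:
    name: str
    max_sessions: int
    sessions: int = 0


@dataclass
class Fwlb:
    firewalls: list                   # ordered list of Firewall objects
    exceed_max_drop: bool = False     # models "fw-exceed-max-drop"
    strict_sec: bool = False          # models "server fw-strict-sec"
    syn_seen: set = field(default_factory=set)

    def _hash_pick(self, pkt, exclude):
        # Hash source/destination IP and ports to select another firewall.
        # SHA-256 is an assumption; the guide does not name the hash function.
        key = f"{pkt['src']}|{pkt['dst']}|{pkt['sport']}|{pkt['dport']}".encode()
        candidates = [fw for fw in self.firewalls if fw is not exclude]
        idx = int.from_bytes(hashlib.sha256(key).digest()[:4], "big")
        return candidates[idx % len(candidates)]

    def forward(self, pkt, preferred):
        """Return the name of the firewall the packet is sent to, or 'DROP'."""
        flow = (pkt["src"], pkt["dst"])
        if pkt["flags"] == "SYN":
            self.syn_seen.add(flow)
        elif self.strict_sec and flow not in self.syn_seen:
            return "DROP"             # TCP data with no prior SYN for this flow
        fw = self.firewalls[preferred]
        if fw.sessions >= fw.max_sessions:
            if self.exceed_max_drop:
                return "DROP"         # drop instead of rehashing to another firewall
            fw = self._hash_pick(pkt, exclude=fw)
        if pkt["flags"] == "SYN":
            fw.sessions += 1          # the SYN opens a new session on the chosen firewall
        return fw.name


def demo(exceed_max_drop, strict_sec):
    # Constructed scenario: FW-A allows one session, FW-B eight; all traffic prefers FW-A.
    lb = Fwlb([Firewall("FW-A", 1), Firewall("FW-B", 8)], exceed_max_drop, strict_sec)
    syn1 = {"src": "10.0.0.5", "dst": "1.1.1.1", "sport": 40000, "dport": 8080, "flags": "SYN"}
    syn2 = {"src": "10.0.0.6", "dst": "1.1.1.1", "sport": 40001, "dport": 8080, "flags": "SYN"}
    data = {"src": "10.0.0.7", "dst": "1.1.1.1", "sport": 40002, "dport": 8080, "flags": "ACK"}
    return [lb.forward(syn1, 0), lb.forward(syn2, 0), lb.forward(data, 0)]
```

Running demo with the defaults gives the hashed failover to FW-B; enabling fw-exceed-max-drop turns the overflow into drops, and enabling fw-strict-sec drops only the data packet whose flow never sent a SYN.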
Assigning FWLB Processing to a WSM CPU
By default, the software distributes processing for the forwarding modules in the chassis among the WSM CPUs.
However, in software releases earlier than 07.2.20, all FWLB processing must be performed using the same WSM
CPU.