Technical data

Firewall Load Balancing Guide
5 - 14 © 2012 Brocade Communications Systems, Inc. May 31, 2012
SI-Ext-A(config-vlan-1)# no spanning-tree
SI-Ext-A(config-vlan-1)# exit
The commands above enable the always-active feature and disable the Spanning Tree Protocol (STP) in VLAN 1,
which contains the ports that will carry the FWLB traffic.
SI-Ext-A(config)# vlan 2 name sync_link by port
SI-Ext-A(config-vlan-2)# untagged ethernet 4/13 to 4/14
SI-Ext-A(config-vlan-2)# no spanning-tree
SI-Ext-A(config-vlan-2)# exit
The commands above configure the ports for the synchronization link to the other ServerIron in a separate port-based VLAN. The separate VLAN is required. Add the ports as untagged ports.
SI-Ext-A(config)# server fw-port 4/13
The server fw-port command identifies the port that connects this ServerIron to its high-availability partner. If you
use a trunk group, specify the first port in the group (the group’s primary port).
SI-Ext-A(config)# server router-port 4/12
The server router-port command identifies the port that connects this ServerIron to its default gateway router.
SI-Ext-A(config)# server fw-name FW1 10.10.1.1
SI-Ext-A(config-rs-FW1)# port http
SI-Ext-A(config-rs-FW1)# exit
SI-Ext-A(config)# server fw-name FW2 10.10.1.2
SI-Ext-A(config-rs-FW2)# port http
SI-Ext-A(config-rs-FW2)# server fw-group 2
SI-Ext-A(config-tc-2)# fw-name FW1
SI-Ext-A(config-tc-2)# fw-name FW2
The commands above configure the firewalls and add them to the firewall group. Since an application port is
configured on each firewall, the ServerIron will use Layer 4 sessions to load balance the firewall traffic for that
application. The ServerIron will use Layer 3 sessions to load balance traffic for other applications.
SI-Ext-A(config-tc-2)# sym-priority 1
The command above enables the active-active mode. The number with the command is required by the CLI but is
not used by FWLB. The CLI requires a number from 1 – 255 because the same command is also used to
configure Symmetric SLB (SSLB), where the number determines the ServerIron’s priority in the configuration.
SI-Ext-A(config-tc-2)# fwall-info 1 4/1 10.10.2.222 10.10.1.1
SI-Ext-A(config-tc-2)# fwall-info 2 4/5 10.10.2.222 10.10.1.2
SI-Ext-A(config-tc-2)# fwall-info 3 4/1 10.10.2.223 10.10.1.1
SI-Ext-A(config-tc-2)# fwall-info 4 4/5 10.10.2.223 10.10.1.2
SI-Ext-A(config-tc-2)# fwall-info 5 4/12 10.10.1.101 10.10.1.101
SI-Ext-A(config-tc-2)# l2-fwall
SI-Ext-A(config-tc-2)# exit
The commands above configure the data paths through the firewalls and to the default gateway router. The l2-fwall command is part of the always-active feature and is required if you use the always-active command.
SI-Ext-A(config)# vlan 1
SI-Ext-A(config-vlan-1)# static-mac-address 0050.da8d.5218 ethernet 4/1 priority 1 router-type
SI-Ext-A(config-vlan-1)# static-mac-address 0050.da92.08fc ethernet 4/5 priority 1 router-type
SI-Ext-A(config-vlan-1)# exit
The commands above add static entries to the ServerIron’s MAC table for the firewall interfaces. Specify a priority
higher than 0. You can specify a priority up to 7. The router-type parameter is required for FWLB.
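A consistency check for the commands in this section, added here as an example and not taken from the Brocade guide. It assumes the fwall-info fields are path ID, port, destination IP and next-hop IP, and that a path whose two addresses are equal is the router path; the function name audit is hypothetical.

```python
import re

# Constructed sample: commands from this section with the CLI prompts stripped.
GOOD = """
always-active
server router-port 4/12
server fw-name FW1 10.10.1.1
server fw-name FW2 10.10.1.2
server fw-group 2
fwall-info 1 4/1 10.10.2.222 10.10.1.1
fwall-info 2 4/5 10.10.2.222 10.10.1.2
fwall-info 3 4/1 10.10.2.223 10.10.1.1
fwall-info 4 4/5 10.10.2.223 10.10.1.2
fwall-info 5 4/12 10.10.1.101 10.10.1.101
l2-fwall
static-mac-address 0050.da8d.5218 ethernet 4/1 priority 1 router-type
static-mac-address 0050.da92.08fc ethernet 4/5 priority 1 router-type
"""

def audit(config):
    """Return a list of findings; an empty list means the paths are consistent."""
    lines = [s.strip() for s in config.splitlines() if s.strip()]
    fw_ips = {m[2] for s in lines if (m := re.match(r"server fw-name (\S+) (\S+)$", s))}
    router_port = next((s.split()[-1] for s in lines if s.startswith("server router-port ")), None)
    macs = {}  # port -> (priority, router-type present)
    for s in lines:
        m = re.match(r"static-mac-address \S+ ethernet (\S+) priority (\d+)(.*)$", s)
        if m:
            macs[m[1]] = (int(m[2]), "router-type" in m[3])
    findings = []
    for s in lines:
        m = re.match(r"fwall-info (\d+) (\S+) (\S+) (\S+)$", s)
        if not m:
            continue
        path, port, dest, hop = m.groups()
        if dest == hop:  # assumed to be the path to the default gateway router
            if port != router_port:
                findings.append(f"path {path}: router path uses {port}, router-port is {router_port}")
        elif hop not in fw_ips:
            findings.append(f"path {path}: next hop {hop} is not a configured firewall")
        else:
            prio, rtype = macs.get(port, (0, False))
            if not 1 <= prio <= 7 or not rtype:
                findings.append(f"path {path}: port {port} needs a static MAC, priority 1-7, router-type")
    if "always-active" in lines and "l2-fwall" not in lines:
        findings.append("always-active is set but l2-fwall is missing")
    return findings

print(audit(GOOD))
```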
SI-Ext-A(config)# wsm wsm-map slot 3 wsm-slot 2 wsm-cpu 1
SI-Ext-A(config)# wsm wsm-map slot 4 wsm-slot 2 wsm-cpu 1
The commands above remap the forwarding modules in slots 3 and 4 to WSM CPU 1 on the Web Switching
Management Module in slot 2.