Technical data
Firewall Load Balancing Guide
5 - 18 © 2012 Brocade Communications Systems, Inc. May 31, 2012
Figure 5.2 Active-Active FWLB Topology
Notes about the configuration:
• The code was tested on WSM6 and JetCore modules.
• This topology looks similar to the ServerIronI-XL's active-standby topology, but FWLB ServerIrons work in
active-active mode. Firewall paths will be up on both ServerIrons, and both ServerIrons can do FWLB.
• The always-active command is configured under VLAN 1. This command should not be configured under
the synch ports VLAN.
• In Chassis releases, a stateful algorithm is used for FWLB; therefore, the ServerIron needs to synchronize
sessions with its partner ServerIron to support stateful fail-over in high availability FWLB configurations.
• In the topology presented in this section, the IP addresses of the firewalls are different on each ServerIron. Use the
other-ip command under the firewall configuration level to identify the partner ServerIron's firewall address.
• This topology assumes that OSPF is running on the firewalls, external routers, and internal routers. These
devices exchange OSPF messages (multicast packets) among themselves. When a ServerIron is in state 3, it
blocks multicast packets. In the attached topology, if Ext-SI-B is in state 3, it blocks the OSPF multicast
packets sent by the firewalls and Ext-Router-2, which prevents Ext-Router-2 and the firewalls from learning OSPF
routes through each other. Ext-Router-2 learns the OSPF routes of the internal networks through Ext-Router-1,
so all the external traffic goes to Ext-SI-A.
• If the design requires that a ServerIron in state 3 not block multicast packets, the server fw-allow-multicast
command must be configured on the ServerIrons. When the command is configured, the external routers can learn the
OSPF routes from the firewalls and traffic can go to both ServerIrons.
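The notes above can be checked mechanically against a saved configuration. The following is an added example, not taken from the Brocade guide: the stanza layout of the sample, the synch VLAN ID 999, and the names parse_vlans and audit are assumptions made for illustration.

```python
import re

# Constructed sample; assumed layout: "vlan <id> ..." headers, indented
# sub-commands, "!" between stanzas. VLAN 999 is a hypothetical synch VLAN.
SAMPLE_CONFIG = """\
server fw-allow-multicast
!
vlan 1 name DEFAULT-VLAN by port
 always-active
!
vlan 999 by port
 untagged ethe 2/5 to 2/6
 always-active
!
"""

def parse_vlans(config):
    """Return {vlan_id: [sub-commands]} for every vlan stanza in the config."""
    vlans, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        header = re.match(r"vlan (\d+)\b", line)
        if header:
            current = int(header.group(1))
            vlans[current] = []
        elif line.startswith((" ", "\t")) and current is not None:
            vlans[current].append(line.strip())
        else:
            current = None  # "!" or any global command closes the stanza
    return vlans

def audit(config, sync_vlan):
    """Check the config against the notes; sync_vlan is the synch-port VLAN id."""
    vlans = parse_vlans(config)
    findings = []
    if "always-active" not in vlans.get(1, []):
        findings.append("always-active is missing under VLAN 1")
    if "always-active" in vlans.get(sync_vlan, []):
        findings.append(f"always-active must not be set under synch VLAN {sync_vlan}")
    globals_ = [l.strip() for l in config.splitlines() if l and not l[0].isspace()]
    if "server fw-allow-multicast" in globals_:
        findings.append("info: multicast is allowed in state 3 (OSPF passes through)")
    else:
        findings.append("info: multicast is blocked in state 3")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, sync_vlan=999):
        print(finding)
```

Run the same audit on both ServerIrons of a pair, since the multicast setting decides whether the external routers learn OSPF routes through one unit or both.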
External ServerIron Standby A (Ext-SI-A) Configuration
SI-StandbyA(config)# module 1 bi-0-port-wsm2-management-module
[Figure 5.2 diagram labels (layout not recoverable): ServerIrons SI-A, SI-B, SI-C and SI-D; External Routers 1 and 2; Internal Routers 1 and 2; Client 1 (30.30.1.1/16) and Client 2 (40.40.1.1/24); synch links on trunks eth 2/5 - 2/6 and eth 2/7 - 2/8; networks 10.10.2.0/24, 10.10.8.0/24, 20.20.1.0/24 and 20.20.8.0/24; OSPF Area 0 and OSPF Area 1.]