Technical data
Configuring HA FWLB
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 5 - 25
Commands on External ServerIron A (SI-Ext-A)
The following commands change the CLI to the global CONFIG level, then change the hostname to "SI-Ext-A".
ServerIron> enable
ServerIron# configure terminal
ServerIron(config)# hostname SI-Ext-A
The following commands enable the always-active feature and disable the Spanning Tree Protocol (STP) in
VLAN 1, which contains the ports that will carry the FWLB traffic.
SI-Ext-A(config)# vlan 1
SI-Ext-A(config-vlan-1)# always-active
SI-Ext-A(config-vlan-1)# no spanning-tree
The following commands configure a virtual routing interface on VLAN 1 (the default VLAN), then configure an IP
address on the interface. The virtual routing interface is associated with all the ports in the VLAN.
SI-Ext-A(config-vlan-1)# router-interface ve 1
SI-Ext-A(config-vlan-1)# exit
SI-Ext-A(config)# interface ve 1
SI-Ext-A(config-ve-1)# ip address 10.10.1.111 255.255.255.0
SI-Ext-A(config-ve-1)# exit
The following command configures an IP default route. The next hop for this route is firewall FW1 (10.10.1.1),
which this ServerIron reaches over its interface with the firewall.
SI-Ext-A(config)# ip route 0.0.0.0 0.0.0.0 10.10.1.1
The following commands configure port-based VLAN 2, which will contain the port on which VRRP VRID 1
(10.10.6.111) is configured.
SI-Ext-A(config)# vlan 2
SI-Ext-A(config-vlan-2)# untag ethernet 4/12
SI-Ext-A(config-vlan-2)# exit
The following commands configure the dedicated synchronization link between the ServerIron and its active-active
partner. The trunk command configures the two ports of the link into a trunk group. The next two commands add
the trunk group to a separate port-based VLAN, since the synchronization link must be in its own VLAN. The
server fw-port command identifies the port number the link is on. If the link is a trunk group, you must specify the
MAC address of the group’s primary port.
SI-Ext-A(config)# trunk switch ethernet 3/5 to 3/6
SI-Ext-A(config)# vlan 10
SI-Ext-A(config-vlan-10)# untagged ethernet 3/5 to 3/6
SI-Ext-A(config-vlan-10)# exit
SI-Ext-A(config)# server fw-port 3/5
The following command configures the data link between this ServerIron and its active-active partner. You must
use the server partner-ports command to specify all the data links with the partner. However, do not use the
command for the synchronization link.
NOTE: The server partner-ports command is required for all IronClad FWLB configurations in software release
08x.
SI-Ext-A(config)# server partner-ports ethernet 3/1
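The synchronization-link and partner-ports rules above can be checked mechanically before a configuration is pushed. The following is an added example, not part of the original guide or any Brocade tool: the helper names ports and audit are hypothetical, the sample is built from the SI-Ext-A commands in this section, and only untagged port-based VLAN membership is considered (ports not listed in any port-based VLAN are treated as not isolated).

```python
import re

# Constructed sample: the SI-Ext-A commands from this section, prompts included.
SAMPLE = """\
SI-Ext-A(config)# vlan 2
SI-Ext-A(config-vlan-2)# untag ethernet 4/12
SI-Ext-A(config-vlan-2)# exit
SI-Ext-A(config)# trunk switch ethernet 3/5 to 3/6
SI-Ext-A(config)# vlan 10
SI-Ext-A(config-vlan-10)# untagged ethernet 3/5 to 3/6
SI-Ext-A(config-vlan-10)# exit
SI-Ext-A(config)# server fw-port 3/5
SI-Ext-A(config)# server partner-ports ethernet 3/1
"""

def ports(text):
    """Expand '3/5 to 3/6' or '3/1' into a set; ranges are assumed to stay on one slot."""
    out = set()
    for slot, lo, hi in re.findall(r"(\d+)/(\d+)(?:\s+to\s+\d+/(\d+))?", text):
        out |= {f"{slot}/{p}" for p in range(int(lo), int(hi or lo) + 1)}
    return out

def audit(config):
    """Return findings for the synchronization-link and partner-ports rules."""
    vlans, vlan, trunks, sync, partner = {}, None, [], set(), set()
    for raw in config.splitlines():
        line = re.sub(r"^\S+[#>]\s*", "", raw.strip())  # drop a CLI prompt if present
        if m := re.match(r"vlan (\d+)", line):
            vlan = m.group(1)
        elif re.match(r"untag(ged)? ethernet ", line) and vlan:
            vlans.setdefault(vlan, set()).update(ports(line))
        elif line.startswith("trunk "):
            trunks.append(ports(line))
        elif line.startswith("server fw-port "):
            sync |= ports(line)
        elif line.startswith("server partner-ports "):
            partner |= ports(line)
    if not sync:
        return ["no server fw-port: synchronization link is not defined"]
    sync |= set().union(*(g for g in trunks if g & sync))  # trunked link: whole group
    findings = []
    holders = [v for v, members in vlans.items() if members & sync]
    if len(holders) != 1 or vlans[holders[0]] != sync:
        findings.append("synchronization link is not alone in its own port-based VLAN")
    if not partner:
        findings.append("server partner-ports is missing")
    elif partner & sync:
        findings.append("server partner-ports includes the synchronization link")
    return findings
```

Calling audit(SAMPLE) returns an empty list for the configuration shown in this section; each returned string names one rule that the supplied configuration breaks.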
The following commands add the firewall definitions. In this example, port HTTP is specified for each firewall.
Specifying the application ports on the firewalls is optional. The port http no-health-check command under each
firewall disables the Layer 4 health check for the HTTP port. When you add an application port to a firewall
definition, the ServerIron automatically enables the Layer 4 health check for that port. You must disable the Layer
4 health check if the firewall is unable to act as a proxy for the application and respond to the health check. If the
firewall does not respond to the health check, the ServerIron assumes that the port is unavailable and stops
sending traffic for the port to the firewall.
The ServerIron will still use a Layer 3 health check (IP ping) to test connectivity to the firewall.
SI-Ext-A(config)# server fw-name fw1 10.10.1.1