Technical data

Firewall Load Balancing Guide
5 - 26 © 2012 Brocade Communications Systems, Inc. May 31, 2012
SI-Ext-A(config-rs-fw1)# port http
SI-Ext-A(config-rs-fw1)# port http no-health-check
SI-Ext-A(config-rs-fw1)# exit
SI-Ext-A(config)# server fw-name fw2 10.10.1.2
SI-Ext-A(config-rs-fw2)# port http
SI-Ext-A(config-rs-fw2)# port http no-health-check
SI-Ext-A(config-rs-fw2)# exit
The following commands add the firewall definitions to the firewall port group (always group 2). The firewall group
contains all the ports in VLAN 1 (the default VLAN).
SI-Ext-A(config)# server fw-group 2
SI-Ext-A(config-tc-2)# fw-name fw1
SI-Ext-A(config-tc-2)# fw-name fw2
The following command enables the active-active mode.
SI-Ext-A(config-tc-2)# sym-priority 255
NOTE: Do not use the same number on both ServerIrons. For example, enter sym-priority 1 on one of the
ServerIrons and sym-priority 255 on the other ServerIron.
The following commands add the paths through the firewalls to the other ServerIron. Each path consists of a path
number, a ServerIron port number, the IP address at the other end of the path, and the next-hop IP address. In this
example, the topology does not contain routers other than the ServerIrons. If your topology does contain other
routers, configure firewall paths for the routers too. For router paths, use the same IP address as the path
destination and the next hop.
NOTE: The path IDs must be in contiguous, ascending numerical order, starting with 1. For example, path
sequence 1, 2, 3, 4 is valid. Path sequence 4, 3, 2, 1 or 1, 3, 4, 5 is not valid.
SI-Ext-A(config-tc-2)# fwall-info 1 4/1 10.10.2.222 10.10.1.1
SI-Ext-A(config-tc-2)# fwall-info 2 3/1 10.10.2.222 10.10.1.2
SI-Ext-A(config-tc-2)# fwall-info 3 4/1 10.10.2.223 10.10.1.1
SI-Ext-A(config-tc-2)# fwall-info 4 3/1 10.10.2.223 10.10.1.2
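The path and priority rules above are easy to get wrong when a configuration is edited by hand, so here is an added example (not from the guide or from Brocade) that lints a ServerIron FWLB fragment against them: path IDs must run 1, 2, 3, ... without gaps or reordering, every path address must be a valid IPv4 address, a firewall path's next hop must be one of the defined fw-name addresses (a router path uses the same address as destination and next hop), and the two partner ServerIrons must not share a sym-priority value. The sample fragment is a constructed, flattened copy of the SI-Ext-A commands shown on this page; the partner's sym-priority of 1 is assumed from the NOTE above, and the rules about next hops are taken from the text rather than from any ServerIron validation the device itself performs.

```python
"""Lint the FWLB path and sym-priority settings of a ServerIron pair (added example)."""
import ipaddress
import re

# Constructed sample: the SI-Ext-A commands from this page, flattened into one
# text block (the real CLI enters sub-modes; the linter only needs the lines).
SI_EXT_A = """
server fw-name fw1 10.10.1.1
server fw-name fw2 10.10.1.2
server fw-group 2
sym-priority 255
fwall-info 1 4/1 10.10.2.222 10.10.1.1
fwall-info 2 3/1 10.10.2.222 10.10.1.2
fwall-info 3 4/1 10.10.2.223 10.10.1.1
fwall-info 4 3/1 10.10.2.223 10.10.1.2
"""

FW_NAME_RE = re.compile(r"^\s*server fw-name (\S+) (\S+)")
SYM_PRIO_RE = re.compile(r"^\s*sym-priority (\d+)")
PATH_RE = re.compile(r"^\s*fwall-info (\d+) (\d+/\d+) (\S+) (\S+)")


def parse_fwlb(text):
    """Return (firewall name -> IP, sym-priority, [(id, port, dest, next_hop)])."""
    firewalls, priority, paths = {}, None, []
    for line in text.splitlines():
        if m := FW_NAME_RE.match(line):
            firewalls[m.group(1)] = m.group(2)
        elif m := SYM_PRIO_RE.match(line):
            priority = int(m.group(1))
        elif m := PATH_RE.match(line):
            pid, port, dest, next_hop = m.groups()
            paths.append((int(pid), port, dest, next_hop))
    return firewalls, priority, paths


def lint_paths(firewalls, paths):
    """Check the fwall-info rules from the guide; return a list of problems (empty = OK)."""
    problems = []
    ids = [p[0] for p in paths]
    # Rule: path IDs contiguous, ascending, starting with 1 (4,3,2,1 and 1,3,4,5 fail).
    if ids != list(range(1, len(ids) + 1)):
        problems.append(f"path IDs must be 1..{len(ids)} in order, got {ids}")
    fw_ips = set(firewalls.values())
    for pid, port, dest, next_hop in paths:
        for addr in (dest, next_hop):
            try:
                ipaddress.IPv4Address(addr)
            except ValueError:
                problems.append(f"path {pid}: {addr!r} is not an IPv4 address")
        # Rule: a firewall path's next hop is a defined firewall; a router path
        # uses the same address as destination and next hop.
        if next_hop != dest and next_hop not in fw_ips:
            problems.append(
                f"path {pid}: next hop {next_hop} is neither a defined firewall "
                f"nor the path destination"
            )
    return problems


def lint_pair(prio_a, prio_b):
    """Rule: the two partner ServerIrons must not use the same sym-priority."""
    if prio_a is None or prio_b is None:
        return ["sym-priority missing on one ServerIron"]
    if prio_a == prio_b:
        return [f"both ServerIrons use sym-priority {prio_a}; use different values"]
    return []


if __name__ == "__main__":
    fws, prio, paths = parse_fwlb(SI_EXT_A)
    print(lint_paths(fws, paths) or "paths OK")
    # Partner value of 1 is assumed, following the NOTE in the guide.
    print(lint_pair(prio, 1) or "sym-priority OK")
```

Run the same linter over the partner ServerIron's fragment as well; the path destinations there are the SI-Ext-A side addresses, and the next hops are still the firewall interfaces facing that ServerIron.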
The following command sets the load balancing method to balance requests based on the firewall that has the
least number of connections for the requested service. Since the firewall definitions above specify the HTTP
service, the ServerIron will load balance requests based on the firewall that has fewer HTTP session entries in the
ServerIron session table.
SI-Ext-A(config-tc-2)# fw-predictor per-service-least-conn
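To make the difference between per-service and plain least-connections selection concrete, here is an added example (not from the guide or from Brocade) that models the predictor over a constructed session table. The table is invented: fw1 carries three HTTP sessions and fw2 carries one HTTP plus four FTP sessions, so a new HTTP request goes to fw2 under per-service-least-conn (fewer HTTP entries) even though fw2 has more sessions overall. The plain least-connections function is included only as the assumed point of contrast; the real ServerIron session table and tie-break order are not modelled beyond this.

```python
"""Model the per-service-least-conn predictor on a session table (added example)."""
from collections import Counter

# Constructed session table: (client, service, firewall) entries standing in for
# flows the ServerIron has already assigned to fw1 or fw2.
SESSIONS = [
    ("10.10.2.10", "http", "fw1"),
    ("10.10.2.11", "http", "fw1"),
    ("10.10.2.12", "http", "fw1"),
    ("10.10.2.13", "http", "fw2"),
    ("10.10.2.20", "ftp", "fw2"),
    ("10.10.2.21", "ftp", "fw2"),
    ("10.10.2.22", "ftp", "fw2"),
    ("10.10.2.23", "ftp", "fw2"),
]

# Assumed tie-break: the firewall defined first wins when counts are equal.
FIREWALLS = ["fw1", "fw2"]


def per_service_least_conn(sessions, service, firewalls=FIREWALLS):
    """Pick the firewall with the fewest session entries for the requested service."""
    counts = Counter(fw for _, svc, fw in sessions if svc == service)
    return min(firewalls, key=lambda fw: (counts[fw], firewalls.index(fw)))


def least_conn(sessions, firewalls=FIREWALLS):
    """Assumed contrast: fewest session entries regardless of service."""
    counts = Counter(fw for _, _, fw in sessions)
    return min(firewalls, key=lambda fw: (counts[fw], firewalls.index(fw)))


def assign(sessions, client, service):
    """Choose a firewall for a new request and record the resulting session entry."""
    fw = per_service_least_conn(sessions, service)
    sessions.append((client, service, fw))
    return fw


if __name__ == "__main__":
    print("per-service-least-conn for http:", per_service_least_conn(SESSIONS, "http"))
    print("plain least-conn:", least_conn(SESSIONS))
    table = list(SESSIONS)
    for client in ("10.10.2.30", "10.10.2.31", "10.10.2.32"):
        print(client, "->", assign(table, client, "http"))
```

Because the predictor only counts entries for the service the firewall definitions name (HTTP here), traffic for other services does not influence the choice; if the firewalls also carry other services you want balanced, define those ports on the fw-name entries too.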
The following command is part of the always-active feature, which provides the additional data link between
this ServerIron and its partner.
SI-Ext-A(config-tc-2)# l2-fwall
SI-Ext-A(config-tc-2)# exit
The following commands add static MAC entries for the firewall interfaces with the ServerIron. The static MAC
entries are required only if the configuration uses static routes and a single virtual routing interface, as in this
example, and if the default gateway for the client or server is the firewall. If the configuration uses a dynamic
routing protocol (for example, RIP or OSPF), the static entries are not required. Alternatively, the static entries are
not required if you use the ServerIron itself as the default gateway for the client or the server. For example, the
static entries are not required if you configure the client to use 10.10.1.111 as its default gateway.
SI-Ext-A(config)# vlan 1
SI-Ext-A(config-vlan-1)# static-mac-address 00e0.5201.0426 ethernet 4/1 priority 1 router-type
SI-Ext-A(config-vlan-1)# static-mac-address 00e0.5203.2f80 ethernet 3/1 priority 1 router-type
SI-Ext-A(config-vlan-1)# exit
The following commands assign FWLB processing for all forwarding modules to the same WSM CPU. The device
uses the same CPU to process all FWLB traffic. You must assign all the traffic to the same WSM CPU. The