Technical data
Firewall Load Balancing Guide
6 - 4 © 2012 Brocade Communications Systems, Inc. May 31, 2012
• Configure the paths and add static MAC entries for the firewall interfaces with the ServerIron. Configure a
separate path through each firewall to each ServerIron. You also need to configure a path from each
ServerIron to the router(s) attached to the ServerIron.
• Save the configuration to the startup-config file.
Configuration Example for Basic Multi-Zone FWLB
The following sections show all the ServerIron commands you would enter on each ServerIron to implement the
configuration shown in Figure 6.1 on page 6-3.
Most of the configuration tasks for multi-zone FWLB are the same as the tasks for other FWLB configurations.
See the other sections in this chapter for procedures.
Commands on ServerIron Zone1-SI
The following commands configure ServerIron “Zone1-SI” in zone 1 in Figure 6.1 on page 6-3.
The first set of commands changes the device name, configures the management IP address, and specifies the
default gateway. Notice that the management IP address is in the same sub-net as the firewall interface with the
ServerIron. If the ServerIron and the firewall are in different sub-nets, you need to configure source IP addresses
and enable source NAT.
In this configuration, the default gateway is the IP address of one of the firewall interfaces with the ServerIron.
In this case, it is the address of firewall FW1’s interface with this ServerIron.
ServerIron(config)# hostname Zone1-SI
Zone1-SI(config)# ip address 209.157.24.13 255.255.255.0
Zone1-SI(config)# ip default-gateway 209.157.24.1
The following command disables the Spanning Tree Protocol (STP). You must disable STP on all the devices in
this type of FWLB configuration.
Zone1-SI(config)# no span
The following commands enable FWLB. Enter the commands exactly as shown for all FWLB configurations. The
“0” parameter is required and enables the ServerIron to provide FWLB for all packets of the specified type (TCP or
UDP). FWLB is enabled globally. You cannot enable the feature locally, on individual ports.
Zone1-SI(config)# ip policy 1 fw tcp 0 global
Zone1-SI(config)# ip policy 2 fw udp 0 global
The following command identifies the router port, which is the ServerIron port connected to a router. In the
example in Figure 6.1 on page 6-3, each ServerIron has one router port. If the link is a trunk group, enter the
primary port number. In this example, the router port is port 5.
Zone1-SI(config)# server router-ports 5
The following commands add the firewalls.
Zone1-SI(config)# server fw-name FW1 209.157.24.1
Zone1-SI(config-rs-FW1)# exit
Zone1-SI(config)# server fw-name FW2 209.157.24.254
Zone1-SI(config-rs-FW2)# exit
The names are specific to the ServerIron and do not need to correspond to any name parameters on the firewalls
themselves. The IP addresses are the addresses of the firewall interfaces with the ServerIron.
The following command configures an Access Control List (ACL) for the IP addresses in the DMZ zone (zone 2).
The command configures a standard ACL matching the addresses in zone 2, which are in the 209.157.25.x/24
sub-net. The “0.0.0.255” value is a wildcard mask, not a network mask: a 0 bit means that bit of the packet’s address
must match the address you specify, and a 1 bit means the bit is ignored. In this case, all bits except the ones in the
last octet of the address must match.
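Two of the checks above are easy to get wrong when the configuration is built by hand: whether the management address, default gateway and firewall interfaces really share a sub-net (otherwise the page says you need source IP addresses and source NAT), and what a standard-ACL wildcard mask actually matches. The following Python is an added example written for this guide, not Brocade code or ServerIron CLI; it models those two rules offline on the Zone1-SI values from this page. The function names and the extra firewall/ACL values used to show the negative cases are constructed for illustration.

```python
import ipaddress

# Values taken from the Zone1-SI example on this page (constructed test data).
MGMT_IP = "209.157.24.13"
MGMT_MASK = "255.255.255.0"
DEFAULT_GW = "209.157.24.1"
FIREWALLS = {"FW1": "209.157.24.1", "FW2": "209.157.24.254"}
# Standard ACL for zone 2: (address, wildcard mask) as entered on the CLI.
ZONE2_ACL = ("209.157.25.0", "0.0.0.255")


def same_subnet(addr_a: str, addr_b: str, netmask: str) -> bool:
    """True if addr_b lies in the sub-net that addr_a/netmask belongs to."""
    net = ipaddress.IPv4Network((addr_a, netmask), strict=False)
    return ipaddress.IPv4Address(addr_b) in net


def needs_source_nat(mgmt_ip: str, netmask: str, firewalls: dict) -> list:
    """Names of firewalls whose ServerIron-facing interface is NOT in the
    management sub-net. Per the guide, those require a source IP address
    and source NAT on the ServerIron."""
    return [name for name, ip in firewalls.items()
            if not same_subnet(mgmt_ip, ip, netmask)]


def gateway_is_firewall_interface(gw: str, firewalls: dict,
                                  mgmt_ip: str, netmask: str) -> bool:
    """The default gateway must be one of the configured firewall interfaces
    and must be reachable from the management sub-net."""
    return gw in firewalls.values() and same_subnet(mgmt_ip, gw, netmask)


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Standard-ACL semantics: a 0 bit in the wildcard must match the base
    address, a 1 bit is ignored. This is the inverse of a network mask and,
    unlike a network mask, the wildcard does not have to be contiguous."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    keep = ~w & 0xFFFFFFFF          # bits the ACL actually compares
    return (a & keep) == (b & keep)


def in_zone2(addr: str) -> bool:
    """Would the zone-2 ACL on this page classify addr as a DMZ address?"""
    return wildcard_match(addr, *ZONE2_ACL)


if __name__ == "__main__":
    print("firewalls needing source NAT:",
          needs_source_nat(MGMT_IP, MGMT_MASK, FIREWALLS))
    print("default gateway valid:",
          gateway_is_firewall_interface(DEFAULT_GW, FIREWALLS, MGMT_IP, MGMT_MASK))
    for ip in ("209.157.25.77", "209.157.24.1"):
        print(ip, "in zone 2:", in_zone2(ip))
```

The non-contiguous case in the test (wildcard 0.0.2.0) is the reason the wildcard is modelled bit-by-bit rather than converted to a prefix length: a netmask-based check would silently accept or reject the wrong addresses for such an entry.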
In this configuration, only one zone definition is required on each ServerIron, including Zone1-SI. Since the Zone1-
SI ServerIron is already in zone 1, the ServerIron will forward packets either to the ServerIron in zone 2 or to the
only other ServerIron that is not in zone 2. In this case, the only other ServerIron is the one in zone 3. Thus, if