Technical data
Configuring Multizone FWLB
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 6 - 5
ServerIron Zone1-SI receives a packet that is not addressed to the sub-net Zone1-SI is in, and is not addressed to
a sub-net in zone 2, the ServerIron assumes that the packet is for an address in the other zone, zone 3. The
ServerIron forwards the packet to the ServerIron in zone 3.
Zone1-SI(config)# access-list 2 permit 209.157.25.0 0.0.0.255
Although each zone in this example contains one Class C sub-net, you can configure ACLs for any range of
addresses and even for individual host addresses.
NOTE: This example shows a numbered ACL, instead of a named ACL. In the current ServerIron software
release, you must use numbered ACLs. The FWLB software does not support zone configuration based on named
ACLs.
The following commands configure the firewall group parameters. In this case, the commands configure the
firewall zones, add zone 2, and add the firewalls.
Zone1-SI(config)# server fw-group 2
Zone1-SI(config-tc-2)# fwall-zone Zone2 2 2
Zone1-SI(config-tc-2)# fw-name FW1
Zone1-SI(config-tc-2)# fw-name FW2
The fwall-zone command configures a firewall zone. To configure a zone, specify a name for the zone, then a
zone number (from 1 – 10), followed by the number of the standard ACL that specifies the IP addresses in the
zone. In this example, the ACL number and zone number are the same, but this is not required.
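The zone decision described above (local sub-net, then the zone ACLs, then the remaining zone as the catch-all), worked through as an added example. This is illustrative Python written for this page, not ServerIron code. It assumes the zone 1 sub-net is 209.157.24.0/24 (taken from the fwall-info next-hop addresses further down) and that zone 3 is the zone without an ACL; it also adds an overlap check the page does not describe, since a zone ACL that overlaps the local sub-net or another zone's ACL makes the decision ambiguous.

```python
import ipaddress

# Constructed example, not Brocade code: models how Zone1-SI decides which zone a
# destination belongs to. Zone 1 is the ServerIron's own sub-net (assumed
# 209.157.24.0/24), zone 2 is access-list 2 (209.157.25.0/24), and zone 3 is the
# "other zone" that receives everything matching neither.

LOCAL_ZONE = 1
LOCAL_SUBNET = ipaddress.ip_network("209.157.24.0/24")  # assumed from the next hops
OTHER_ZONE = 3  # the zone with no ACL: the catch-all

# Numbered standard ACLs as lists of (network, wildcard-mask) permit entries.
# "access-list 2 permit 209.157.25.0 0.0.0.255" -> ACLS[2]
ACLS = {
    2: [("209.157.25.0", "0.0.0.255")],
}

# "fwall-zone Zone2 2 2" -> zone number 2, named Zone2, addressed by ACL 2
ZONES = {2: ("Zone2", 2)}


def acl_permits(entries, ip):
    """Standard-ACL match: a wildcard bit of 1 means 'don't care'."""
    ip_i = int(ipaddress.IPv4Address(ip))
    for net, wildcard in entries:
        net_i = int(ipaddress.IPv4Address(net))
        care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
        if ip_i & care == net_i & care:
            return True
    return False


def zone_for(dst_ip, zones=ZONES, acls=ACLS, local_subnet=LOCAL_SUBNET,
             local_zone=LOCAL_ZONE, other_zone=OTHER_ZONE):
    """Return the zone number the ServerIron will forward dst_ip toward."""
    if ipaddress.IPv4Address(dst_ip) in local_subnet:
        return local_zone
    matched = [z for z, (_name, acl_no) in zones.items()
               if acl_permits(acls[acl_no], dst_ip)]
    if len(matched) > 1:
        # Two zone ACLs claim the same address: the configuration is ambiguous.
        raise ValueError(f"{dst_ip} matches zone ACLs {matched}")
    if matched:
        return matched[0]
    # Neither the local sub-net nor any configured zone ACL matched, so the
    # ServerIron assumes the packet is for the remaining zone.
    return other_zone


def check_zone_acls(zones=ZONES, acls=ACLS, local_subnet=LOCAL_SUBNET):
    """Return configuration problems: a zone ACL that overlaps the local
    sub-net or another zone's ACL would make zone_for ambiguous."""
    problems = []
    seen = []  # (zone, prefix) pairs already checked
    for z, (_name, acl_no) in zones.items():
        for net, wildcard in acls[acl_no]:
            wc = int(ipaddress.IPv4Address(wildcard))
            # Only a contiguous wildcard maps cleanly onto a prefix length.
            if wc & (wc + 1):
                problems.append(f"zone {z}: non-contiguous wildcard {wildcard}")
                continue
            prefix = ipaddress.ip_network((net, 32 - wc.bit_length()), strict=False)
            if prefix.overlaps(local_subnet):
                problems.append(f"zone {z}: {prefix} overlaps local sub-net {local_subnet}")
            for other_z, other_prefix in seen:
                if prefix.overlaps(other_prefix):
                    problems.append(f"zone {z}: {prefix} overlaps zone {other_z} {other_prefix}")
            seen.append((z, prefix))
    return problems
```

The point worth checking with this model is the catch-all: any destination that is neither local nor in a configured zone ACL, including addresses that belong to no zone at all, is forwarded toward zone 3, so the zone 3 ServerIron and its firewalls see whatever traffic the zone 2 ACL does not claim.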
The fw-name commands add the firewalls. Specify the names you entered when configuring the firewalls. In this
example, the names are “FW1” and “FW2”.
The following commands configure the firewall paths. In the configuration in Figure 6.1 on page 6-3, each
ServerIron has five paths:
• A path through FW1 to ServerIron Zone2
• A path through FW2 to ServerIron Zone2
• A path through FW1 to ServerIron Zone3
• A path through FW2 to ServerIron Zone3
• A path to the router
The ServerIron uses the firewall paths to load balance the firewall traffic across the two firewalls. As in other types
of FWLB configurations, the paths must be fully meshed among the ServerIrons and firewalls. Thus, the
ServerIron has a separate path through each of the firewalls to each of the ServerIrons in the other zones.
The ServerIron also uses the paths to check the health of the links. If the link to one firewall becomes unavailable, the
health check lets the ServerIron compensate by sending the traffic that normally goes through that firewall
through the firewall that is still available.
Zone1-SI(config-tc-2)# fwall-info 1 1 209.157.25.15 209.157.24.1
Zone1-SI(config-tc-2)# fwall-info 2 1 209.157.23.11 209.157.24.1
Zone1-SI(config-tc-2)# fwall-info 3 16 209.157.25.15 209.157.24.254
Zone1-SI(config-tc-2)# fwall-info 4 16 209.157.23.11 209.157.24.254
Zone1-SI(config-tc-2)# fwall-info 5 5 209.157.24.250 209.157.24.250
Zone1-SI(config-tc-2)# exit
Each fwall-info command consists of a path number, a ServerIron port number, the IP address at the other end of
the path, and the next-hop IP address. The paths that pass through FW1 use ServerIron port 1, which is
connected to FW1. The paths that pass through FW2 use ServerIron port 16.
Notice that the last path, unlike the other paths, has the same IP address for the destination and the next-hop for
the path. This path is a router path and ends at the router itself. The other paths are firewall paths and end at the
ServerIron at the other end of the firewall.
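The full-mesh requirement and the failover behaviour described for the paths, worked through as an added example over the fwall-info lines above. This is illustrative Python written for this page, not ServerIron code: it parses the five commands, checks that every firewall (identified by its next-hop address) has exactly one path to every remote ServerIron and that the router path is the single one whose destination equals its next hop, and then picks a path for a flow while skipping firewalls whose link is down. The flow_hash argument is an assumed stand-in for the ServerIron's own load-balancing choice.

```python
from collections import namedtuple

# Constructed example, not Brocade code: models the fwall-info path table on this
# page and the two properties the text says the ServerIron relies on: a full
# mesh of firewall paths, and shifting traffic off a firewall whose link is down.

Path = namedtuple("Path", "number port destination next_hop")

# The "fwall-info <path> <port> <destination> <next-hop>" lines from the page
FWALL_INFO = """
fwall-info 1 1 209.157.25.15 209.157.24.1
fwall-info 2 1 209.157.23.11 209.157.24.1
fwall-info 3 16 209.157.25.15 209.157.24.254
fwall-info 4 16 209.157.23.11 209.157.24.254
fwall-info 5 5 209.157.24.250 209.157.24.250
"""


def parse_fwall_info(text):
    paths = []
    for line in text.strip().splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "fwall-info":
            raise ValueError(f"unrecognised line: {line!r}")
        paths.append(Path(int(fields[1]), int(fields[2]), fields[3], fields[4]))
    return paths


def is_router_path(p):
    # A router path ends at the router itself: destination equals next hop.
    return p.destination == p.next_hop


def firewall_paths(paths):
    return [p for p in paths if not is_router_path(p)]


def check_full_mesh(paths):
    """Return a list of problems; an empty list means the mesh is complete."""
    fw = firewall_paths(paths)
    firewalls = sorted({p.next_hop for p in fw})
    remotes = sorted({p.destination for p in fw})
    problems = []
    for nh in firewalls:
        for dst in remotes:
            n = sum(1 for p in fw if p.next_hop == nh and p.destination == dst)
            if n != 1:
                problems.append(f"{n} paths via {nh} to {dst} (expected 1)")
        # Each firewall hangs off one ServerIron port (port 1 for FW1, 16 for FW2).
        ports = {p.port for p in fw if p.next_hop == nh}
        if len(ports) != 1:
            problems.append(f"firewall {nh} reached on ports {sorted(ports)}")
    if sum(1 for p in paths if is_router_path(p)) != 1:
        problems.append("expected exactly one router path")
    return problems


def choose_path(paths, remote_si, down_next_hops=frozenset(), flow_hash=0):
    """Pick a healthy firewall path to remote_si. flow_hash (assumed) spreads
    flows across the healthy paths; a firewall whose link health check has
    failed is skipped, so its share moves to the firewall still available."""
    candidates = [p for p in firewall_paths(paths)
                  if p.destination == remote_si and p.next_hop not in down_next_hops]
    if not candidates:
        raise RuntimeError(f"no healthy path to {remote_si}")
    candidates.sort(key=lambda p: p.number)
    return candidates[flow_hash % len(candidates)]


PATHS = parse_fwall_info(FWALL_INFO)
```

Dropping path 4 from the table makes check_full_mesh report that FW2 (209.157.24.254) has no path to the zone 3 ServerIron; with path 4 present, taking FW1 down moves the zone 2 and zone 3 traffic onto paths 3 and 4, and only when both firewalls are down is there no path at all.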
The following commands add static entries to the ServerIron’s MAC table for the firewall interfaces.
Zone1-SI(config)# static-mac-address abcd.5200.348d ethernet 1 high-priority router-type