Technical data

Configuring Multizone FWLB
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 6 - 9
Configure a standard ACL for each zone the ServerIron is not a member of, except zone 1. The ACLs
identify the IP addresses or address ranges in the other zones. If you leave zone 1 undefined, all IP
addresses that are not in this ServerIron’s own sub-net and are not members of zones configured on the
ServerIron are assumed to be members of zone 1.
If the ServerIron is a member of zone 1, configure a standard ACL for all but one of the other zones. In this
example, configure an ACL for the DMZ zone (zone 3). The ServerIron will forward traffic that is not
addressed to its own sub-net and not addressed to zone 2, to the other zone (zone 3) automatically.
Configure firewall parameters:
Define the firewalls and add them to the firewall group. Each firewall consists of a name and the IP
address of its interface with the ServerIron.
Configure firewall group parameters:
Configure the zones. Each zone definition consists of a number, an optional name, and the ACL that
specifies the IP addresses in the zone.
Configure the paths and add static MAC entries for the firewall interfaces with the ServerIron. Configure a
separate path through each firewall to each ServerIron. You also need to configure a path from each
ServerIron to the router(s) attached to the ServerIron.
Specify the ServerIron priority. The ServerIron with the higher priority value is the ServerIron in the
active-standby pair that is active by default.
Save the configuration to the startup-config file.
Reload the software. This step is required to place the trunk groups into effect.
Failover Algorithm
ServerIrons in high-availability multi-zone FWLB configurations use the following criteria for failover:
Connection to zones – If one ServerIron in an active-standby pair has connectivity to more zones than
the other ServerIron, the ServerIron with connectivity to more zones is the active ServerIron.
Total number of good paths – If each ServerIron has connectivity to an equal number of zones, the ServerIron
with more good paths, within the configured tolerance, is the active ServerIron. The paths include firewall
paths and router paths. By default, the ServerIrons can tolerate up to half of the firewall paths and half the
router paths being down before failover based on good paths occurs. You can change the path tolerance.
Priority – If all the above metrics are equal on each ServerIron, the ServerIron with the higher priority is the
active ServerIron.
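The three failover criteria above, evaluated in order, modelled as a small decision function. This is an added illustration, not ServerIron code or its actual election logic; it assumes a unit is "degraded" once more than the tolerated fraction (default half) of either its firewall paths or its router paths is down, that path counts decide only when the two units differ in that respect, and that equal priority leaves the first unit active (the page does not say what happens then).

```python
from dataclasses import dataclass


@dataclass
class ServerIronState:
    """Observed health of one ServerIron in an active-standby pair (constructed model)."""
    name: str
    zones_reachable: int    # zones this unit currently has connectivity to
    fw_paths_up: int        # good firewall paths
    fw_paths_total: int
    rtr_paths_up: int       # good router paths
    rtr_paths_total: int
    priority: int           # configured ServerIron priority; higher is active by default


def paths_within_tolerance(up: int, total: int, tolerance: float) -> bool:
    """True while no more than `tolerance` of this path class is down (0.5 = half, the default)."""
    return (total - up) <= total * tolerance


def degraded(s: ServerIronState, tolerance: float) -> bool:
    """Assumption: a unit counts as degraded once either path class exceeds the tolerance."""
    return not (paths_within_tolerance(s.fw_paths_up, s.fw_paths_total, tolerance)
                and paths_within_tolerance(s.rtr_paths_up, s.rtr_paths_total, tolerance))


def choose_active(a: ServerIronState, b: ServerIronState, tolerance: float = 0.5) -> str:
    """Return the name of the unit that should be active, applying the criteria in order."""
    # 1. Connection to zones: more reachable zones wins outright.
    if a.zones_reachable != b.zones_reachable:
        return a.name if a.zones_reachable > b.zones_reachable else b.name
    # 2. Good paths, within tolerance: only a unit past its tolerance loses on this metric.
    a_bad, b_bad = degraded(a, tolerance), degraded(b, tolerance)
    if a_bad != b_bad:
        return b.name if a_bad else a.name
    if a_bad and b_bad:  # both past tolerance: the one with more good paths wins (assumption)
        a_good = a.fw_paths_up + a.rtr_paths_up
        b_good = b.fw_paths_up + b.rtr_paths_up
        if a_good != b_good:
            return a.name if a_good > b_good else b.name
    # 3. Priority: higher configured priority is active; equal priority keeps `a` (assumption).
    if a.priority != b.priority:
        return a.name if a.priority > b.priority else b.name
    return a.name


if __name__ == "__main__":
    # Constructed sample: one of two firewall paths down is within the default tolerance.
    si_a = ServerIronState("Zone1-SI-A", 3, 1, 2, 1, 1, priority=10)
    si_b = ServerIronState("Zone1-SI-B", 3, 2, 2, 1, 1, priority=5)
    print(choose_active(si_a, si_b))  # Zone1-SI-A
```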
Configuration Example for IronClad Multi-Zone FWLB
The following sections show all the ServerIron commands you would enter on each ServerIron to implement the
configuration shown in Figure 6.2 on page 6-8.
Most of the configuration tasks for multi-zone FWLB are the same as the tasks for other FWLB configurations.
See the other sections in this chapter for procedures.
Commands on Zone1-SI-A Zone 1
The following commands configure ServerIron “Zone1-SI-A”, on the left side of the zone 1 in Figure 6.2 on page 6-8.
The following commands change the device name, configure the management IP address, and specify the default
gateway. Notice that the management IP address is in the same sub-net as the firewall interface with the
ServerIron. If the ServerIron and the firewall are in different sub-nets, you need to configure source IP addresses
and enable source NAT.