Technical data

Firewall Load Balancing Guide
6 - 10 © 2012 Brocade Communications Systems, Inc. May 31, 2012
In this configuration, the default gateway for each ServerIron is the IP address of the firewall interface with that
ServerIron. In this case, the IP address is the address of firewall FW1’s interface with this ServerIron.
ServerIron(config)# hostname Zone1-SI-A
Zone1-SI-A(config)# ip address 209.157.24.13 255.255.255.0
Zone1-SI-A(config)# ip default-gateway 209.157.24.1
The following command disables the Spanning Tree Protocol (STP). You must disable STP on all the devices in
this type of FWLB configuration.
Zone1-SI-A(config)# no span
The following commands enable FWLB. Enter the commands exactly as shown for all FWLB configurations. The
“0” parameter is required and enables the ServerIron to provide FWLB for all packets of the specified type (TCP or
UDP). FWLB is enabled globally. You cannot enable the feature locally, on individual ports.
Zone1-SI-A(config)# ip policy 1 fw tcp 0 global
Zone1-SI-A(config)# ip policy 2 fw udp 0 global
The following command identifies the router port, which is the ServerIron port connected to a router. In the
example in Figure 6.2 on page 6-8, each ServerIron has one router port.
Zone1-SI-A(config)# server router-ports 5
The following commands identify the port for the link to the other ServerIron. If the link is a trunk group, enter the
primary port number. In this example, the link is a trunk group made of ports 9 and 10, but you only need to specify
port 9, the trunk group’s primary port.
The commands also create a trunk group for the ports that connect this ServerIron to its high-availability partner,
then create a separate port-based VLAN containing the ports in the trunk group. Always configure the private link
between the active and standby ServerIron in a separate port-based VLAN. Add the ports as untagged ports.
Using a trunk group for the link between the active and standby ServerIrons is not required, but using a trunk
group adds an additional level of redundancy for enhanced availability. If one of the ports in a trunk group goes
down, the link remains intact as long as the other port remains up. Make sure you configure a server trunk group,
not a switch trunk group. The default trunk group type is switch, so you must specify the server option. Trunk
groups require a software reload to take effect, so after you complete the ServerIron configuration and save the
configuration to flash memory, you need to reload the software.
Notice that the server fw-port command (which identifies the port connected to the other ServerIron) refers to
only one port, even though the link is actually a multiple-port trunk group. This port number is the primary port of
the trunk group. If you use a trunk group for the private link between the active and standby ServerIrons, refer to
the group by its primary port, in this case port 9.
Zone1-SI-A(config)# server fw-port 9
Zone1-SI-A(config)# trunk server ethernet 9 to 10
Zone1-SI-A(config)# vlan 10 by port
Zone1-SI-A(config-vlan-10)# untagged 9 to 10
Zone1-SI-A(config-vlan-10)# exit
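The rules stated above (STP disabled, both FWLB policies global with the "0" parameter, a server trunk rather than a switch trunk, fw-port equal to the trunk's primary port, and the private-link ports untagged in their own port-based VLAN) can be checked mechanically before the reload. The following is an added example checker, not Brocade code; it assumes the primary port is the first port of the trunk ... ethernet A to B range, as in the example, and the sample config is constructed from the commands shown above.

```python
import re

# Constructed sample: the Zone1-SI-A commands shown above, in running-config form.
SAMPLE_CONFIG = """\
hostname Zone1-SI-A
ip address 209.157.24.13 255.255.255.0
ip default-gateway 209.157.24.1
no span
ip policy 1 fw tcp 0 global
ip policy 2 fw udp 0 global
server router-ports 5
server fw-port 9
trunk server ethernet 9 to 10
vlan 10 by port
 untagged 9 to 10
 exit
"""

def check_fwlb_config(text):
    """Return the list of rule violations found (an empty list means all rules pass)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    problems = []
    if "no span" not in lines:
        problems.append("STP must be disabled (no span)")
    for proto in ("tcp", "udp"):  # both policies need the required "0" and "global"
        if not any(re.fullmatch(rf"ip policy \d+ fw {proto} 0 global", l) for l in lines):
            problems.append(f"missing 'ip policy <n> fw {proto} 0 global'")
    fw_port = trunk = current_vlan = None
    vlan_ports = {}  # port-based VLAN id -> set of untagged member ports
    for l in lines:
        if m := re.fullmatch(r"server fw-port (\d+)", l):
            fw_port = int(m.group(1))
        elif m := re.fullmatch(r"trunk (server|switch) ethernet (\d+) to (\d+)", l):
            trunk = (m.group(1), int(m.group(2)), int(m.group(3)))
        elif m := re.fullmatch(r"vlan (\d+) by port", l):
            current_vlan = int(m.group(1))
        elif (m := re.fullmatch(r"untagged (\d+) to (\d+)", l)) and current_vlan:
            vlan_ports.setdefault(current_vlan, set()).update(range(int(m.group(1)), int(m.group(2)) + 1))
        elif l == "exit":
            current_vlan = None
    if fw_port is None:
        problems.append("missing 'server fw-port'")
    if trunk:
        kind, lo, hi = trunk  # assumption: primary port is the first port of the range
        if kind != "server":
            problems.append("private-link trunk must be a server trunk, not a switch trunk")
        if fw_port is not None and fw_port != lo:
            problems.append(f"fw-port {fw_port} is not the trunk's primary port {lo}")
        # The private link must sit in its own port-based VLAN with the ports added untagged.
        if not any(set(range(lo, hi + 1)) <= ports for ports in vlan_ports.values()):
            problems.append(f"trunk ports {lo}-{hi} are not untagged in a separate port-based VLAN")
    return problems
```

Run check_fwlb_config on a saved running-config before the reload; a non-empty list names the rule that was missed.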
The following commands enable the always-active option on the default VLAN.
The default VLAN contains all the ports you have not placed in other port-based VLANs. In this configuration, the
default VLAN contains all ports except ports 9 and 10, which are used for the private link between the active and
standby ServerIrons.
The always-active option enables the standby ServerIron to forward traffic by sending it through the active
ServerIron. This option is useful in configurations where you need to enable the L2-fwall option (to prevent Layer 2
loops through the standby ServerIron), but you also need to allow traffic to pass through the standby ServerIron
because that ServerIron is the only path for some traffic.
Without the always-active option, the standby ServerIron blocks all traffic. As a result, if the router connected to the
standby ServerIron forwards client traffic addressed to a server in the DMZ, the traffic is blocked by the standby
ServerIron. However, when the always-active option is enabled, the standby ServerIron forwards traffic to its active
partner ServerIron, which then forwards the traffic to its destination.
In some configurations, you do not need the L2-fwall option or the always-active option. However, configurations
that do not use these options compensate with redundant links and sometimes extra Layer 2 switches. For