Technical data
Configuring Multizone FWLB
May 31, 2012 © 2012 Brocade Communications Systems, Inc. 6 - 11
example, if each ServerIron in Figure 6.2 on page 6-8 had links to both routers in its zone and also to both
firewalls, and if Layer 2 switches were added to the configuration to allow STP to prevent Layer 2 loops, then it is
possible that neither the l2-fwall nor the always-active option would be required.
In the configuration in Figure 6.2 on page 6-8, each router and firewall is connected to only one of the two
ServerIrons in an active-standby pair. Neither the routers nor the firewalls have direct links (or links through Layer
2 switches) to both the active and standby ServerIrons in their zones.
Using the L2-fwall and always-active options allows you to simplify the network topology while still obtaining the
benefits of the IronClad (high-availability) configuration. Use the following commands to enable the always-active
option in the default VLAN (VLAN 1). You enable the L2-fwall option when you configure firewall group parameters
(see below).
Zone1-SI-A(config)# vlan 1
Zone1-SI-A(config-vlan-1)# always-active
Zone1-SI-A(config-vlan-1)# exit
The following commands add the firewalls.
Zone1-SI-A(config)# server fw-name FW1 209.157.24.1
Zone1-SI-A(config-rs-FW1)# exit
Zone1-SI-A(config)# server fw-name FW2 209.157.24.254
Zone1-SI-A(config-rs-FW2)# exit
The names are specific to the ServerIron and do not need to correspond to any name parameters on the firewalls
themselves. The IP addresses are the addresses of the firewall interfaces that connect to the ServerIron.
The following command configures an Access Control List (ACL) for the IP addresses in one of the zones this
ServerIron is not in. In this configuration, only one zone definition is required on each ServerIron, including Zone1-
SI-A and Zone1-SI-S. Since the active Zone 1 ServerIron is already in zone 1, the ServerIron will forward packets
either to the active ServerIron in zone 2 or to the only other active ServerIron that is not in zone 2. In this case, that
other active ServerIron is in zone 3. Thus, if ServerIron Zone1-SI-A receives a packet that is not addressed to the
sub-net Zone1-SI-A is in, and is not addressed to a sub-net in zone 2, the ServerIron assumes that the packet is
for an address in the other zone, zone 3. The ServerIron forwards the packet to the ServerIron in zone 3.
The command configures an ACL for the addresses in zone 2, which contains addresses in the 209.157.25.x/24
sub-net. The “0.0.0.255” value is a wildcard mask that indicates which bits of the IP address you specify are
significant: a 0 bit in the mask means the corresponding address bit must match, and a 1 bit means it is ignored. In
this case, all bits except the ones in the last octet of the address are significant.
Zone1-SI-A(config)# access-list 2 permit 209.157.25.0 0.0.0.255
Although each zone in this example contains one Class C sub-net, you can configure ACLs for any range of
addresses and even for individual host addresses.
NOTE: This example shows a numbered ACL, instead of a named ACL. In the current ServerIron software
release, you must use numbered ACLs. The FWLB software does not support zone configuration based on named
ACLs.
The following commands configure the firewall group parameters. In this case, the commands configure the
firewall zones, add the firewalls, enable the L2-fwall option, and set the active-standby priority.
Zone1-SI-A(config)# server fw-group 2
Zone1-SI-A(config-tc-2)# fwall-zone Zone2 2 2
Zone1-SI-A(config-tc-2)# fw-name FW1
Zone1-SI-A(config-tc-2)# fw-name FW2
Zone1-SI-A(config-tc-2)# l2-fwall
Zone1-SI-A(config-tc-2)# sym-priority 255
The fwall-zone command configures a firewall zone. To configure a zone, specify a name for the zone, then a
zone number (from 1 – 10), followed by the number of the standard ACL that specifies the IP addresses in the
zone. In this example, the ACL numbers and zone numbers are the same, but this is not required.
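To show how a zone ACL and the forwarding decision described above fit together, here is an added Python model (not ServerIron code or output): it parses numbered standard-ACL lines with wildcard masks and applies the decision in the order the text describes, assuming the zone 1 sub-net is 209.157.24.0/24 and that zone 3 is the remaining zone with no ACL of its own.

```python
import ipaddress
import re

# Constructed inputs for this example: the ACL line and fwall-zone mapping from
# this page, plus an assumed zone 1 sub-net (not stated on the page).
LOCAL_ZONE = 1
LOCAL_SUBNET = ipaddress.ip_network("209.157.24.0/24")   # assumption
OTHER_ZONE = 3                                            # zone with no explicit ACL
ACL_LINES = ["access-list 2 permit 209.157.25.0 0.0.0.255"]
ZONE_ACLS = {2: 2}   # "fwall-zone Zone2 2 2": zone number 2 uses ACL 2

ACL_RE = re.compile(r"access-list (\d+) (permit|deny) (\S+) (\S+)$")


def parse_acl(lines):
    """Return {acl_number: [(action, network_int, wildcard_int), ...]}."""
    acls = {}
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed ACL line: {line!r}")
        num, action, addr, wildcard = m.groups()
        entry = (action,
                 int(ipaddress.IPv4Address(addr)),
                 int(ipaddress.IPv4Address(wildcard)))
        acls.setdefault(int(num), []).append(entry)
    return acls


def acl_matches(entries, ip):
    """Wildcard-mask match: 0 bits in the mask must match, 1 bits are ignored.
    The first matching entry decides; no match is an implicit deny."""
    ip_int = int(ipaddress.IPv4Address(ip))
    for action, net, wild in entries:
        mask = wild ^ 0xFFFFFFFF          # turn the wildcard into a compare mask
        if (ip_int & mask) == (net & mask):
            return action == "permit"
    return False


def next_zone(dst_ip, acls=None):
    """Zone the ServerIron forwards toward: own sub-net first, then any zone
    whose ACL permits the address, otherwise the remaining zone."""
    acls = acls if acls is not None else parse_acl(ACL_LINES)
    if ipaddress.IPv4Address(dst_ip) in LOCAL_SUBNET:
        return LOCAL_ZONE
    for zone, acl_num in ZONE_ACLS.items():
        if acl_matches(acls.get(acl_num, []), dst_ip):
            return zone
    # Anything unmatched, including addresses outside every zone, goes to zone 3.
    return OTHER_ZONE
```

Because the last step is a catch-all, any destination not covered by the local sub-net or an explicit zone ACL is sent toward zone 3, which is worth checking when auditing a multizone configuration.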
The fw-name commands add the firewalls. Specify the names you entered when configuring the firewalls. In this
example, the names are “FW1” and “FW2”.