Technical data
Firewall Load Balancing Guide
6 - 12 © 2012 Brocade Communications Systems, Inc. May 31, 2012
The l2-fwall command enables the L2-fwall option. This option blocks the Layer 2 traffic on the standby ServerIrons. If you do not enable this mode, Layer 2 traffic can pass through the ServerIrons, causing loops. Layer 3 traffic is automatically blocked on the standby ServerIrons, so you do not need to explicitly block the traffic. The always-active option (enabled in the default VLAN in commands described earlier) allows the standby ServerIron to still forward traffic by sending the traffic to the active ServerIron over the private link between the ServerIrons.
The sym-priority command specifies the priority of this ServerIron with respect to the other ServerIron for the firewalls in the firewall group. The priority can be from 0 – 255. The ServerIron with the higher priority is the default active ServerIron for the firewalls within the group.
NOTE: If you specify 0, the CLI removes the priority. When you save the configuration to the startup-config file, the sym-priority command is removed. Use this method to remove the priority. You cannot remove the priority using the no sym-priority command.
The following commands configure the firewall paths. In the configuration in Figure 6.2 on page 6-8, each ServerIron has nine paths:
• A path through FW1 to ServerIron Zone3-SI-A, the active ServerIron in zone 3.
• A path through FW2 to ServerIron Zone3-SI-A. (This path passes through the standby ServerIron, then through FW2.)
• A path through FW1 to ServerIron Zone3-SI-S, the standby ServerIron in zone 3.
• A path through FW2 to ServerIron Zone3-SI-S. (This path passes through the standby ServerIron.)
• A path through FW1 to ServerIron Zone2-SI-A.
• A path through FW2 to ServerIron Zone2-SI-A.
• A path through FW1 to ServerIron Zone2-SI-S.
• A path through FW2 to ServerIron Zone2-SI-S.
• A path to the router.
The ServerIron uses the firewall paths to load balance the firewall traffic across the two firewalls. As in other types of FWLB configurations, the paths must be fully meshed among the ServerIrons and firewalls. Thus, the ServerIron has a separate path through each of the firewalls to each of the ServerIrons in the other zones.
The ServerIron also uses the paths for checking the health of the links. If the link to a firewall becomes unavailable, the health checks let the ServerIron compensate by redirecting the traffic that normally goes through the unavailable firewall to the firewall that is still available. The results of the path health checks also play a role in the failover mechanism. Based on the health checks of the paths, the ServerIron determines how many zones it can access and how many firewall and router paths are good. If a path fails a health check, this can result in a failover to the other ServerIron. (See “Failover Algorithm” on page 6-9.)
Zone1-SI-A(config-tc-2)# fwall-info 1 1 209.157.23.11 209.157.24.1
Zone1-SI-A(config-tc-2)# fwall-info 2 1 209.157.23.12 209.157.24.1
Zone1-SI-A(config-tc-2)# fwall-info 3 16 209.157.23.11 209.157.24.254
Zone1-SI-A(config-tc-2)# fwall-info 4 16 209.157.23.12 209.157.24.254
Zone1-SI-A(config-tc-2)# fwall-info 5 1 209.157.25.15 209.157.24.1
Zone1-SI-A(config-tc-2)# fwall-info 6 1 209.157.25.16 209.157.24.1
Zone1-SI-A(config-tc-2)# fwall-info 7 16 209.157.25.15 209.157.24.254
Zone1-SI-A(config-tc-2)# fwall-info 8 16 209.157.25.16 209.157.24.254
Zone1-SI-A(config-tc-2)# fwall-info 9 5 209.157.24.250 209.157.24.250
Zone1-SI-A(config-tc-2)# exit
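As an added check that is not part of the Brocade guide, the following Python script parses fwall-info lines in the format shown above (path number, ServerIron port, far-end IP address, next-hop IP address) and verifies the full-mesh requirement, so a missing or duplicated path is caught in the configuration rather than surfacing later as a path health-check failure or an unexpected failover. It assumes, which the guide does not state, that a path whose far-end address equals its next hop is the router path and that each (port, next-hop) pair identifies one firewall.

```python
import re
from collections import defaultdict

# Constructed sample input: the nine fwall-info lines from the Zone1-SI-A
# configuration shown above, prompt included so the parser has to strip it.
FWALL_INFO_CONFIG = """\
Zone1-SI-A(config-tc-2)# fwall-info 1 1 209.157.23.11 209.157.24.1
Zone1-SI-A(config-tc-2)# fwall-info 2 1 209.157.23.12 209.157.24.1
Zone1-SI-A(config-tc-2)# fwall-info 3 16 209.157.23.11 209.157.24.254
Zone1-SI-A(config-tc-2)# fwall-info 4 16 209.157.23.12 209.157.24.254
Zone1-SI-A(config-tc-2)# fwall-info 5 1 209.157.25.15 209.157.24.1
Zone1-SI-A(config-tc-2)# fwall-info 6 1 209.157.25.16 209.157.24.1
Zone1-SI-A(config-tc-2)# fwall-info 7 16 209.157.25.15 209.157.24.254
Zone1-SI-A(config-tc-2)# fwall-info 8 16 209.157.25.16 209.157.24.254
Zone1-SI-A(config-tc-2)# fwall-info 9 5 209.157.24.250 209.157.24.250
"""

# Optional "<prompt># " prefix, then path number, port, far-end IP, next-hop IP.
FWALL_INFO_RE = re.compile(
    r"^\s*(?:\S+#\s*)?fwall-info\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s*$")

def parse_fwall_info(text):
    """Return [(path, port, far_end, next_hop)] for every fwall-info line."""
    paths = []
    for line in text.splitlines():
        m = FWALL_INFO_RE.match(line)
        if m:
            paths.append((int(m.group(1)), int(m.group(2)), m.group(3), m.group(4)))
    return paths

def check_full_mesh(paths):
    """Return a list of problems; empty means every firewall reaches every remote ServerIron.
    Assumption (not from the guide): a path whose far end equals its next hop is a router
    path; each other path goes through the firewall named by its (port, next-hop) pair."""
    problems = []
    numbers = [p[0] for p in paths]
    if len(numbers) != len(set(numbers)):
        problems.append("duplicate path numbers")
    if not any(far == nh for _, _, far, nh in paths):
        problems.append("no router path (far end == next hop) configured")
    reach = defaultdict(set)  # (port, next_hop) -> remote ServerIrons reached
    for _, port, far, nh in paths:
        if far != nh:
            reach[(port, nh)].add(far)
    remote = set().union(*reach.values()) if reach else set()
    for (port, nh), targets in sorted(reach.items()):
        for missing in sorted(remote - targets):
            problems.append(f"port {port} via {nh} has no path to {missing}")
    return problems
```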
Each fwall-info command consists of a path number, a ServerIron port number, the IP address at the other end of the path, and the next-hop IP address. The paths that pass through FW1 use ServerIron port 1, which is connected to FW1. The paths that pass through FW2 (by way of the standby ServerIron, Zone1-SI-S) use ServerIron port 16, which is connected to Zone1-SI-S. Note that the connection on port 16 is different from the private link between the two ServerIrons on ports 9 and 10. The connection on port 16 is in the same VLAN as the links to the routers and firewalls (the default VLAN, VLAN 1). The private link on ports 9 and 10 is in a separate