Technical data
Firewall Load Balancing Guide
6 - 14 © 2012 Brocade Communications Systems, Inc. May 31, 2012
Zone1-SI-S(config)# server fw-port 9
Zone1-SI-S(config)# trunk switch ethernet 9 to 10
Zone1-SI-S(config)# vlan 10 by port
Zone1-SI-S(config-vlan-10)# untagged 9 to 10
Zone1-SI-S(config-vlan-10)# exit
Zone1-SI-S(config)# vlan 1
Zone1-SI-S(config-vlan-1)# always-active
Zone1-SI-S(config-vlan-1)# exit
Zone1-SI-S(config)# server fw-name FW1 209.157.24.1
Zone1-SI-S(config-rs-FW1)# exit
Zone1-SI-S(config)# server fw-name FW2 209.157.24.254
Zone1-SI-S(config-rs-FW2)# exit
Zone1-SI-S(config)# access-list 2 permit 209.157.25.0 0.0.0.255
Zone1-SI-S(config)# server fw-group 2
Zone1-SI-S(config-tc-2)# fwall-zone Zone2 2 2
Zone1-SI-S(config-tc-2)# fw-name FW1
Zone1-SI-S(config-tc-2)# fw-name FW2
Zone1-SI-S(config-tc-2)# l2-fwall
Zone1-SI-S(config-tc-2)# sym-priority 1
Zone1-SI-S(config-tc-2)# fwall-info 1 16 209.157.23.11 209.157.24.1
Zone1-SI-S(config-tc-2)# fwall-info 2 16 209.157.23.12 209.157.24.1
Zone1-SI-S(config-tc-2)# fwall-info 3 1 209.157.23.11 209.157.24.254
Zone1-SI-S(config-tc-2)# fwall-info 4 1 209.157.23.12 209.157.24.254
Zone1-SI-S(config-tc-2)# fwall-info 5 16 209.157.25.15 209.157.24.1
Zone1-SI-S(config-tc-2)# fwall-info 6 16 209.157.25.16 209.157.24.1
Zone1-SI-S(config-tc-2)# fwall-info 7 1 209.157.25.15 209.157.24.254
Zone1-SI-S(config-tc-2)# fwall-info 8 1 209.157.25.16 209.157.24.254
Zone1-SI-S(config-tc-2)# fwall-info 9 5 209.157.24.251 209.157.24.251
Zone1-SI-S(config-tc-2)# exit
Zone1-SI-S(config)# vlan 1
Zone1-SI-S(config-vlan-1)# static-mac-address abcd.5200.348d ethernet 1 high-priority router-type
Zone1-SI-S(config-vlan-1)# static-mac-address abcd.5200.0b50 ethernet 16 high-priority router-type
Zone1-SI-S(config-vlan-1)# exit
Zone1-SI-S(config)# write memory
Zone1-SI-S(config)# exit
Zone1-SI-S# reload
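The path rule this guide states for these ServerIrons (a path through each firewall to each ServerIron in the other zones, plus a path to the directly attached router) can be checked mechanically before a configuration is saved. The following Python audit is an added example, not part of the Brocade guide; the function name audit_paths is hypothetical, and the fwall-info argument order (path ID, port, destination, next hop) and the router-path pattern (destination equal to next hop, as in path 9) are assumptions read off the listing above.

```python
import re
from collections import defaultdict

# fw-name and fwall-info lines copied from the Zone1-SI-S listing above, prompts stripped.
CONFIG = """\
server fw-name FW1 209.157.24.1
server fw-name FW2 209.157.24.254
fwall-info 1 16 209.157.23.11 209.157.24.1
fwall-info 2 16 209.157.23.12 209.157.24.1
fwall-info 3 1 209.157.23.11 209.157.24.254
fwall-info 4 1 209.157.23.12 209.157.24.254
fwall-info 5 16 209.157.25.15 209.157.24.1
fwall-info 6 16 209.157.25.16 209.157.24.1
fwall-info 7 1 209.157.25.15 209.157.24.254
fwall-info 8 1 209.157.25.16 209.157.24.254
fwall-info 9 5 209.157.24.251 209.157.24.251
"""

IP = r"(\d+(?:\.\d+){3})"
FW_RE = re.compile(r"server fw-name (\S+) " + IP)
# Assumed argument order, read off the listing: path ID, port, destination, next hop.
PATH_RE = re.compile(r"fwall-info (\d+) (\d+) " + IP + " " + IP)

def audit_paths(config):
    """Return a list of findings; an empty list means the path set is complete."""
    firewalls = {ip: name for name, ip in FW_RE.findall(config)}
    via = defaultdict(set)          # remote ServerIron -> firewalls its paths cross
    findings, seen_ids, router_paths = [], set(), 0
    for pid, _port, dest, hop in PATH_RE.findall(config):
        if pid in seen_ids:
            findings.append(f"path {pid}: duplicate path ID")
        seen_ids.add(pid)
        if dest == hop:             # router path, as in path 9 of the listing
            router_paths += 1
        elif hop in firewalls:
            via[dest].add(firewalls[hop])
        else:
            findings.append(f"path {pid}: next hop {hop} is not a configured firewall")
    for dest, crossed in sorted(via.items()):
        missing = sorted(set(firewalls.values()) - crossed)
        if missing:
            findings.append(f"{dest}: no path through {', '.join(missing)}")
    if router_paths == 0:
        findings.append("no path to a directly attached router")
    return findings

if __name__ == "__main__":
    print(audit_paths(CONFIG) or "all paths present")
```

A missing path means traffic toward that ServerIron can cross only the remaining firewall, so load balancing and failover for that destination are lost without any error at configuration time.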
Commands on Zone2-SI-A in Zone 2
The following commands configure ServerIron “Zone2-SI-A”, on the left side of zone 2 in Figure 6.2 on page 6-8.
The configuration is similar to the one for the active ServerIron in zone 1, with the following exceptions:
• The management IP address is different.
• The default gateway goes to a different interface on FW1.
• The paths are different due to the ServerIron’s placement in the network. (However, like Zone1-SI-A and
Zone1-SI-S, ServerIron Zone1-SI-S has a path through each firewall to each of the ServerIrons in the other
zones, and has a path to its directly attached router.)
• Only one ACL and zone definition are configured, for zone 3. Since this ServerIron is in zone 2, the
configuration does not include an ACL and zone definition for that zone. This ServerIron also does not contain
an ACL or zone definition for zone 1. As a result, by default this ServerIron forwards to zone 1 any packets that
are not addressed to the ServerIron’s own sub-net or to a sub-net in zone 3.
ServerIron(config)# hostname Zone2-SI-A
Zone2-SI-A(config)# ip address 209.157.24.15 255.255.255.0
Zone2-SI-A(config)# ip default-gateway 209.157.25.1
Zone2-SI-A(config)# no span