Firewall Load Balancing Guide
6 - 20 © 2012 Brocade Communications Systems, Inc. May 31, 2012
Figure 6.4 Multizone FWLB with One Sub-net and One Virtual Routing Interface
This configuration example also uses SLB. The application servers connected to the ServerIrons in zones 2 and 3
are configured on the ServerIrons as real servers and bound to a VIP. The ServerIrons in zone 1 load balance
client requests for the servers in zones 2 and 3, in addition to load balancing the traffic to the firewalls.
FWLB-to-SLB and SLB-to-FWLB are used in this configuration. FWLB-to-SLB enables the ServerIrons in zones 2 and 3 to
learn the firewall from which a client request is received and send the server reply back through the same firewall.
SLB-to-FWLB on the ServerIrons in zone 1 performs FWLB for traffic directed toward the real servers connected
to the ServerIrons in zones 2 and 3.
Commands on Zone 1’s Active ServerIron (Zone1-SI-A)
The following commands change the CLI to the global CONFIG level, then change the hostname to “Zone1-SI-A”.
ServerIron> enable
ServerIron# configure terminal
ServerIron(config)# hostname Zone1-SI-A
The following commands enable the always-active feature and disable the Spanning Tree Protocol (STP) in
VLAN 1, which contains the ports that will carry the FWLB traffic.
Zone1-SI-A(config)# vlan 1
Zone1-SI-A(config-vlan-1)# always-active
Zone1-SI-A(config-vlan-1)# no spanning-tree
The following commands configure a virtual routing interface on VLAN 1 (the default VLAN), then configure an IP
address on the interface. The virtual routing interface is associated with all the ports in the VLAN.
Zone1-SI-A(config-vlan-1)# router-interface ve 1
Zone1-SI-A(config-vlan-1)# exit
Zone1-SI-A(config)# interface ve 1
Zone1-SI-A(config-ve-1)# ip address 10.10.1.111 255.255.255.0
Zone1-SI-A(config-ve-1)# exit
The following command configures an IP default route. The next hop for this route is the ServerIron’s interface with
firewall FW1.
Zone1-SI-A(config)# ip route 0.0.0.0 0.0.0.0 10.10.1.1
The following command disables ICMP redirect messages. The ServerIron stops sending the redirects but
still forwards misdirected traffic to the appropriate router.
Zone1-SI-A(config)# no ip icmp redirects
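The following Python code is an added example, not part of the Brocade guide. It parses a CLI transcript in the prompt format shown above and reports deviations from the Zone1-SI-A settings this section describes. The function names, the reading of the parenthesised prompt text as the CLI mode, and the check that the default-route next hop lies on the ve 1 subnet are assumptions of the example.

```python
import ipaddress
import re

# Configuration-mode commands from the page (prompts included).
TRANSCRIPT = """\
ServerIron(config)# hostname Zone1-SI-A
Zone1-SI-A(config)# vlan 1
Zone1-SI-A(config-vlan-1)# always-active
Zone1-SI-A(config-vlan-1)# no spanning-tree
Zone1-SI-A(config-vlan-1)# router-interface ve 1
Zone1-SI-A(config-vlan-1)# exit
Zone1-SI-A(config)# interface ve 1
Zone1-SI-A(config-ve-1)# ip address 10.10.1.111 255.255.255.0
Zone1-SI-A(config-ve-1)# exit
Zone1-SI-A(config)# ip route 0.0.0.0 0.0.0.0 10.10.1.1
Zone1-SI-A(config)# no ip icmp redirects
"""
# Prompt shape assumed from the transcript: host, optional (mode), then > or #.
PROMPT = re.compile(r"^[\w-]+(?:\((?P<mode>[\w-]+)\))?[>#]\s*(?P<cmd>\S.*)$")
REQUIRED = [("config-vlan-1", "always-active"), ("config-vlan-1", "no spanning-tree"),
            ("config-vlan-1", "router-interface ve 1"), ("config", "no ip icmp redirects")]

def parse(transcript):
    """Return (mode, command) pairs, taking the CLI mode from each prompt."""
    pairs = []
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            pairs.append((m.group("mode") or "exec", " ".join(m.group("cmd").split())))
    return pairs

def audit(transcript):
    """List deviations from the Zone1-SI-A settings described on the page."""
    pairs = parse(transcript)
    findings = [f"missing '{c}' in {m}" for m, c in REQUIRED if (m, c) not in pairs]
    nets = [ipaddress.ip_interface("/".join(c.split()[2:4])).network
            for m, c in pairs if m == "config-ve-1" and c.startswith("ip address ")]
    hops = [ipaddress.ip_address(c.split()[4])
            for m, c in pairs if m == "config" and c.startswith("ip route 0.0.0.0 0.0.0.0 ")]
    if not nets:
        findings.append("no IP address on ve 1")
    if not hops:
        findings.append("no default route")
    findings += [f"default-route next hop {h} is outside the ve 1 subnet"
                 for h in hops if nets and not any(h in n for n in nets)]
    return findings

if __name__ == "__main__":
    print(audit(TRANSCRIPT) or "transcript matches the documented settings")
```

Because the mode is read from each prompt, a command typed at the wrong CLI level (for example `no spanning-tree` at the global CONFIG level instead of inside VLAN 1) is reported as missing.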
[Figure 6.4 diagram: an external router, active and standby ServerIron pairs connected by sync and data links, and firewalls FW1 and FW2. Zone 2 = 10.10.2.x/24; Zone 3 = 10.10.3.x/24; when undefined, Zone 1 contains all addresses not in the other zones.]