Technical data
Firewall Load Balancing Guide
6 - 22 © 2012 Brocade Communications Systems, Inc. May 31, 2012
Zone1-SI-A(config-tc-2)# fwall-info 6 4/11 10.10.3.111 10.10.1.2
Zone1-SI-A(config-tc-2)# exit
Zone1-SI-A(config)# vlan 1
Zone1-SI-A(config-vlan-1)# static-mac-address 00e0.5201.a17a ethernet 4/1 priority 1 router-type
Zone1-SI-A(config-vlan-1)# static-mac-address 00e0.5207.973c ethernet 4/11 priority 1 router-type
Zone1-SI-A(config-vlan-1)# exit
The following commands set the load balancing method to balance requests based on the firewall that has the
fewest connections for the requested service. For example, the ServerIron will load balance HTTP
requests based on the firewall that has fewer HTTP session entries in the ServerIron session table.
Zone1-SI-A(config)# server fw-group 2
Zone1-SI-A(config-tc-2)# fw-predictor per-service-least-conn
Zone1-SI-A(config-tc-2)# exit
The following command configures a standard IP ACL for the IP addresses in one of the zones this ServerIron is
not in. In this configuration, only one zone definition is required on each ServerIron, including Zone1-SI-A and
Zone1-SI-S. Since the active Zone 1 ServerIron is already in zone 1, the ServerIron will forward packets either to
the active ServerIron in zone 2 or to the only other active ServerIron that is not in zone 2. In this case, the other
active ServerIron is in zone 3. Thus, if ServerIron Zone1-SI-A receives a packet that is not addressed to the sub-
net Zone1-SI-A is in, and is not addressed to a sub-net in zone 2, the ServerIron assumes that the packet is for an
address in the other zone, zone 3. The ServerIron forwards the packet to the ServerIron in zone 3.
The command configures an ACL for the addresses in zone 2, which contains addresses in the 10.10.2.x/24 sub-net.
The “0.0.0.255” value is a mask that indicates the significant bits in the IP address you specify: a zero bit in
the mask marks a significant bit. In this case, all bits except the ones in the last node of the address are
significant.
Zone1-SI-A(config)# access-list 2 permit 10.10.2.0 0.0.0.255
The following commands configure the zone parameters. To configure a zone, specify a name for the zone, then a
zone number (from 1 – 10), followed by the number of the ACL that specifies the IP addresses in the zone. In this
example, the ACL numbers and zone numbers are the same, but this is not required.
Zone1-SI-A(config)# server fw-group 2
Zone1-SI-A(config-tc-2)# fwall-zone Zone2 2 2
Zone1-SI-A(config-tc-2)# exit
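The zone decision described above, sketched in Python as an added example (not Brocade code and not part of the guide). It parses the access-list and fwall-zone lines shown on this page; the local sub-net 10.10.1.0/24 is an assumption, since the page gives addresses but no mask for Zone1-SI-A, and 192.0.2.7 is a constructed test address.

```python
import ipaddress

# Config lines copied from the page (Zone1-SI-A).
CONFIG = """\
access-list 2 permit 10.10.2.0 0.0.0.255
fwall-zone Zone2 2 2
"""

# Assumption: the page does not state Zone1-SI-A's own sub-net mask.
LOCAL_SUBNET = ipaddress.ip_network("10.10.1.0/24")
DEFAULT_ZONE = "undefined zone (zone 3 in this topology)"


def parse(config):
    """Return ({acl_id: [(base, wildcard)]}, [(zone_name, zone_id, acl_id)])."""
    acls, zones = {}, []
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["access-list"] and tok[2] == "permit":
            base = int(ipaddress.IPv4Address(tok[3]))
            wildcard = int(ipaddress.IPv4Address(tok[4]))
            acls.setdefault(int(tok[1]), []).append((base, wildcard))
        elif tok[:1] == ["fwall-zone"]:
            zones.append((tok[1], int(tok[2]), int(tok[3])))
    return acls, zones


def acl_permits(entries, addr):
    """Wildcard match: bits that are 0 in the mask must equal the base address."""
    a = int(ipaddress.IPv4Address(addr))
    return any(((a ^ base) & ~wild & 0xFFFFFFFF) == 0 for base, wild in entries)


def classify(dest, config=CONFIG):
    """Apply the decision order described in the text to one destination."""
    acls, zones = parse(config)
    if ipaddress.ip_address(dest) in LOCAL_SUBNET:
        return "local"
    for name, _zone_id, acl_id in zones:
        if acl_permits(acls.get(acl_id, []), dest):
            return name
    return DEFAULT_ZONE  # no ACL matched: assumed to belong to the other zone


if __name__ == "__main__":
    for dest in ("10.10.1.10", "10.10.2.40", "10.10.3.41", "192.0.2.7"):
        print(f"{dest:<12} -> {classify(dest)}")
```

Because the undefined zone is a catch-all, a destination outside every configured sub-net (192.0.2.7 here) is classified the same way as a genuine zone 3 address, so the zone ACL has to cover every address that belongs to the defined zone.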
The following commands configure the SLB information. Each of the servers in zones 2 and 3 is added as a real
server, then the servers are bound to a VIP. The servers are added using the server remote-name command
instead of the server real-name command because the servers are not directly connected to the ServerIron.
Instead, they are connected to the ServerIron through other routers (in this case, the firewalls).
Zone1-SI-A(config)# server remote-name web1 10.10.2.40
Zone1-SI-A(config-rs-web1)# port http
Zone1-SI-A(config-rs-web1)# exit
Zone1-SI-A(config)# server remote-name web2 10.10.2.42
Zone1-SI-A(config-rs-web2)# port http
Zone1-SI-A(config-rs-web2)# exit
Zone1-SI-A(config)# server remote-name web3 10.10.3.41
Zone1-SI-A(config-rs-web3)# port http
Zone1-SI-A(config-rs-web3)# exit
Zone1-SI-A(config)# server remote-name web4 10.10.3.43
Zone1-SI-A(config-rs-web4)# port http
Zone1-SI-A(config-rs-web4)# exit
Zone1-SI-A(config)# server virtual www.web.com 10.10.1.10
Zone1-SI-A(config-vs-www.web.com)# port http
Zone1-SI-A(config-vs-www.web.com)# bind http web1 http web2 http web3 http web4 http
Zone1-SI-A(config-vs-www.web.com)# exit
The following command enables SLB-to-FWLB.
Zone1-SI-A(config)# server slb-fw
The following commands enable FWLB.