Technical data
Firewall Load Balancing Guide
6 - 28 © 2012 Brocade Communications Systems, Inc. May 31, 2012
Zone3-SI-A(config-tc-2)# fwall-info 2 4/2 10.10.1.111 10.10.3.2
Zone3-SI-A(config-tc-2)# fwall-info 3 4/1 10.10.1.112 10.10.3.1
Zone3-SI-A(config-tc-2)# fwall-info 4 4/2 10.10.1.112 10.10.3.2
Zone3-SI-A(config-tc-2)# fwall-info 5 4/1 10.10.2.222 10.10.3.1
Zone3-SI-A(config-tc-2)# fwall-info 6 4/2 10.10.2.222 10.10.3.2
Zone3-SI-A(config-tc-2)# fwall-info 7 4/1 10.10.2.223 10.10.3.1
Zone3-SI-A(config-tc-2)# fwall-info 8 4/2 10.10.2.223 10.10.3.2
Zone3-SI-A(config-tc-2)# exit
Zone3-SI-A(config)# vlan 1
Zone3-SI-A(config-vlan-1)# static-mac-address 00e0.5201.a182 ethernet 4/1 priority 1 router-type
Zone3-SI-A(config-vlan-1)# static-mac-address 00e0.5207.9744 ethernet 4/2 priority 1 router-type
Zone3-SI-A(config-vlan-1)# exit
Zone3-SI-A(config)# server fw-group 2
Zone3-SI-A(config-tc-2)# fw-predictor per-service-least-conn
Zone3-SI-A(config-tc-2)# exit
Zone3-SI-A(config)# access-list 2 permit 10.10.2.0 0.0.0.255
Zone3-SI-A(config)# server fw-group 2
Zone3-SI-A(config-tc-2)# fwall-zone zone2 2 2
Zone3-SI-A(config-tc-2)# exit
Zone3-SI-A(config)# server real-name sr1 10.10.3.41
Zone3-SI-A(config-rs-sr1)# port http
Zone3-SI-A(config-rs-sr1)# exit
Zone3-SI-A(config)# server real-name sr2 10.10.3.43
Zone3-SI-A(config-rs-sr2)# port http
Zone3-SI-A(config-rs-sr2)# exit
Zone3-SI-A(config)# server virtual www.sr.com 10.10.3.10
Zone3-SI-A(config-vs-www.sr.com)# port http
Zone3-SI-A(config-vs-www.sr.com)# bind http sr2 http sr1 http
Zone3-SI-A(config-vs-www.sr.com)# exit
Zone3-SI-A(config)# server fw-slb
Zone3-SI-A(config)# ip l4-policy 1 fw tcp 0 global
Zone3-SI-A(config)# ip l4-policy 2 fw udp 0 global
Zone3-SI-A(config)# write memory
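The following audit script is an added example, not part of the Brocade guide. It checks the fwall-info lines in the listing above for gaps in path numbering, for a firewall reached through more than one port, and for a remote ServerIron that lacks a path through one of the firewalls. The field order, the helper names and the rule that path IDs run from 1 without gaps are assumptions.

```python
import re
from collections import defaultdict

# Assumed field order: fwall-info <path-id> <port> <remote-ServerIron-IP> <next-hop-firewall-IP>
FWALL_RE = re.compile(r"fwall-info\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")

# The seven path lines visible in the listing; path 1 is not on this page.
SAMPLE = """\
Zone3-SI-A(config-tc-2)# fwall-info 2 4/2 10.10.1.111 10.10.3.2
Zone3-SI-A(config-tc-2)# fwall-info 3 4/1 10.10.1.112 10.10.3.1
Zone3-SI-A(config-tc-2)# fwall-info 4 4/2 10.10.1.112 10.10.3.2
Zone3-SI-A(config-tc-2)# fwall-info 5 4/1 10.10.2.222 10.10.3.1
Zone3-SI-A(config-tc-2)# fwall-info 6 4/2 10.10.2.222 10.10.3.2
Zone3-SI-A(config-tc-2)# fwall-info 7 4/1 10.10.2.223 10.10.3.1
Zone3-SI-A(config-tc-2)# fwall-info 8 4/2 10.10.2.223 10.10.3.2
"""

def parse_paths(text):
    """Return (path_id, port, remote_ip, next_hop) tuples found in CLI text."""
    paths = []
    for line in text.splitlines():
        m = FWALL_RE.search(line)
        if m:
            paths.append((int(m.group(1)), m.group(2), m.group(3), m.group(4)))
    return paths

def audit_paths(paths):
    """Return a list of findings; an empty list means the path table is consistent."""
    findings = []
    ids = [p[0] for p in paths]
    for missing in sorted(set(range(1, max(ids, default=0) + 1)) - set(ids)):
        findings.append(f"path id {missing} is not defined")
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        findings.append(f"path id {dup} is defined more than once")
    ports_by_hop = defaultdict(set)    # firewall next hop -> ports used to reach it
    hops_by_remote = defaultdict(set)  # remote ServerIron -> firewalls with a path to it
    for _, port, remote, hop in paths:
        ports_by_hop[hop].add(port)
        hops_by_remote[remote].add(hop)
    for hop, ports in sorted(ports_by_hop.items()):
        if len(ports) > 1:
            findings.append(f"firewall {hop} is reached through ports {sorted(ports)}")
    for remote, hops in sorted(hops_by_remote.items()):
        for hop in sorted(set(ports_by_hop) - hops):
            findings.append(f"no path to {remote} through firewall {hop}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_paths(parse_paths(SAMPLE))))
```

Run against only the lines shown here, it reports the path that falls before this page: path ID 1 and the path to 10.10.1.111 through 10.10.3.1.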
Multizone FWLB with Multiple Sub-nets and Multiple Virtual Routing Interfaces
Figure 6.5 shows an example of a multizone FWLB configuration in which each ServerIron is configured with
multiple sub-nets and multiple virtual routing interfaces. The configuration is similar to the one in Figure 6.4 on
page 6-20, but differs in the following ways:
• The ServerIrons configured in active-active pairs have four port-based VLANs. VLAN 10 is for the
synchronization link between the ServerIrons. The default VLAN (VLAN 1) is not configured with a routing
interface. VLANs 2 and 20 are configured with virtual routing interfaces.
• The ServerIrons in zone 1 are configured with a static IP route to the sub-net that the external client is on.
• Static MAC entries are not required and thus are not included for the firewall interfaces.
• More than one standard IP ACL is configured on each ServerIron, since more than one sub-net is a member
of each zone.