Firewall Load Balancing Guide
6 - 30 © 2012 Brocade Communications Systems, Inc. May 31, 2012
The following command configures a static route to the subnet that contains the external host.
Zone1-SI-A(config)# ip route 20.20.0.0 255.255.0.0 10.10.7.100
The following commands configure the synchronization link between this ServerIron and ServerIron Zone1-SI-B.
For redundancy, the link is configured on a trunk group.
Zone1-SI-A(config)# vlan 10
Zone1-SI-A(config-vlan-10)# untagged ethernet 4/9 to 4/10
Zone1-SI-A(config-vlan-10)# exit
Zone1-SI-A(config)# trunk switch ethernet 4/9 to 4/10
Zone1-SI-A(config)# server fw-port 4/9
The following commands configure the data link connecting this ServerIron to its partner, Zone1-SI-B. For
redundancy, the link is configured as a two-port trunk group.
Zone1-SI-A(config)# trunk switch ethernet 4/11 to 4/12
Zone1-SI-A(config)# server partner-ports ethernet 4/11
Zone1-SI-A(config)# server partner-ports ethernet 4/12
Zone1-SI-A(config)# server fw-group 2
Zone1-SI-A(config-tc-2)# l2-fwall
Zone1-SI-A(config-tc-2)# exit
The following commands add the firewalls. Three application ports (HTTP, FTP, and SNMP) are configured on
each of the firewalls. The no-health-check parameter disables the Layer 4 health check for the specified
application.
Zone1-SI-A(config)# server fw-name fw1 10.10.1.1
Zone1-SI-A(config-rs-fw1)# port http
Zone1-SI-A(config-rs-fw1)# port http no-health-check
Zone1-SI-A(config-rs-fw1)# port snmp
Zone1-SI-A(config-rs-fw1)# port snmp no-health-check
Zone1-SI-A(config-rs-fw1)# exit
Zone1-SI-A(config)# server fw-name fw2 10.10.1.2
Zone1-SI-A(config-rs-fw2)# port http
Zone1-SI-A(config-rs-fw2)# port http no-health-check
Zone1-SI-A(config-rs-fw2)# port snmp
Zone1-SI-A(config-rs-fw2)# port snmp no-health-check
Zone1-SI-A(config-rs-fw2)# exit
The following commands add the firewall definitions to the firewall port group (always group 2).
Zone1-SI-A(config)# server fw-group 2
Zone1-SI-A(config-tc-2)# fw-name fw1
Zone1-SI-A(config-tc-2)# fw-name fw2
The following command enables the active-active mode and specifies the priority of this ServerIron. In this case,
ServerIron Zone1-SI-A has the higher priority. Its partner, ServerIron Zone1-SI-B, will be configured with a lower
priority (1).
Zone1-SI-A(config-tc-2)# sym-priority 255
The following commands add the paths through the firewalls to the ServerIrons in zones 2 and 3. In addition, static
MAC entries are added for the firewall interfaces.
NOTE: The path IDs must be in contiguous, ascending numerical order, starting with 1. For example, path
sequence 1, 2, 3, 4 is valid. Path sequence 4, 3, 2, 1 or 1, 3, 4, 5 is not valid.
Zone1-SI-A(config-tc-2)# fwall-info 1 4/1 10.10.2.222 10.10.1.1
Zone1-SI-A(config-tc-2)# fwall-info 2 4/11 10.10.2.222 10.10.1.2
Zone1-SI-A(config-tc-2)# fwall-info 3 4/1 10.10.2.223 10.10.1.1
Zone1-SI-A(config-tc-2)# fwall-info 4 4/11 10.10.2.223 10.10.1.2
Zone1-SI-A(config-tc-2)# fwall-info 5 4/1 10.10.3.111 10.10.1.1
Zone1-SI-A(config-tc-2)# fwall-info 6 4/11 10.10.3.111 10.10.1.2
Zone1-SI-A(config-tc-2)# exit
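The path-ID rule in the NOTE above, and the link between each path and the firewalls defined with server fw-name, can be checked offline before the commands are entered. The Python linter below is an added example, not part of the Brocade guide; lint() is a hypothetical helper name, and it assumes the last fwall-info field is the firewall (next-hop) address, as the values on this page suggest.

```python
import re

IP = r"(\d+\.\d+\.\d+\.\d+)"
FW_DEF = re.compile(rf"^server fw-name (\S+) {IP}$")   # firewall definition
FW_MEMBER = re.compile(r"^fw-name (\S+)$")             # firewall added to fw-group 2
PATH = re.compile(rf"^fwall-info (\d+) (\S+) {IP} {IP}$")

# Constructed input: firewall and path commands copied from this page.
GOOD = """\
Zone1-SI-A(config)# server fw-name fw1 10.10.1.1
Zone1-SI-A(config)# server fw-name fw2 10.10.1.2
Zone1-SI-A(config-tc-2)# fw-name fw1
Zone1-SI-A(config-tc-2)# fw-name fw2
Zone1-SI-A(config-tc-2)# fwall-info 1 4/1 10.10.2.222 10.10.1.1
Zone1-SI-A(config-tc-2)# fwall-info 2 4/11 10.10.2.222 10.10.1.2
Zone1-SI-A(config-tc-2)# fwall-info 3 4/1 10.10.2.223 10.10.1.1
Zone1-SI-A(config-tc-2)# fwall-info 4 4/11 10.10.2.223 10.10.1.2
Zone1-SI-A(config-tc-2)# fwall-info 5 4/1 10.10.3.111 10.10.1.1
Zone1-SI-A(config-tc-2)# fwall-info 6 4/11 10.10.3.111 10.10.1.2
"""
# Constructed bad variant: path 4 renumbered to 7, path 6 aimed at an undefined address.
BAD = (GOOD.replace("fwall-info 4 ", "fwall-info 7 ")
           .replace("10.10.3.111 10.10.1.2", "10.10.3.111 10.10.1.9"))

def lint(config_text):
    """Return a list of findings; an empty list means every check passed."""
    defined, members, paths = {}, set(), []
    for raw in config_text.splitlines():
        line = raw.split("# ", 1)[-1].strip()   # drop the CLI prompt if present
        if m := FW_DEF.match(line):
            defined[m[2]] = m[1]                # firewall IP -> firewall name
        elif m := FW_MEMBER.match(line):
            members.add(m[1])
        elif m := PATH.match(line):
            paths.append((int(m[1]), m[4]))     # (path ID, next-hop address)
    findings = []
    # IDs must read 1, 2, 3, ... in the order the paths are entered.
    for expected, (pid, hop) in enumerate(paths, start=1):
        if pid != expected:
            findings.append(f"path {pid}: ID out of sequence, expected {expected}")
        if hop not in defined:
            findings.append(f"path {pid}: next hop {hop} is not a defined firewall")
        elif defined[hop] not in members:
            findings.append(f"path {pid}: {defined[hop]} is not in the fw-group")
    return findings

if __name__ == "__main__":
    for name, cfg in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, lint(cfg) or "ok")
```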