Technical data
ServerIron ADX Firewall Load Balancing Guide
53-1002436-01
Configuration examples with Layer 3 routing support
The following command configures an IP default route. The first two "0.0.0.0" portions of the
address are the IP address and network mask. Always specify zeroes when configuring an IP
default route. The third value is the IP address of the next-hop gateway for the default route. In
most cases, you can specify the IP address of one of the firewalls as the next hop. Specifying the
default route is the Layer 3 equivalent of specifying the default gateway.
SI-External(config)# ip route 0.0.0.0 0.0.0.0 10.10.1.5
The following commands add the firewall definitions. In this example, port HTTP is configured on
each firewall. Specifying the application ports on the firewalls is optional. If you configure an
application port on a firewall, load balancing is performed for the configured port. All traffic from a
given client for ports that are not configured is sent to the same firewall.
SI-External(config)# server fw-name fw1 10.10.1.5
SI-External(config-rs-fw1)# port http
SI-External(config-rs-fw1)# exit
SI-External(config)# server fw-name fw2 10.10.1.6
SI-External(config-rs-fw2)# port http
SI-External(config-rs-fw2)# exit
The following commands add the firewall definitions to the firewall port group (group 2 for IPv4
addresses and group 4 for IPv6 addresses). The firewall group contains all the ports in VLAN 1 (the
default VLAN).
SI-External(config)# server fw-group 2
SI-External(config-fw-2)# fw-name fw1
SI-External(config-fw-2)# fw-name fw2
The following commands add the paths through the firewalls to the other ServerIron ADX. Each
path consists of a path number, a ServerIron ADX port number, the IP address at the other end of
the path, and the next-hop IP address. In this example, the topology does not contain routers other
than the ServerIron ADXs. If your topology contains other routers, configure firewall paths for the
routers too. For router paths, use the same IP address as the path destination and the next hop.
NOTE
The path IDs must be in contiguous, ascending numerical order, starting with 1. For example, path
sequence 1, 2, 3, 4 is valid. Path sequence 4, 3, 2, 1 or 1, 3, 4, 5 is not valid.
SI-External(config-fw-2)# fwall-info 1 4/1 10.10.2.222 10.10.1.5
SI-External(config-fw-2)# fwall-info 2 4/2 10.10.2.222 10.10.1.6
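The path ID rule in the NOTE can be checked offline before the commands are entered. The following Python script is an added example, not part of the Brocade guide: it reads pasted CLI lines and flags path IDs that are not 1, 2, 3, ... in entry order. Assumptions of this example: the name audit_fw_paths, the constructed BAD_CONFIG sample, and the extra check that each next hop is either a defined firewall or equal to the path destination (the router-path case), which the guide does not state as a rule.

```python
import ipaddress
import re

PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")  # e.g. "SI-External(config-fw-2)# "
FW_DEF = re.compile(r"^server fw-name (\S+) (\S+)$")
PATH = re.compile(r"^fwall-info (\d+) (\S+) (\S+) (\S+)$")

# The firewall and path commands shown on this page, as pasted from a session.
PAGE_CONFIG = """\
SI-External(config)# server fw-name fw1 10.10.1.5
SI-External(config)# server fw-name fw2 10.10.1.6
SI-External(config-fw-2)# fwall-info 1 4/1 10.10.2.222 10.10.1.5
SI-External(config-fw-2)# fwall-info 2 4/2 10.10.2.222 10.10.1.6
"""

# Constructed bad input: path ID 2 is skipped and 10.10.1.7 is not a firewall.
BAD_CONFIG = """\
server fw-name fw1 10.10.1.5
server fw-name fw2 10.10.1.6
fwall-info 1 4/1 10.10.2.222 10.10.1.5
fwall-info 3 4/2 10.10.2.222 10.10.1.7
"""

def audit_fw_paths(text):
    """Return a list of findings for the firewall path commands in text."""
    firewalls, paths, findings = {}, [], []
    for raw in text.splitlines():
        line = PROMPT.sub("", raw.strip())  # accept lines with or without prompt
        if m := FW_DEF.match(line):
            firewalls[m.group(1)] = ipaddress.ip_address(m.group(2))
        elif m := PATH.match(line):
            pid, port, dest, hop = m.groups()
            paths.append((int(pid), port, ipaddress.ip_address(dest),
                          ipaddress.ip_address(hop)))
    # Rule from the NOTE: IDs contiguous and ascending, starting with 1.
    ids = [p[0] for p in paths]
    if ids != list(range(1, len(ids) + 1)):
        findings.append(f"path IDs {ids} are not 1..{len(ids)} in ascending order")
    # Assumed sanity check: next hop is a firewall, or a router path (hop == dest).
    fw_ips = set(firewalls.values())
    for pid, port, dest, hop in paths:
        if hop not in fw_ips and hop != dest:
            findings.append(f"path {pid} ({port}): next hop {hop} is neither a "
                            "defined firewall nor the path destination")
    return findings

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("bad", BAD_CONFIG)):
        print(name, audit_fw_paths(cfg) or "OK")
```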
The following command sets the load balancing method to balance requests based on the firewall
that has the fewest connections for the requested service. Because the previous firewall
definitions specify the HTTP service, the ServerIron ADX will load balance requests based on the
firewall that has fewer HTTP session entries in the ServerIron ADX session table.
SI-External(config-fw-2)# fw-predictor per-service-least-conn
SI-External(config)# exit
The following commands add static MAC entries for the firewall interfaces with the ServerIron ADX.
The static MAC entries are required only if the configuration uses static routes and a single virtual
routing interface, as in this example, and if the default gateway for the client or server is the
firewall. If the configuration uses a dynamic routing protocol (for example, RIP or OSPF), the static
entries are not required. Alternatively, the static entries are not required if you use the ServerIron
ADX itself as the default gateway for the client or the server. For example, the static entries are not
required if you configure the client to use 10.10.1.111 as its default gateway.










