Technical data

ManualsBrandsBrocade Communications Systems ManualsHome Theater ServerServerIron ADX 12.4.00

171

172

173

174

175

176

177

178

179

180

ServerIron ADX Firewall Load Balancing Guide 165

53-1002436-01

DRAFT: BROCADE CONFIDENTIAL

Appendix

Additional Firewall Configurations

In this appendix

•Configuring FWLB for firewalls with active-standby NICs . . . . . . . . . . . . . . 165

•Customizing path health checks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169

•FWLB selection algorithms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171

•Configuring weighted load balancing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 173

•Denying FWLB for specific applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . 174

•Configuring failover tolerance in IronClad configurations. . . . . . . . . . . . . . 177

Configuring FWLB for firewalls with active-standby NICs

Some firewalls provide reliability through link redundancy. For example, some firewalls can have

two NICs on each sub-net. One of the NICs is active. The other NIC is a standby interface and is

used only if the active NIC becomes unavailable. Both NICs have the same IP address. You can use

this type of firewall in IronClad configurations that use the always-active feature.

NOTE

The always-active feature enables you to simplify FWLB configuration by eliminating extra layers of

Layer 2 switches. Refer to “Configuring the additional data link (the always-active link)” on page 43.

To configure a ServerIron ADX to load balance traffic for firewalls that use dual NICs for link

redundancy, specify a wildcard value (65535) instead of a specific ServerIron ADX port number

when you configure the paths to the firewall. When you add a firewall path, the ServerIron ADX

sends an ARP request to obtain the MAC address of the next-hop IP address for the path, which in

most configurations is the firewall NIC. If the ServerIron ADX port number for the path is a wildcard

(65535), the ServerIron ADX also learns the port for the path, which is the port on which the

ServerIron ADX receives the ARP reply from the NIC.

Figure 24 shows an example of an always-active configuration.

This configuration and the commands for implementing it are almost the same as for the

configuration in

“IronClad FWLB configuration with multi-homed firewalls” The only differences are

as follows:

• Each firewall is connected to both ServerIron ADXs on each side of the network. For example,

firewall FW1 is connected to both ServerIron SI-Ext-A and ServerIron SI-Ext-B. Each link has a

unique MAC address but they use the same IP address. Only one of the links is active at a time.

The other link is a standby.

• The firewall paths on each ServerIron use a wildcard value (65535) instead of a specific

ServerIron port number.