Technical data

40 ServerIron ADX Firewall Load Balancing Guide
53-1002436-01
Configuring HA active-active FWLB
3
DRAFT: BROCADE CONFIDENTIAL
FIGURE 10 HA FWLB for Layer 3 firewalls
HA FWLB configuration guidelines
Use the following guidelines when configuring a ServerIron ADX for HA FWLB:
- The ServerIron ADX must be able to reach the firewalls at Layer 2. Therefore, the firewalls must be either directly attached to the ServerIron ADX or connected through a Layer 2 switch.
- The SYNC link between the two ServerIron ADX switches must always be in a separate VLAN. Do not tag this link to send data traffic over it.
- Firewall path definitions on each ServerIron ADX must be symmetrical. The order of next-hop addresses must match. For example, if the topology consists of outside and inside ServerIron ADX pairs and four firewalls, then on each ServerIron ADX, define the first path through firewall 1, the second path through firewall 2, and so on.
- Static MAC entries for firewall interfaces are required. This is especially critical when the upstream Internet-side routers use the firewall interface as the next hop for reaching internal networks. These static entries are not necessary with ServerIron ADX router software and should not be used when a firewall path definition uses dynamic ports.
- Use “dynamic ports” with firewall path definitions when the firewall interface MAC address can be learned over different physical ports by the ServerIron ADX.
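One way to check a planned configuration against the path-symmetry and static-MAC guidelines above, as an added example that is not from the Brocade guide. It lints an abstract model of the path definitions, not ServerIron CLI syntax; the data model, function names and sample port assignments are assumptions, and the firewall addresses are the ones labelled in Figure 10.

```python
# Added example: lint an abstract model of FWLB path definitions against the
# guidelines above. The data model is an assumption, not ServerIron CLI syntax.

# Firewall interface addresses as labelled in Figure 10.
FIREWALL_OF = {"10.10.1.1": "FW1", "10.10.2.1": "FW1",
               "10.10.1.2": "FW2", "10.10.2.2": "FW2"}

# Constructed sample: per device, paths as (path_number, port, next_hop) plus
# the next-hop addresses that have a static MAC entry configured.
SAMPLE = {
    "SI-Ext-A": {"paths": [(1, "4/1", "10.10.1.1"), (2, "4/12", "10.10.1.2")],
                 "static_macs": {"10.10.1.1", "10.10.1.2"}},
    "SI-Ext-B": {"paths": [(1, "4/12", "10.10.1.2"), (2, "4/1", "10.10.1.1")],
                 "static_macs": {"10.10.1.1", "10.10.1.2"}},
    "SI-Int-A": {"paths": [(1, "dynamic", "10.10.2.1"), (2, "4/12", "10.10.2.2")],
                 "static_macs": {"10.10.2.1", "10.10.2.2"}},
}


def firewall_order(paths):
    """Firewalls in path-number order, e.g. ['FW1', 'FW2']."""
    return [FIREWALL_OF.get(hop, "unknown:" + hop) for _, _, hop in sorted(paths)]


def lint(devices, router_software=False):
    """Return a sorted list of (device, message) guideline violations."""
    findings = []
    names = sorted(devices)
    reference = firewall_order(devices[names[0]]["paths"])
    for name in names:
        cfg = devices[name]
        order = firewall_order(cfg["paths"])
        if order != reference:  # first path via firewall 1, second via 2, ...
            findings.append((name, "path order %s differs from %s on %s"
                             % (order, reference, names[0])))
        for num, port, hop in cfg["paths"]:
            has_static = hop in cfg["static_macs"]
            if port == "dynamic" and has_static:
                findings.append((name, "path %d: static MAC with dynamic port" % num))
            elif port != "dynamic" and not has_static and not router_software:
                findings.append((name, "path %d: static MAC entry missing" % num))
    return sorted(findings)


if __name__ == "__main__":
    for device, message in lint(SAMPLE):
        print(device + ": " + message)
```

Pass `router_software=True` when the devices run ServerIron ADX router software, where the guidelines say static MAC entries are not necessary.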
[Figure 10 diagram labels: ServerIron SI-Ext-A (10.10.1.111), SI-Ext-B (10.10.1.112), SI-Int-A (10.10.2.222), SI-Int-B (10.10.2.223); Layer 3 Firewall-1 (FW1: IP 10.10.1.1, MAC 00.50.da.8d.52.18; IP 10.10.2.1, MAC 00.50.da.92.08.dc); Layer 3 Firewall-2 (FW2: IP 10.10.1.2, MAC 00.50.da.92.08.fc; IP 10.10.2.2, MAC 00.50.da.92.08.d0); External Router A and B; Internal Router A and B; VRRP addresses and default gateways 10.10.1.101 and 10.10.2.101; clients 10.10.6.22 and 10.10.6.23; servers 10.10.2.30 and 10.10.2.40; management station; ports 4/1 and 4/12; trunk ports 4/5-4/6 and 4/13-4/14; synchronization links; additional data links.]