Technical data
ServerIron ADX Firewall Load Balancing Guide
53-1002436-01
Configuring HA active-active FWLB
• You must use the server partner-ports command to identify the data path from a peer
ServerIron ADX in HA.
• Do not combine FWLB with Layer 7 content switching features. The FWLB+TCS combination is
also not supported.
In this example, clients access the application servers on the private network through one of two
routers, each of which is connected to a ServerIron ADX. The ServerIron ADXs create session
entries for new traffic flows, including assignment of a firewall. The ServerIron ADXs then use the
session entries to forward subsequent traffic in the flow to the same firewall.
The ServerIron ADXs on the private side of the network are connected to the application servers
through routers. These ServerIron ADXs also create session entries and use those entries to
forward traffic to the servers and to forward the servers' replies back to the clients.
Each pair of ServerIron ADXs is connected by two trunk groups. One of the trunk groups is the
synchronization link, and is used by the ServerIron ADX to exchange session information, so that
each ServerIron ADX has a complete list of the sessions. If one of the ServerIron ADXs becomes
unavailable, the other ServerIron ADX can continue FWLB service without interruption, even for
existing sessions.
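
The session handling and synchronization described above, as a small Python model. This is an added example, not Brocade code or ServerIron ADX configuration; the firewall names, the addresses, the round-robin firewall selection and the `Adx` class are assumptions made for illustration.

```python
from dataclasses import dataclass, field

FIREWALLS = ["FW1", "FW2"]  # constructed firewall names


@dataclass
class Adx:
    """One ServerIron ADX of an HA pair, reduced to its session table."""
    name: str
    sessions: dict = field(default_factory=dict)  # (src, dst) -> firewall
    peer: "Adx | None" = None
    sync_link_up: bool = True
    next_fw: int = 0  # round-robin index: an assumption, not the ADX's real method

    def forward(self, src, dst):
        """Return the firewall for this packet, creating a session entry if needed."""
        key = (src, dst)
        fw = self.sessions.get(key)
        if fw is None:  # new flow: assign a firewall and record it
            fw = FIREWALLS[self.next_fw % len(FIREWALLS)]
            self.next_fw += 1
            self.sessions[key] = fw
            if self.peer is not None and self.sync_link_up:
                self.peer.sessions[key] = fw  # session exchange over the sync link
        return fw


def failover_keeps_firewall(sync_link_up):
    """True if the surviving ADX keeps an existing flow on its original firewall."""
    a, b = Adx("ADX-A"), Adx("ADX-B")
    a.peer, b.peer = b, a
    a.sync_link_up = b.sync_link_up = sync_link_up
    b.forward("198.51.100.7", "10.0.0.20")           # unrelated flow handled by B
    original = a.forward("203.0.113.5", "10.0.0.10")  # flow first seen by A
    # ADX-A becomes unavailable; the next packet of A's flow arrives at ADX-B.
    after_failover = b.forward("203.0.113.5", "10.0.0.10")
    return after_failover == original


if __name__ == "__main__":
    print("with sync link:   ", failover_keeps_firewall(True))
    print("without sync link:", failover_keeps_firewall(False))
```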
The other trunk group is an additional data link and allows for a simplified topology by eliminating
the need for separate Layer 2 switches between the ServerIron ADXs and firewalls.
These links are not required to be trunk groups, but configuring them as trunk groups adds
link-level redundancy to the overall redundant design.
The pairs of routers are configured with Virtual Router Redundancy Protocol (VRRP) to share the
default gateway address used by the ServerIron ADXs attached to the routers.
A management station attached to one of the ServerIron ADXs on the private side of the firewalls
provides Telnet management access to all four ServerIron ADXs.
To implement the active-active FWLB configuration shown in Figure 10, perform the tasks shown in
Table 5 on each ServerIron ADX.
TABLE 5   Active-active FWLB configuration tasks

Task                                                              Reference

Configure global parameters
  Configure the management IP address and default gateway         page 42
  Configure the firewall port for the synchronization link        page 42
  Configure the partner port for the data link                    page 43
  Configure the additional data link (the always-active link)     page 43
  Configure the router port                                       page 44

Configure firewall parameters
  Define the firewalls and add them to the firewall group.        page 44
  When you define each firewall, optionally specify:
  • The TCP or UDP application ports on the firewall
  • The health check state (enabled by default)
  • The maximum total number of sessions
  • The maximum new session rate










