Technical data

ServerIron ADX Firewall Load Balancing Guide
53-1002436-01
Configuring active-active HA FWLB with VRRP
SI-Int-B(config)# server fw-name fw1 10.10.2.1
SI-Int-B(config-rs-fw1)# port http
SI-Int-B(config-rs-fw1)# port http no-health-check
SI-Int-B(config-rs-fw1)# exit
SI-Int-B(config)# server fw-name fw2 10.10.2.2
SI-Int-B(config-rs-fw2)# port http
SI-Int-B(config-rs-fw2)# port http no-health-check
SI-Int-B(config-rs-fw2)# exit
SI-Int-B(config)# server fw-group 2
SI-Int-B(config-fw-2)# fw-name fw1
SI-Int-B(config-fw-2)# fw-name fw2
SI-Int-B(config-fw-2)# sym-priority 1
SI-Int-B(config-fw-2)# fwall-info 1 3/2 10.10.1.111 10.10.2.1
SI-Int-B(config-fw-2)# fwall-info 2 4/10 10.10.1.111 10.10.2.2
SI-Int-B(config-fw-2)# fwall-info 3 3/2 10.10.1.112 10.10.2.1
SI-Int-B(config-fw-2)# fwall-info 4 4/10 10.10.1.112 10.10.2.2
SI-Int-B(config-fw-2)# fw-predictor per-service-least-conn
SI-Int-B(config-fw-2)# l2-fwall
SI-Int-B(config-fw-2)# exit
SI-Int-B(config)# vlan 1
SI-Int-B(config-vlan-1)# static-mac-address 00e0.5201.042e ethernet 3/2 priority 1 router-type
SI-Int-B(config-vlan-1)# static-mac-address 00e0.5201.2188 ethernet 4/1 priority 1 router-type
SI-Int-B(config-vlan-1)# exit
SI-Int-B(config)# write memory
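A pre-deployment consistency check for the fw-group paths above, as an added example that is not part of the Brocade guide: it parses the `server fw-name` and `fwall-info` lines and reports duplicated path IDs, next hops that are not defined firewalls, a firewall reached through more than one port, and missing firewall/destination combinations. The function name `lint_fw_paths`, the one-port-per-firewall rule and the full-mesh rule are assumptions read off this example, not rules stated in the guide.

```python
import re
from itertools import product

# Constructed sample: the SI-Int-B firewall lines from above, CLI prompts stripped.
SAMPLE = """\
server fw-name fw1 10.10.2.1
server fw-name fw2 10.10.2.2
server fw-group 2
 fw-name fw1
 fw-name fw2
 fwall-info 1 3/2 10.10.1.111 10.10.2.1
 fwall-info 2 4/10 10.10.1.111 10.10.2.2
 fwall-info 3 3/2 10.10.1.112 10.10.2.1
 fwall-info 4 4/10 10.10.1.112 10.10.2.2
"""

FW_RE = re.compile(r"^server fw-name (\S+) (\S+)$")
PATH_RE = re.compile(r"^fwall-info (\d+) (\S+) (\S+) (\S+)$")


def lint_fw_paths(config: str) -> list[str]:
    """Return a list of findings; an empty list means the paths are consistent."""
    firewalls = {}   # firewall IP -> name
    paths = []       # (path_id, port, dest_ip, next_hop)
    for raw in config.splitlines():
        line = raw.strip()
        if m := FW_RE.match(line):
            firewalls[m.group(2)] = m.group(1)
        elif m := PATH_RE.match(line):
            paths.append((int(m.group(1)), *m.group(2, 3, 4)))

    findings = []
    ids = [p[0] for p in paths]
    for dup in sorted({i for i in ids if ids.count(i) > 1}):
        findings.append(f"path id {dup} is used more than once")
    # Assumed rules, read off the example: one port per firewall, and every
    # firewall has a path to every destination (2 firewalls x 2 = 4 paths).
    port_of = {}     # next hop -> first port seen for it
    for pid, port, dest, hop in paths:
        if hop not in firewalls:
            findings.append(f"path {pid}: next hop {hop} is not a defined firewall")
        elif port_of.setdefault(hop, port) != port:
            findings.append(f"path {pid}: {hop} reached via {port} and {port_of[hop]}")
    have = {(dest, hop) for _, _, dest, hop in paths}
    for dest, hop in product(sorted({p[2] for p in paths}), sorted(firewalls)):
        if (dest, hop) not in have:
            findings.append(f"no path to {dest} through {firewalls[hop]} ({hop})")
    return findings
```

Strip the CLI prompts from a captured configuration before passing it in; the parser matches bare command lines only.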
Usage notes
When configuring FWLB+VRRPE+NAT, it is necessary to configure the firewalls to use interface IP
addresses as default gateways:
- On the firewalls, configure the default gateway address to be the interface address (physical or
  VE) of the directly connected ServerIron, instead of the VRRP or VRRP-E Virtual IP.
- Assuming that the ServerIron ADXs on the outside of the firewalls are performing NAT, on each
  of those two ServerIrons, add an additional higher-cost default route pointing to the inside
  interface IP address of the partner ServerIron.
For example, assume that SI1 and SI2 are the ServerIron ADXs external to the firewalls, and their
default gateway is 202.221.202.100, SI1's internal address is 10.10.1.1, and SI2's internal
address is 10.10.1.2.
The following commands configure the default route on SI1, plus the additional higher-cost
default route (cost 10) pointing to SI2's internal address:
ip route 0.0.0.0 0.0.0.0 202.221.202.100
ip route 0.0.0.0 0.0.0.0 10.10.1.2 10
The following commands configure the default route on SI2, plus the additional higher-cost
default route (cost 10) pointing to SI1's internal address:
ip route 0.0.0.0 0.0.0.0 202.221.202.100
ip route 0.0.0.0 0.0.0.0 10.10.1.1 10