Technical data

76 ServerIron ADX Firewall Load Balancing Guide
53-1002436-01
Configuration example for basic multizone FWLB
4
DRAFT: BROCADE CONFIDENTIAL
In this example, the ACL number and zone number are the same, but this is not required.
Syntax: [no] fw-name <firewall-name>
The fw-name command adds the previously configured firewalls to the firewall group.
Specify the names you entered when configuring the firewalls for the <firewall-name> variable. In
this example, the names are “FW1” and “FW2”.
The following commands configure the firewall paths. In the configuration in Figure 13 on page 73,
each ServerIron ADX has five paths:
A path through FW1 to ServerIron ADX Zone2
A path through FW2 to ServerIron ADX Zone2
A path through FW1 to ServerIron ADX Zone3
A path through FW2 to ServerIron ADX Zone3
A path to the router
The ServerIron ADX uses the firewall paths to load balance the firewall traffic across the two
firewalls. As in other types of FWLB configurations, the paths must be fully meshed among the
ServerIron ADXs and firewalls. Thus, the ServerIron ADX has a separate path through each of the
firewalls to each of the ServerIron ADXs in the other zones.
The ServerIron ADX also uses the paths for checking the health of the links. The health checking
enables the ServerIron ADX to compensate if the link to a firewall becomes unavailable by sending
traffic that normally goes through the unavailable firewall through the firewall that is still available.
Zone1-SI(config-fw-2)# fwall-info 1 1 209.157.25.15 209.157.24.1
Zone1-SI(config-fw-2)# fwall-info 2 1 209.157.23.11 209.157.24.1
Zone1-SI(config-fw-2)# fwall-info 3 16 209.157.25.15 209.157.24.254
Zone1-SI(config-fw-2)# fwall-info 4 16 209.157.23.11 209.157.24.254
Zone1-SI(config-fw-2)# fwall-info 5 5 209.157.24.250 209.157.24.250
Zone1-SI(config-fw-2)# exit
Each fwall-info command consists of a path number, a ServerIron ADX port number, the IP address
at the other end of the path, and the next hop IP address. The paths that pass through FW1 use
ServerIron ADX port 1, which is connected to FW1. The paths that pass through FW2 use ServerIron
ADX port 16.
Notice that the last path, unlike the other paths, has the same IP address for the destination and
the next-hop for the path. This path is a router path and ends at the router itself. The other paths
are firewall paths and end at the ServerIron ADX at the other end of the firewall.
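To make the path semantics above concrete, the following added Python example (not part of the guide or of any Brocade tooling) parses fwall-info lines into path number, port, destination and next hop, classifies each path as a firewall path or the router path by the destination-equals-next-hop rule, and checks the full-mesh requirement (every firewall port has a path to every remote-zone ServerIron ADX, each port uses one next hop, exactly one router path). The regular expression, function names and the embedded sample lines are assumptions constructed from the commands shown above.

```python
import re
from collections import defaultdict

# Constructed sample: the Zone1 firewall-group paths shown in the guide.
SAMPLE = """\
Zone1-SI(config-fw-2)# fwall-info 1 1 209.157.25.15 209.157.24.1
Zone1-SI(config-fw-2)# fwall-info 2 1 209.157.23.11 209.157.24.1
Zone1-SI(config-fw-2)# fwall-info 3 16 209.157.25.15 209.157.24.254
Zone1-SI(config-fw-2)# fwall-info 4 16 209.157.23.11 209.157.24.254
Zone1-SI(config-fw-2)# fwall-info 5 5 209.157.24.250 209.157.24.250
"""

# path-number, port, destination IP, next-hop IP (assumed layout of the command)
FWALL_RE = re.compile(r"fwall-info\s+(\d+)\s+(\d+)\s+(\S+)\s+(\S+)")


def parse_paths(text):
    """Return one dict per fwall-info line; kind is 'router' when the
    destination and next hop are the same address, else 'firewall'."""
    paths = []
    for line in text.splitlines():
        m = FWALL_RE.search(line)
        if not m:
            continue
        path, port, dest, nhop = int(m[1]), int(m[2]), m[3], m[4]
        kind = "router" if dest == nhop else "firewall"
        paths.append({"path": path, "port": port, "dest": dest,
                      "next_hop": nhop, "kind": kind})
    return paths


def check_full_mesh(paths):
    """Return a list of problems; an empty list means the paths are fully
    meshed, each firewall port has a single next hop, and there is one router path."""
    fw_paths = [p for p in paths if p["kind"] == "firewall"]
    ports = {p["port"] for p in fw_paths}
    remotes = {p["dest"] for p in fw_paths}
    seen = {(p["port"], p["dest"]) for p in fw_paths}
    problems = [f"no path through port {port} to {dest}"
                for port in sorted(ports) for dest in sorted(remotes)
                if (port, dest) not in seen]
    routers = [p for p in paths if p["kind"] == "router"]
    if len(routers) != 1:
        problems.append(f"expected exactly one router path, found {len(routers)}")
    hops = defaultdict(set)  # each firewall port should face one firewall interface
    for p in fw_paths:
        hops[p["port"]].add(p["next_hop"])
    for port, nh in sorted(hops.items()):
        if len(nh) > 1:
            problems.append(f"port {port} uses several next hops: {sorted(nh)}")
    return problems
```

Dropping any one firewall path from the sample makes check_full_mesh report the missing port-to-zone combination, which is the condition the text warns against.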
The following commands add static entries to the ServerIron ADX’s MAC table for the firewall
interfaces.
Zone1-SI(config)# static-mac-address abcd.5200.348d ethernet 1 priority 1 router-type
Zone1-SI(config)# static-mac-address abcd.5200.0b50 ethernet 16 priority 1 router-type
Each command includes the MAC address of the firewall’s interface with the ServerIron ADX and
the ServerIron ADX port that is connected to the firewall. The priority 1 and router-type parameters
identify the MAC entry type and are required.
The following command saves the configuration information to the ServerIron ADX’s startup-config
file on flash memory. You must save the configuration information before reloading the software or
powering down the device. Otherwise, the information is lost.
Zone1-SI(config)# write memory