Technical data
ServerIron ADX Firewall Load Balancing Guide 79
53-1002436-01
Configuring high-availability multizone FWLB
Figure 14 on page 79 shows an example of a high-availability multizone FWLB configuration. This
example has the same zones as the basic example in Figure 13 on page 73, but in the
high-availability configuration, each zone contains a pair of active-standby ServerIron ADXs instead
of a single ServerIron ADX.
In this configuration, the ServerIron ADXs on the left side of Figure 14 are the active ServerIron
ADXs. The ServerIron ADXs on the right are the standby ServerIron ADXs. Each active-standby pair
is connected by a private link, which the ServerIron ADXs use to exchange failover information. The
ports used by the private links are in their own port-based VLAN, separate from the other
ServerIron ADX ports. Add the ports to this VLAN as untagged ports. For added redundancy, the private links
are also configured as two-port trunk groups.
This example also uses a simplified topology. Instead of using Layer 2 switches and redundant links
to provide failover data paths from the devices on the left side to the devices on the right side, this
configuration uses additional links between the ServerIron ADXs. The l2-fwall and always-active
commands enable you to use this type of simplified topology. The l2-fwall command prevents data
loops by blocking traffic on the standby ServerIron ADX, while the always-active command allows
the standby ServerIron ADXs to pass traffic to their active partners for forwarding.
FIGURE 14 High-availability configuration with separate firewall zones
[Figure not reproduced. Labeled elements: Internet, WAN Router, Internal Router, DMZ Router, firewalls FW1 and FW2, and a pair of ServerIron ADXs labeled SI-A and SI-S in each zone, connected on Port 1, Port 5, Port 16, and Ports 9 and 10.]
Zone 3 = 209.157.23.0/24 - 209.157.23.255/24
Zone 2 = 209.157.25.0/24 - 209.157.25.255/24
Note: When undefined, Zone 1 contains all addresses not in the other zones.
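The zone rules shown in Figure 14, as an added Python example that is not part of the Brocade guide: it classifies an address into a zone, rejects overlapping zone ranges, and sends every unmatched address to Zone 1 as the figure note states. The function names and the 198.51.100.7 sample address are constructed for illustration; nothing here models ServerIron ADX CLI syntax or internals.

```python
import ipaddress

# Zone ranges as given in Figure 14 (start and end address of each zone).
ZONES = {
    2: ("209.157.25.0", "209.157.25.255"),
    3: ("209.157.23.0", "209.157.23.255"),
}
DEFAULT_ZONE = 1  # per the figure note: all addresses not in the other zones


def build_zones(zones):
    """Convert (start, end) strings to integer ranges and reject overlaps."""
    ranges = []
    for zone_id, (start, end) in zones.items():
        lo = int(ipaddress.IPv4Address(start))
        hi = int(ipaddress.IPv4Address(end))
        if lo > hi:
            raise ValueError(f"zone {zone_id}: start is above end")
        ranges.append((lo, hi, zone_id))
    ranges.sort()
    # After sorting, an overlap can only occur between neighbouring ranges.
    for (_, prev_hi, prev_id), (lo, _, zone_id) in zip(ranges, ranges[1:]):
        if lo <= prev_hi:
            raise ValueError(f"zones {prev_id} and {zone_id} overlap")
    return ranges


def zone_of(address, ranges):
    """Return the zone for an address; unmatched addresses fall into Zone 1."""
    value = int(ipaddress.IPv4Address(address))
    for lo, hi, zone_id in ranges:
        if lo <= value <= hi:
            return zone_id
    return DEFAULT_ZONE


def crosses_zones(src, dst, ranges):
    """True when source and destination belong to different zones."""
    return zone_of(src, ranges) != zone_of(dst, ranges)


if __name__ == "__main__":
    ranges = build_zones(ZONES)
    # Addresses that appear in Figure 14, plus one constructed outside address.
    for addr in ("209.157.24.13", "209.157.25.16", "209.157.23.11", "198.51.100.7"):
        print(addr, "-> zone", zone_of(addr, ranges))
```

Because Zone 1 is the catch-all, a range entered too narrowly does not raise an error: the uncovered addresses are classified as Zone 1.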










