82 ServerIron ADX Firewall Load Balancing Guide
53-1002436-01
Configuration example for a high-availability multizone FWLB
The following commands identify the port for the link to the other ServerIron ADX. If the link is a trunk group, enter the primary port number. In this example, the link is a trunk group made of ports 9 and 10, but you only need to specify port 9, the trunk group's primary port.

The commands also create a trunk group for the ports that connect this ServerIron ADX to its high-availability partner, then create a separate port-based VLAN containing the ports in the trunk group. Always configure the private link between the active and standby ServerIron ADX in a separate port-based VLAN. Add the ports as untagged ports.

Using a trunk group for the link between the active and standby ServerIron ADXs is not required, but using a trunk group adds an additional level of redundancy for enhanced availability. If one of the ports in a trunk group goes down, the link remains intact as long as the other port remains up. Make sure you configure a server trunk group, not a switch trunk group. The default trunk group type is switch, so you must specify the server option.

Notice that the server fw-port command (which identifies the port connected to the other ServerIron ADX) refers to only one port, even though the link is actually a multiple-port trunk group. This port number is the primary port of the trunk group. If you use a trunk group for the private link between the active and standby ServerIron ADXs, refer to the group by its primary port; in this case, port 9.
Zone1-SI-A(config)# server fw-port 9 
Zone1-SI-A(config)# trunk server ethernet 9 to 10 
Zone1-SI-A(config)# trunk deploy 
Zone1-SI-A(config)# vlan 10 by port 
Zone1-SI-A(config-vlan-10)# untagged 9 to 10 
Zone1-SI-A(config-vlan-10)# exit
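The three rules stated above (refer to the trunk by its primary port, use a server trunk rather than a switch trunk, and keep the private-link ports untagged in their own port-based VLAN) are easy to get wrong when the configuration is edited later. The following checker is an added example, not part of the Brocade guide or the ServerIron software; it parses the config-mode commands exactly as printed above (prompts stripped) and reports any rule that is violated. It assumes the primary port is the first port of the "A to B" range, as the guide's example uses port 9.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the Zone1-SI-A commands from the guide, prompts stripped.
SAMPLE_CONFIG = """
server fw-port 9
trunk server ethernet 9 to 10
trunk deploy
vlan 10 by port
untagged 9 to 10
exit
"""

def parse_config(text: str) -> Tuple[Optional[int], List[Tuple[str, int, int]], Dict[int, List[int]]]:
    """Pick out the fw-port, trunk groups (type, first, last) and port-based VLAN membership."""
    fw_port, trunks, vlans, current_vlan = None, [], {}, None
    for line in text.strip().splitlines():
        line = line.strip()
        if m := re.fullmatch(r"server fw-port (\d+)", line):
            fw_port = int(m.group(1))
        elif m := re.fullmatch(r"trunk (server|switch) ethernet (\d+) to (\d+)", line):
            trunks.append((m.group(1), int(m.group(2)), int(m.group(3))))
        elif m := re.fullmatch(r"vlan (\d+) by port", line):
            current_vlan = int(m.group(1))
            vlans.setdefault(current_vlan, [])
        elif (m := re.fullmatch(r"untagged (\d+) to (\d+)", line)) and current_vlan is not None:
            vlans[current_vlan].extend(range(int(m.group(1)), int(m.group(2)) + 1))
        elif line == "exit":
            current_vlan = None
    return fw_port, trunks, vlans

def check_private_link(text: str) -> List[str]:
    """Return findings; an empty list means the private link follows the guide's rules."""
    fw_port, trunks, vlans = parse_config(text)
    if fw_port is None:
        return ["no 'server fw-port' command found"]
    findings = []
    link_ports = {fw_port}
    # Assumption: the primary port is the first port of the 'A to B' range (port 9 in the guide).
    for ttype, first, last in trunks:
        if first <= fw_port <= last:
            link_ports = set(range(first, last + 1))
            if ttype != "server":
                findings.append(f"trunk {first}-{last} is a switch trunk; the private link needs 'trunk server'")
            if fw_port != first:
                findings.append(f"fw-port {fw_port} is not the trunk's primary port {first}")
    if not any(link_ports <= set(members) for members in vlans.values()):
        findings.append(f"private-link ports {sorted(link_ports)} are not untagged in a separate port-based VLAN")
    return findings
```

Run `check_private_link(SAMPLE_CONFIG)` to confirm the guide's example passes; a single-port link (no trunk) is still checked for VLAN membership.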
The following commands enable the always-active option on the default VLAN.

The default VLAN contains all the ports you have not placed in other port-based VLANs. In this configuration, the default VLAN contains all ports except ports 9 and 10, which are used for the private link between the active and standby ServerIron ADXs.

The always-active command enables the standby ServerIron ADX to forward traffic by sending it through the active ServerIron ADX. This command is useful in configurations where you need to enable the l2-fwall command (to prevent Layer 2 loops through the standby ServerIron ADX), but you also must allow traffic to pass through the standby ServerIron ADX because that ServerIron ADX is the only path for some traffic.

Without the always-active command, the standby ServerIron ADX blocks all traffic. As a result, if the router connected to the standby ServerIron ADX forwards client traffic addressed to a server in the DMZ, the traffic is blocked by the standby ServerIron ADX. However, when the always-active command is enabled, the standby ServerIron ADX forwards traffic to its active partner ServerIron ADX, which then forwards the traffic to its destination.

In some configurations, you do not need the l2-fwall command or the always-active command. However, configurations that do not use these commands compensate with redundant links and sometimes extra Layer 2 switches. For example, if each ServerIron ADX in Figure 14 on page 79 had links to both routers in its zone and also to both firewalls, and if Layer 2 switches were added to the configuration to allow STP to prevent Layer 2 loops, then it is possible that neither the l2-fwall command nor the always-active command would be required.

In the configuration in Figure 14 on page 79, each router and firewall is connected to only one of the two ServerIron ADXs in an active-standby pair. Neither the routers nor the firewalls have direct links (or links through Layer 2 switches) to both the active and standby ServerIron ADXs in their zones.