ServerIron ADX Firewall Load Balancing Guide, 53-1002436-01 (page 83, chapter 4; DRAFT: BROCADE CONFIDENTIAL)
Configuration example for a high-availability multizone FWLB
Using the l2-fwall and always-active commands allows you to simplify the network topology while
still obtaining the benefits of the IronClad (high-availability) configuration. Use the following
commands to enable the always-active option in the default VLAN (VLAN 1). You enable the L2-fwall
option when you configure firewall group parameters (see the following example).
Zone1-SI-A(config)# vlan 1
Zone1-SI-A(config-vlan-1)# always-active
Zone1-SI-A(config-vlan-1)# exit
The following commands add the firewalls.
Zone1-SI-A(config)# server fw-name FW1 209.157.24.1
Zone1-SI-A(config-rs-FW1)# exit
Zone1-SI-A(config)# server fw-name FW2 209.157.24.254
Zone1-SI-A(config-rs-FW2)# exit
The names are specific to the ServerIron ADX and do not need to correspond to any name
parameters on the firewalls themselves. The IP addresses are the addresses of the firewall
interfaces with the ServerIron ADX.
The following command configures an Access Control List (ACL) for the IP addresses in one of the
zones this ServerIron ADX is not in. In this configuration, only one zone definition is required on
each ServerIron ADX, including Zone1-SI-A and Zone1-SI-S. Because the active Zone 1 ServerIron
ADX is already in zone 1, the ServerIron ADX will forward packets either to the active ServerIron ADX
in zone 2 or to the only other active ServerIron ADX that is not in zone 2. In this case, that other
active ServerIron ADX is in zone 3. Thus, if ServerIron ADX Zone1-SI-A receives a packet that is not
addressed to the sub-net Zone1-SI-A is in, and is not addressed to a sub-net in zone 2, the
ServerIron ADX assumes that the packet is for an address in the other zone, zone 3. The ServerIron
ADX forwards the packet to the ServerIron ADX in zone 3.
The command configures an ACL for the addresses in zone 2, which contains addresses in the
209.157.25.x/24 sub-net. The “0.0.0.255” value is a wildcard mask that indicates which bits of the
IP address you specify are significant: a 0 bit in the mask means the corresponding address bit
must match, and a 1 bit means it is ignored. In this case, all bits except the ones in the last
octet of the address are significant.
Zone1-SI-A(config)# access-list 2 permit 209.157.25.0 0.0.0.255
Although each zone in this example contains one Class C sub-net, you can configure ACLs for any
range of addresses and even for individual host addresses.
NOTE
This example shows a numbered ACL instead of a named ACL. You must use numbered ACLs. The
FWLB software does not support zone configuration based on named ACLs.
The following commands configure the firewall group parameters. In this case, the commands
configure the firewall zones, add the firewalls, enable the L2-fwall option, and set the
active-standby priority.
Zone1-SI-A(config)# server fw-group 2
Zone1-SI-A(config-fw-2)# fwall-zone Zone2 2 2
Zone1-SI-A(config-fw-2)# fw-name FW1
Zone1-SI-A(config-fw-2)# fw-name FW2
Zone1-SI-A(config-fw-2)# l2-fwall
Zone1-SI-A(config-fw-2)# sym-priority 255
The fwall-zone command configures a firewall zone. To configure a zone, specify a name for the
zone, and then a zone number (from 1 through 10), followed by the number of the standard ACL
that specifies the IP addresses in the zone. In this example, the ACL numbers and zone numbers
are the same, but this is not required.
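The following Python model, added here as an illustration and not taken from the Brocade guide or the ServerIron ADX software, shows how the standard-ACL wildcard mask from access-list 2 selects addresses and how the zone-selection logic described above chooses where a packet goes: the local sub-net stays in zone 1, addresses permitted by the ACL bound to a fwall-zone go to that zone, and anything else is assumed to belong to the remaining zone, zone 3. The local sub-net 209.157.24.0/24 (derived from the firewall interface addresses) and the fallback zone number are assumptions; the ACL and fwall-zone values are the ones on the page.

```python
# Added example: models standard-ACL wildcard matching and the multizone
# forwarding decision from the FWLB configuration example above.
# This is illustrative code, not ServerIron ADX software.
from ipaddress import IPv4Address, IPv4Network


def ip_to_int(addr: str) -> int:
    """Convert a dotted-quad IPv4 string to a 32-bit integer."""
    return int(IPv4Address(addr))


def wildcard_match(addr: str, acl_addr: str, wildcard: str) -> bool:
    """Standard-ACL semantics: a 0 bit in the wildcard mask means the
    address bit must equal the ACL address bit; a 1 bit is ignored."""
    a, base, wc = ip_to_int(addr), ip_to_int(acl_addr), ip_to_int(wildcard)
    significant = ~wc & 0xFFFFFFFF          # bits that must match
    return (a & significant) == (base & significant)


# Numbered ACLs as (action, address, wildcard) entries.
# ACL 2 is the one configured on the page: permit 209.157.25.0 0.0.0.255
ACLS = {
    2: [("permit", "209.157.25.0", "0.0.0.255")],
}


def acl_permits(acl_number: int, addr: str) -> bool:
    """First matching entry decides; an unmatched address hits the
    implicit deny at the end of a standard ACL."""
    for action, acl_addr, wildcard in ACLS.get(acl_number, []):
        if wildcard_match(addr, acl_addr, wildcard):
            return action == "permit"
    return False


# fwall-zone Zone2 2 2  ->  (zone name, zone number, ACL number), from the page
ZONES = [("Zone2", 2, 2)]

# Assumption: the sub-net Zone1-SI-A sits in, inferred from the firewall
# interface addresses 209.157.24.1 and 209.157.24.254.
LOCAL_SUBNET = IPv4Network("209.157.24.0/24")
LOCAL_ZONE = 1
# Assumption: zone 3 is the only other zone, so unmatched traffic goes there.
OTHER_ZONE = 3


def select_zone(dst: str) -> int:
    """Return the zone number a packet for dst is forwarded to, following
    the decision described in the text: local sub-net -> zone 1,
    ACL match for a configured zone -> that zone, otherwise zone 3."""
    if IPv4Address(dst) in LOCAL_SUBNET:
        return LOCAL_ZONE
    for _name, zone_number, acl_number in ZONES:
        if acl_permits(acl_number, dst):
            return zone_number
    return OTHER_ZONE


if __name__ == "__main__":
    # Constructed sample destinations, one per outcome.
    for dst in ("209.157.24.10", "209.157.25.200", "10.0.0.5"):
        print(f"{dst:>16} -> zone {select_zone(dst)}")
```

Because the model only knows one explicit zone, a typo in the ACL address or wildcard mask silently sends traffic to zone 3 rather than raising an error; checking a few known addresses from each zone against select_zone after editing the ACL is a cheap way to catch that.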