Title of invention: Load balancing among a cluster of firewall security devices
Abstract: A method for balancing load among firewall security devices in a network is disclosed. According to one embodiment, a switch causes firewall security devices (FSDs) of a cluster to enter into a load balancing mode. Responsive to receiving a heartbeat signal from an FSD, information regarding the FSD and the port on which the heartbeat signal was received are added to a table maintained by the switch that maps outputs of a load balancing function to ports of the switch. A received packet is forwarded to an FSD of the cluster by: (i) extracting a configurable number of bit values from a configurable set of bit positions within the packet; (ii) determining the output of the load balancing function; (iii) identifying the port to which the FSD is coupled based on the output and the table; and (iv) transmitting the packet to the FSD via the identified port.
Publication number: US9306907(B1) | Publication date: 2016.04.05
Application number: US201514979031 | Filing date: 2015.12.22
Applicant: Fortinet, Inc. | Inventors: Lopez Edward; Mihelich Joe; Hepburn Matthew F.
Classification: H04L29/06; H04L12/803; H04L29/08; G06F17/30; H04L12/741 | Main classification: H04L29/06
Agency: Hamilton, DeSanctis & Cha LLP | Agent: Hamilton, DeSanctis & Cha LLP
Independent claim: 1. A method comprising: configuring a load balancing function in a switching device within a network based on information received from a network administrator indicative of (i) a number of bits to be used as an input to the load balancing function and (ii) bit positions of the number of bits within one or more of a type of service, a protocol, a source port, a destination port, a source address and a destination address of packets to be load balanced, wherein the number of bits may be fewer than that of the source address or the destination address and wherein the bit positions are not limited to being contiguous; causing, by a switching device, a plurality of firewall security devices within the network and operating as part of a cluster to enter into a load balancing mode by sending one or more control messages to the plurality of firewall security devices; responsive to receiving, by the switching device, a heartbeat signal on a port of a plurality of ports of the switching device from a firewall security device of the plurality of firewall security devices, including information regarding the firewall security device and the port into a load balancing table maintained by the switching device that maps a plurality of hash values or emulated hash values output by the load balancing function to the plurality of ports; receiving, by the switching device, a packet from a client device associated with the network; and forwarding, by the switching device, the packet to a firewall security device of the cluster by: determining a hash value or an emulated hash value by applying the load balancing function to values associated with the bit positions of the number of bits within the packet; identifying a port of the plurality of ports to which the firewall security device is coupled based on the hash value or the emulated hash value and the load balancing table; and transmitting the packet to the firewall security device via the identified port.
Address: Sunnyvale CA US
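
The forwarding path described in the abstract and claim 1, sketched as an added example that is not taken from the patent or from any Fortinet product: heartbeats populate the table, and a packet's port is chosen from bits gathered at configured, non-contiguous positions. The class and function names, the IPv4 field widths, the concatenation order of the fields and the modulo spread of hash values across ports are all assumptions.

```python
# Added illustration, not the patent's implementation. Field widths assume IPv4;
# the modulo spread of hash values across ports is an assumption.
import ipaddress

# (field, width in bits), most significant first; bit 0 of the key is the LSB of dst.
FIELDS = [("tos", 8), ("proto", 8), ("sport", 16), ("dport", 16), ("src", 32), ("dst", 32)]

def pack_key(pkt):
    """Concatenate the six header fields into one 112-bit integer."""
    key = 0
    for name, width in FIELDS:
        value = pkt[name]
        if name in ("src", "dst"):
            value = int(ipaddress.IPv4Address(value))
        key = (key << width) | (value & ((1 << width) - 1))
    return key

def emulated_hash(pkt, bit_positions):
    """Gather the configured, possibly non-contiguous, bits into a small integer."""
    key, out = pack_key(pkt), 0
    for pos in bit_positions:
        out = (out << 1) | ((key >> pos) & 1)
    return out

class Switch:
    def __init__(self, bit_positions):
        self.bit_positions = list(bit_positions)
        self.fsd_by_port = {}   # port -> FSD info, filled in by heartbeats
        self.table = {}         # hash value -> port

    def on_heartbeat(self, port, fsd_info):
        """Record the FSD and its port, then remap every hash value to a port."""
        self.fsd_by_port[port] = fsd_info
        ports = sorted(self.fsd_by_port)
        self.table = {h: ports[h % len(ports)]
                      for h in range(1 << len(self.bit_positions))}

    def forward(self, pkt):
        """Return (port, FSD info) for the packet; raise if no FSD is registered."""
        if not self.table:
            raise LookupError("no FSD has sent a heartbeat yet")
        port = self.table[emulated_hash(pkt, self.bit_positions)]
        return port, self.fsd_by_port[port]

# Constructed sample: select src bits 1 and 0 (key bits 33, 32) and dst bit 0.
SAMPLE = {"tos": 0, "proto": 6, "sport": 40000, "dport": 443,
          "src": "10.0.0.5", "dst": "192.0.2.10"}

if __name__ == "__main__":
    sw = Switch([33, 32, 0])
    for port, fsd in [(1, "fsd-a"), (2, "fsd-b"), (3, "fsd-c")]:
        sw.on_heartbeat(port, fsd)
    print(sw.forward(SAMPLE))
```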