LOAD BALANCING IN A NETWORK WITH SESSION INFORMATION
First Claim
1. A method comprising:
- maintaining, by a session-aware switching device, a session table, the session table including a plurality of session entries each of which represent a previously established traffic session by the session-aware switching device from a particular source device to a particular destination device and each of which form an association between the previously established traffic session and a particular firewall security device of a plurality of firewall security devices associated with the session-aware switching device;
- receiving, at a first port of a plurality of ports of the session-aware switching device, a first data packet of a first traffic session from a client device directed to a target device;
- determining, by the session-aware switching device, whether there exists among the plurality of session entries a matching session entry corresponding to the data packet by checking the session table; and
- responsive to a negative determination:
  - using a load balancing function to select a firewall security device from among the plurality of firewall security devices to associate with the first traffic session and a second traffic session from the target device to the client device;
  - causing the data packet to be processed by the selected firewall security device; and
  - after processing of the data packet by the selected firewall security device and responsive to receipt of the data packet at a second port of the plurality of ports of the session-aware switching device, installing a first session entry within the session table for the second traffic session with the target device identified as the particular source device and with the client device identified as the particular destination device and including information within the session entry that associates the selected firewall security device with the second traffic session.
Abstract
Methods and systems for balancing load among firewall security devices are provided. According to one embodiment, a switch maintains a session table the session entries of which represent established traffic sessions between a source and a destination and form an association between the traffic session and a particular firewall security device (FSD). Responsive to receiving a packet of a first traffic session on a first port, a determination is made whether there exists a matching session entry. Responsive to a negative determination, a load balancing function is performed to select an FSD with which to associate the first traffic session and a corresponding reverse second traffic session. After processing of the packet by the selected FSD and receipt of the packet at a second port, a session entry is installed within the session table for the second traffic session and which associates the selected FSD with the second traffic session.
21 Claims
1. A method comprising: (independent claim 1, reproduced in full under First Claim above) - View Dependent Claims (2, 3, 4, 5, 6)
7. A computer-readable, non-transitory storage medium tangibly embodying a set of instructions, which when executed by one or more processors of a session-aware switching device, cause the one or more processors to perform a method for load balancing among a plurality of firewall security devices associated with the session-aware switching device, the method comprising:
- receiving, at a first port of a plurality of ports of the session-aware switching device, a first data packet of a first traffic session from a client device directed to a target device;
- determining, by the session-aware switching device, whether there exists within a session table maintained by the session-aware switching device a matching session entry corresponding to the data packet by checking the session table, wherein the session table includes a plurality of session entries each of which represent a previously established traffic session by the session-aware switching device from a particular source device to a particular destination device and each of which form an association between the previously established traffic session and a particular firewall security device of the plurality of firewall security devices;
- responsive to a negative determination:
  - causing the data packet to be processed by a selected firewall security device, wherein the selected firewall security device is determined based upon a load balancing function that associates the first traffic session and a second traffic session from the target device to the client device with the selected firewall security device; and
  - after processing of the data packet by the selected firewall security device and responsive to receipt of the data packet at a second port of the plurality of ports of the session-aware switching device, causing a first session entry to be installed within the session table for the second traffic session with the target device identified as the particular source device and with the client device identified as the particular destination device and including information within the first session entry that associates the selected firewall security device with the second traffic session.
- View Dependent Claims (8, 9, 10, 11, 12)

13. A switching device comprising:
- a plurality of ports;
- a connecting unit coupled to the plurality of ports;
- one or more central processing units (CPUs) coupled to the connecting unit;
- a load balancing unit coupled to the connecting unit;
- a memory unit coupled to the load balancing unit, the memory unit having stored therein a session table, the session table including a plurality of session entries each of which represent a previously established traffic session from a particular source device to a particular destination device and each of which form an association between the previously established traffic session and a particular firewall security device of a plurality of firewall security devices associated with the switching device;
- wherein when a first data packet of a first traffic session from a client device directed to a target device is received at a first port of the plurality of ports, a determination is made by the memory unit whether there exists among the plurality of session entries a matching session entry corresponding to the data packet by checking the session table; and
- wherein responsive to a negative determination:
  - the load balancing unit selects a firewall security device from among the plurality of firewall security devices to associate with the first traffic session and a second traffic session from the target device to the client device by performing a load balancing function;
  - the connecting unit causes the data packet to be processed by the selected firewall security device; and
  - after processing of the data packet by the selected firewall security device and responsive to receipt of the data packet at a second port of the plurality of ports, the load balancing unit installs a first session entry within the session table for the second traffic session with the target device identified as the particular source device and with the client device identified as the particular destination device and including information within the first session entry that associates the selected firewall security device with the second traffic session.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21)
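As an added example (not the patent's text or any vendor's implementation), a Python model of the switch the abstract and the independent claims describe: the session table is keyed by (source, destination), a miss triggers the load balancing function (round robin is an assumption; the claims leave the function open), and the reverse-direction entry is installed when the processed packet re-enters on the second port. The addresses and port numbers are constructed, and `use_table=False` shows why that reverse entry matters: without it a stateful firewall can receive the return half of a session it never saw open.

```python
import itertools
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str   # flow endpoints as "ip:port"; sample values below are constructed
    dst: str
    port: int  # switch port the packet arrived on

class SessionAwareSwitch:
    """Model of the claimed switch: the session table maps a (src, dst) flow key
    to the firewall security device (FSD) that owns that session."""

    def __init__(self, fsds, client_port=1, server_port=2):
        self.fsds = list(fsds)
        self.client_port, self.server_port = client_port, server_port
        self.session_table = {}                 # (src, dst) -> FSD name
        self._rr = itertools.cycle(self.fsds)   # assumed LB function: round robin

    def ingress(self, pkt, use_table=True):
        """Look up the packet's flow; on a miss (or with the table disabled, to
        show the failure mode) run the load balancing function."""
        key = (pkt.src, pkt.dst)
        fsd = self.session_table.get(key) if use_table else None
        if fsd is None:
            fsd = next(self._rr)
            self.session_table[key] = fsd       # first (forward) session
        return fsd

    def from_fsd(self, pkt, fsd):
        """The FSD hands the processed packet back on the second port: install the
        reverse (second) session entry, target as source and client as destination."""
        if pkt.port == self.server_port:
            self.session_table.setdefault((pkt.dst, pkt.src), fsd)
        return self.session_table.get((pkt.dst, pkt.src))

def run_exchange(use_table=True, fsds=("fsd-a", "fsd-b")):
    """Client SYN out through the switch, SYN-ACK back; returns the FSD chosen
    for each direction plus the resulting session table."""
    sw = SessionAwareSwitch(fsds)
    client, target = "10.0.0.5:40000", "203.0.113.10:443"   # constructed
    syn = Packet(client, target, sw.client_port)
    fwd = sw.ingress(syn, use_table)
    # after FSD processing the same packet re-enters on the second port
    sw.from_fsd(Packet(client, target, sw.server_port), fwd)
    syn_ack = Packet(target, client, sw.server_port)
    rev = sw.ingress(syn_ack, use_table)
    return fwd, rev, dict(sw.session_table)
```

With the table enabled both directions land on `fsd-a`; with it disabled the return packet is round-robined to `fsd-b`, which holds no state for the session.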
Specification