LOAD BALANCING AMONG A CLUSTER OF FIREWALL SECURITY DEVICES
First Claim
1. A method of gracefully handling an imminent shutdown of a first active cluster unit of a plurality of cluster units of a high availability (HA) cluster of firewall security devices associated with a private Internet Protocol (IP) network, the method comprising:
- configuring, by a network switching device coupled to the HA cluster, a load balancing function implemented by the network switching device based on information received from a network administrator indicative of (i) a number of bits to be used as an input to the load balancing function and (ii) corresponding contiguous or non-contiguous bit positions within a header of a packet;
maintaining, by the network switching device, a load balancing table that forms associations between hash values or emulated hash values output by the load balancing function and corresponding ports of a plurality of ports of the network switching device to which the plurality of cluster units are coupled, wherein the first active cluster unit is coupled to a first port of the plurality of ports;
responsive to receiving, by the network switching device, an indication from the first active cluster unit regarding the imminent shutdown of the first active cluster unit;
selecting, by the network switching device, a second cluster unit of the plurality of cluster units, coupled to a second port of the plurality of ports, to perform security services on traffic sessions for which the security services are currently being performed by the first active cluster unit; and
updating, by the network security device, the load balancing table by replacing a reference to the first port with a reference to the second port for those of the associations between one or more of the hash values or emulated hash values and the first port;
receiving, by the network switching device, network traffic; and
directing, by the network switching device, the network traffic to appropriate cluster units of the plurality of cluster units by;
determining a hash value or an emulated hash value by applying the load balancing function to values associated with the bit positions of the number of bits within headers of packets of the network traffic;
identifying a port of the plurality of ports to which an appropriate cluster unit of the plurality of cluster units is coupled based on the determined hash value or the determined emulated hash value and the load balancing table; and
passing the network traffic to the appropriate cluster unit via the identified port, whereby security services for network traffic associated with the traffic sessions is performed by the second cluster unit.
0 Assignments
0 Petitions
Accused Products
Abstract
A method for balancing load among firewall security devices (FSDs) is provided. According to one embodiment, imminent shutdown of a first cluster unit of an HA cluster of FSDs is gracefully handled by a switching device. A load balancing (LB) table, forming associations between hash values output by the LB function and corresponding ports of the switching device to which the cluster units are coupled, is maintained. The first cluster unit is coupled to a first port. Responsive to imminent shutdown of the first cluster unit: (i) a second cluster unit, coupled to a second port, is selected to perform security services on traffic sessions handled by the first cluster unit; and (ii) the LB table is updated by replacing reference(s) to the first port with reference(s) to the second port. Security services for subsequently received network traffic associated with the traffic sessions is performed by the second cluster unit.
58 Citations
20 Claims
-
1. A method of gracefully handling an imminent shutdown of a first active cluster unit of a plurality of cluster units of a high availability (HA) cluster of firewall security devices associated with a private Internet Protocol (IP) network, the method comprising:
-
configuring, by a network switching device coupled to the HA cluster, a load balancing function implemented by the network switching device based on information received from a network administrator indicative of (i) a number of bits to be used as an input to the load balancing function and (ii) corresponding contiguous or non-contiguous bit positions within a header of a packet; maintaining, by the network switching device, a load balancing table that forms associations between hash values or emulated hash values output by the load balancing function and corresponding ports of a plurality of ports of the network switching device to which the plurality of cluster units are coupled, wherein the first active cluster unit is coupled to a first port of the plurality of ports; responsive to receiving, by the network switching device, an indication from the first active cluster unit regarding the imminent shutdown of the first active cluster unit; selecting, by the network switching device, a second cluster unit of the plurality of cluster units, coupled to a second port of the plurality of ports, to perform security services on traffic sessions for which the security services are currently being performed by the first active cluster unit; and updating, by the network security device, the load balancing table by replacing a reference to the first port with a reference to the second port for those of the associations between one or more of the hash values or emulated hash values and the first port; receiving, by the network switching device, network traffic; and directing, by the network switching device, the network traffic to appropriate cluster units of the plurality of cluster units by; determining a hash value or an emulated hash value by applying the load balancing function to values associated with the bit positions of the number of bits within headers of packets of the network traffic; identifying a port of the plurality of ports to which an appropriate cluster unit of the plurality of cluster units is coupled based on the determined hash value or the determined emulated hash value and the load balancing table; and passing the network traffic to the appropriate cluster unit via the identified port, whereby security services for network traffic associated with the traffic sessions is performed by the second cluster unit. - View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
-
-
12. A non-transitory computer-readable storage medium readable by one or more processors of a network switching device coupled to a high availability (HA) cluster of firewall security devices associated with a private Internet Protocol (IP) network, the computer-readable storage medium embodying a set of instructions executable by the one or more processors to perform a method of gracefully handling an imminent shutdown of a first active cluster unit of the plurality of cluster units, the method comprising:
-
configuring a load balancing function implemented by the network switching device based on information received from a network administrator indicative of (i) a number of bits to be used as an input to the load balancing function and (ii) corresponding contiguous or non-contiguous bit positions within a header of a packet; maintaining a load balancing table that forms associations between hash values or emulated hash values output by the load balancing function and corresponding ports of a plurality of ports of the network switching device to which the plurality of cluster units are coupled, wherein the first active cluster unit is coupled to a first port of the plurality of ports; responsive to receiving an indication from the first active cluster unit regarding the imminent shutdown of the first active cluster unit; selecting a second cluster unit of the plurality of cluster units, coupled to a second port of the plurality of ports, to perform security services on traffic sessions for which the security services are currently being performed by the first active cluster unit; and updating the load balancing table by replacing a reference to the first port with a reference to the second port for those of the associations between one or more of the hash values or emulated hash values and the first port; receiving network traffic; and directing the network traffic to appropriate cluster units of the plurality of cluster units by; determining a hash value or an emulated hash value by applying the load balancing function to values associated with the bit positions of the number of bits within headers of packets of the network traffic; identifying a port of the plurality of ports to which an appropriate cluster unit of the plurality of cluster units is coupled based on the determined hash value or the determined emulated hash value and the load balancing table; and passing the network traffic to the appropriate cluster unit via the identified port, whereby security services for network traffic associated with the traffic sessions is performed by the second cluster unit. - View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
-
Specification