Load balancing in a network with session information
Abstract
Methods and systems for balancing load among firewall security devices (FSDs) are provided. According to one embodiment, service group and VLAN associations are stored within a switching device for each front panel port and for each fabric slot of the switching device. Each of multiple FSDs providing security services for a protected network are coupled with a fabric slot. When a packet is received, the switching device: (i) tags the packet based on a VLAN ID corresponding to the VLAN to which front panel port on which it was received is assigned; (ii) identifies the service group based on the VLAN ID; (iii) selects a slot within the identified service group and thereby selects an FSD to associate with the forward traffic session and a corresponding reverse traffic session by performing a load balancing function on the packet; and (iv) causes the packet to be processed by the selected FSD.
Claims
exact text as granted — not AI-modifiedWhat is claimed is:
1 . A method comprising:
storing, within a switching device associated with a protected network, information regarding service group and Virtual Local Area Network (VLAN) associations for each of a plurality of front panel ports of the switching device and for each of a plurality of fabric slots of the switching device, wherein each service group of a plurality of service groups includes a set of one or more of a plurality of VLANs and each of the plurality of front panel ports is assigned to a VLAN of the plurality of VLANs, wherein each service group includes a set of one or more slots of the plurality of fabric slots and wherein each of a plurality of firewall security devices providing security services for the protected network are to be coupled with one of the plurality of fabric slots; and responsive to receiving, at a first front panel port of the plurality of front panel ports, a first packet of a forward traffic session from a source device coupled to the first front panel port and directed to a target device coupled to a second front panel port of the plurality of front panel ports:
tagging, by the switching device, the first packet of the forward traffic session based on a VLAN identifier (VLAN ID) corresponding to the VLAN of the plurality of VLANs to which the first front panel port is assigned;
identifying, by the switching device, the service group of the plurality of service groups in which the VLAN is included;
selecting, by a load balancing control unit of the switching device, a slot of the set of one or more slots within the identified service group and thereby selecting a firewall security device from among the plurality of firewall security devices to associate with the forward traffic session and a corresponding reverse traffic session from the target device to the source device by performing a load balancing function on at least a portion of the first packet of the forward traffic session; and
causing the first packet of the forward traffic session to be processed by the selected firewall security device by redirecting the first packet of the forward traffic session to the selected slot.
2 . The method of claim 1 , further comprising maintaining, by the switching device, session data including a plurality of session entries each of which represent a previously observed traffic session by the switching device from a particular source device to a particular destination device and each of which form an association between the previously observed traffic session and a particular firewall security device of the plurality of firewall security devices.
3 . The method of claim 2 , wherein the first packet of the forward traffic session comprises a TCP synchronize (SYN) packet.
4 . The method of claim 3 , further comprising:
responsive to said receiving, reducing vulnerability of the switching device to a TCP SYN flooding attack, by the switching device, by foregoing installation of a forward session entry for the forward traffic session within the session data; and responsive to receipt from the selected firewall security device the processed TCP SYN packet: installing, by the switching device, a reverse session entry for the corresponding reverse traffic session within the session data with the target device identified as the particular source device and with the source device identified as the particular destination device; and transmitting the processed TCP SYN packet to the target device via the second port.
5 . The method of claim 1 , wherein the plurality of session entries contain information regarding a source Internet Protocol (IP) address, a destination IP address, a protocol field, a source port number, a destination port number and a corresponding VLAN ID.
6 . The method of claim 5 , wherein the source port number and the destination port number comprise a TCP port number, a User Datagram Protocol (UDP) port number or a layer 4 port number.
7 . A non-transitory computer-readable storage medium embodying a set of instructions, which when executed by one or more processors of a switching device associated with a protected network, cause the one or more processors to perform a method for load balancing among a plurality of firewall security devices performing security services on behalf of the protected network, the method comprising:
storing information regarding service group and Virtual Local Area Network (VLAN) associations for each of a plurality of front panel ports of the switching device and for each of a plurality of fabric slots of the switching device, wherein each service group of a plurality of service groups includes a set of one or more of a plurality of VLANs and each of the plurality of front panel ports is assigned to a VLAN of the plurality of VLANs, wherein each service group includes a set of one or more slots of the plurality of fabric slots and wherein each of a plurality of firewall security devices providing security services for the protected network are to be coupled with one of the plurality of fabric slots; and responsive to receiving, at a first front panel port of the plurality of front panel ports, a first packet of a forward traffic session from a source device coupled to the first front panel port and directed to a target device coupled to a second front panel port of the plurality of front panel ports:
tagging the first packet of the forward traffic session based on a VLAN identifier (VLAN ID) corresponding to the VLAN of the plurality of VLANs to which the first front panel port is assigned;
identifying the service group of the plurality of service groups in which the VLAN is included;
selecting a slot of the set of one or more slots within the identified service group and thereby selecting a firewall security device from among the plurality of firewall security devices to associate with the forward traffic session and a corresponding reverse traffic session from the target device to the source device by performing a load balancing function on at least a portion of the first packet of the forward traffic session; and
causing the first packet of the forward traffic session to be processed by the selected firewall security device by redirecting the first packet of the forward traffic session to the selected slot.
8 . The non-transitory computer-readable storage medium of claim 7 , wherein the method further comprises maintaining session data including a plurality of session entries each of which represent a previously observed traffic session by the switching device from a particular source device to a particular destination device and each of which form an association between the previously observed traffic session and a particular firewall security device of the plurality of firewall security devices.
9 . The non-transitory computer-readable storage medium of claim 8 , wherein the first packet of the forward traffic session comprises a TCP synchronize (SYN) packet.
10 . The non-transitory computer-readable storage medium of claim 9 , wherein the method further comprises:
responsive to said receiving, reducing vulnerability of the switching device to a TCP SYN flooding attack by foregoing installation of a forward session entry for the forward traffic session within the session data; and responsive to receipt from the selected firewall security device the processed TCP SYN packet: installing a reverse session entry for the corresponding reverse traffic session within the session data with the target device identified as the particular source device and with the source device identified as the particular destination device; and transmitting the processed TCP SYN packet to the target device via the second port.
11 . The non-transitory computer-readable storage medium of claim 7 , wherein the plurality of session entries contain information regarding a source Internet Protocol (IP) address, a destination IP address, a protocol field, a source port number, a destination port number and a corresponding VLAN ID.
12 . The non-transitory computer-readable storage medium of claim 11 , wherein the source port number and the destination port number comprise a TCP port number, a User Datagram Protocol (UDP) port number or a layer 4 port number.Join the waitlist — get patent alerts
Track US2016294866A1 — get alerts on status changes and closely related new filings.
We store only your email — no account needed. See our privacy policy.