Packet Dispatch mode and how it works

In Packet Dispatch mode, the node selected as the dispatcher on the physical interface assigns the packets to itself or to some other node. The assigned node then handles the actual resource-intensive traffic processing. The dispatcher attempts to balance the nodes’ loads evenly, but assigns all packets that belong to the same connection to the same node. The node that acts as the packet dispatcher can be different for CVIs on different physical interfaces. The following illustration shows an example of how packet dispatch handles a connection.

Figure: Packet Dispatch CVI Mode

1

The dispatcher node for CVI 1 receives a new packet.

2

The dispatcher node either handles the packet itself or dispatches the packet to one of the other firewall nodes for processing according to the load-balancing filter. The packet is sent to the other node through the interface the packet arrived from.

3

The dispatcher node for CVI 2 forwards the replies within the open connection to the same node.

One node is responsible for handling each connection. The node responsible for the connection handles all resource-consuming tasks: it determines if the connection is allowed to continue, translates addresses as necessary, and logs the connection.

The dispatcher node controls the CVI’s IP address and MAC address. The other nodes use their own physical interface’s MAC address for the same CVI. When the dispatcher node goes offline, one of the other nodes becomes the dispatcher node. The new dispatcher node changes its interface’s MAC address to the address defined for the Packet Dispatch CVI.

The network switch must update its address table without significant delay when the packet dispatcher MAC address is moved to another firewall node. This operation is a standard network addressing operation where the switch learns that the MAC address is located behind a different switch port. Then, the switch forwards traffic destined to the CVI address to this new packet dispatcher.