It may be desirable to provide a network application service by bundling multiple application nodes to achieve high scalability. Each application node (i.e., an appliance form factor or service module) may run an identical policy suite and maintain a coherent running state. By clustering application nodes, it may be possible to aggregate the resources of the cluster to accommodate heavier system load. For example, an application cluster including n active nodes may achieve close-to-n× performance. The application cluster may be provided between a remote client and server. In some implementations, the application cluster may provide a network application service such as a firewall, for example. Network traffic flowing between the remote client and server may be intercepted by the application cluster and inspected by one of the application nodes before a service is performed on the network traffic. When the network application service is a firewall, the application node may enforce security rules and either forward or drop the intercepted packet, for example.
The application nodes may be bundled using a port channel for network traffic. In a port channel, a plurality of network ports are bundled into a group (i.e., a single logical port channel), which provides increased bandwidth and redundancy. The port channel remains operational as long as a single network port within the port channel is operational. In addition, a hashing algorithm may be used to determine which network port within the port channel should receive the packet. It is also possible to provide load-balancing among the application nodes using the hashing algorithm.
Many network application services require incoming and return packets for the same TCP session to be handled by the same application node. This is known as symmetric flow persistence. To ensure symmetric flow persistence, the application nodes may designate a control link VLAN for accommodating control traffic (i.e., communication among member nodes) such as packet forwarding, flow state replication, etc. In other words, the port channel may accommodate the network traffic flowing between the remote client and server and the control link VLAN may accommodate the control traffic flowing among the member nodes. When a control link VLAN is provided in addition to the port channel, each application node divides the available network resources at the network interface controller (NIC). In particular, the available bandwidth is allocated between the port channel and the control link VLAN. However, it is difficult to allocate the proper amount of bandwidth to the control link VLAN because many factors contribute to how much control traffic flows among the member nodes. If too much bandwidth is allocated to the control link VLAN, the total available bandwidth is underutilized. On the other hand, if too little bandwidth is allocated, the control link VLAN becomes saturated, which degrades the effective bandwidth of the cluster. In addition, when each application node includes a link within the port channel and a link within the control link VLAN, each application node is more susceptible to failure because failure may result from failure of either link.
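As an added illustration (not part of the original text) of why symmetric flow persistence is not automatic when a port channel hashes packets to member nodes: a hash computed over the packet's 5-tuple in header order steers a TCP session's forward and return packets to different nodes for most sessions, which is the case the control-link packet forwarding above must absorb. The `Flow` type, the member-selection functions and the constructed sample sessions are assumptions of this example, and the order-independent hash shown for contrast is not presented as the document's method.

```python
import hashlib
from typing import Callable, List, NamedTuple


class Flow(NamedTuple):
    src_ip: str
    dst_ip: str
    proto: int
    src_port: int
    dst_port: int

    def reverse(self) -> "Flow":
        # The return packet of the same TCP session as the port channel sees it.
        return Flow(self.dst_ip, self.src_ip, self.proto, self.dst_port, self.src_port)


def _digest(fields: tuple) -> int:
    # Stand-in for a NIC/switch hash; any deterministic hash shows the same effect.
    data = "|".join(str(f) for f in fields).encode()
    return int.from_bytes(hashlib.sha256(data).digest()[:8], "big")


def asymmetric_member(flow: Flow, n_members: int) -> int:
    """Direction-sensitive hash: 5-tuple fields used in packet-header order."""
    return _digest(tuple(flow)) % n_members


def symmetric_member(flow: Flow, n_members: int) -> int:
    """Order-independent hash: endpoints sorted so both directions pick one node."""
    lo, hi = sorted([(flow.src_ip, flow.src_port), (flow.dst_ip, flow.dst_port)])
    return _digest((flow.proto,) + lo + hi) % n_members


def needs_control_link_forward(flow: Flow, n_members: int,
                               member_of: Callable[[Flow, int], int]) -> bool:
    """True when the return packet lands on a node other than the one that
    inspected the forward packet, so it must be forwarded over the control link."""
    return member_of(flow, n_members) != member_of(flow.reverse(), n_members)


def sample_flows(count: int) -> List[Flow]:
    # Constructed sample sessions: clients in 10.0.0.0/24 talking to a server on TCP/443.
    return [Flow(f"10.0.0.{i % 254 + 1}", "192.0.2.10", 6, 1024 + i, 443)
            for i in range(count)]


def count_forwarded(flows: List[Flow], n_members: int,
                    member_of: Callable[[Flow, int], int]) -> int:
    """Number of sessions whose return traffic would cross the control link VLAN."""
    return sum(needs_control_link_forward(f, n_members, member_of) for f in flows)


if __name__ == "__main__":
    flows = sample_flows(200)
    print("asymmetric hash, 4 nodes:", count_forwarded(flows, 4, asymmetric_member), "of 200")
    print("symmetric hash,  4 nodes:", count_forwarded(flows, 4, symmetric_member), "of 200")
```

With a direction-sensitive hash and four nodes, roughly three quarters of sessions have their return packets steered to a different node, which is the control traffic the passage describes as hard to budget bandwidth for.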