
MWG Network Topology - Traffic flows and failures

We currently have two McAfee Web Gateways that were purchased to provide web filtering for two LAN networks. The question is how to implement them into our topology. Inline is not an option. WCCP is what we would like to implement (this is our first implementation of WCCP).

The concern is traffic flow from the LAN perspective in an MWG failure scenario. In a normal scenario, a requirement is to have all LAN 1 traffic use "Carrier 1" for Internet access and all LAN 2 traffic use "Carrier 2" for Internet traffic. The issue is that when traffic is redirected to an MWG, the traffic will use the default gateway of the MWG to make the request to the Internet. This is fine in a normal scenario, since the MWG default gateway can be the router attached to whichever "Carrier" we want the traffic to use. However, what happens if one MWG fails? All traffic from both routers (if the service IDs are configured correctly) can be redirected to the functioning MWG, but it will only use the carrier connected to its default gateway as the path for requests.

There seem to be a number of ways to balance traffic in a failure scenario from the router perspective, but is there any way to maintain the traffic flow so that LAN and respective MWG proxy traffic will always use the same router as its gateway if one MWG fails? Hoping there is some way to accomplish this with the manipulation of WCCP, NIC bonding (need to verify if this is possible) or some dynamic routing protocols (the MWG supports Quagga, I believe). Anyone have any ideas?

7 Replies
eelsasser
Level 15

Re: MWG Network Topology - Traffic flows and failures

Is there any point in your network where RTR1 and RTR2 can talk to both carriers?

That is, all hosts use one default gateway address, but the router decides which carrier to use based on the host's IP address.

For example, at home I have one router connected to 2 ISPs (cable & DSL).

I can setup a policy route on my router to determine which PC uses which ISP.

There is a new feature in MWG 7.5.0 that lets you specify the Outbound.IP address on it.

I can have a rule that states if Client.IP is in range 192.168.0.0/24, the proxy sends its web request out its primary IP address (192.168.1.10) to the default gateway (192.168.1.1).

I then have another rule that states if the Client.IP is in 192.168.2.0/24, send the traffic to the default gateway using an alias IP of 192.168.1.11.

My router has a policy route that sends all traffic from source IP 192.168.1.10 to Cable and everything from source IP 192.168.1.11 to DSL. But the MWG still uses the single default gateway of 192.168.1.1.


Re: MWG Network Topology - Traffic flows and failures

Thank you for the quick response. MWG version 7.5 supports some sort of policy based routing? Basically what you have stated is I can set up a policy on the MWG and force a specific gateway to be used for web requests based on the source IP (in this case LAN 1 or LAN 2). Is this accurate? Are you using WCCP for the redirection in your topology?

eelsasser
Level 15

Re: MWG Network Topology - Traffic flows and failures

MWG doesn't do the policy routing to the router. It always sends to the single default GW. There is no avoiding that at all.

What I'm saying is that if that single default gateway on the router has a way to policy route based on the source IP (the MWG's IP address), you can configure the router to send to the correct carrier.

MWG 7.5.0 can send traffic from a specific source IP alias on the NIC based on the Client.IP of the user.

WCCP shouldn't matter. All Internet traffic initiates a new TCP session from the MWG's IP address (or one of its Outbound.IP addresses), even with WCCP.

Troja
Level 14

Re: MWG Network Topology - Traffic flows and failures

Hi all,

I implemented a solution in a 6000-user environment. We used WCCP.

First of all, load balancing and failover are default features of the WCCP protocol.

- Configure the WCCP configuration on the router. If no WCCP device (MWG) connects to the WCCP router no packets are redirected.

- Based on the Cisco hardware you can define several ports per WCCP group.

- Important, different WCCP groups should be configured for UDP/TCP traffic.

- Afterwards configure the same WCCP groups with the same Ports on MWG.

- Activate WCCP on MWG

After activating WCCP, MWG and the router do a "handshake". If this works, the router sends the traffic to MWG based on the configuration.

- If one MWG fails, no problem. The WCCP router acknowledges this and redirects the traffic to any available WCCP device. If any WCCP device is missing, the router automatically disables WCCP.

MWG forwards, as eelsasser said, all traffic to the configured default gateway. If your network environment is managing the carriers, everything is fine and you don't have to configure anything else on MWG.

Some information when using WCCP

- Authentication is only possible with the "Try Authentication" ruleset. We implemented this in a POC at a customer and it worked fine.

- WCCP makes some load on the router. Keep this monitored.

Hope this helps,

Cheers


Re: MWG Network Topology - Traffic flows and failures

Thanks for the explanation. I think the below topology will work, but of course testing is needed. I can do policy-based routing to a specific gateway address from a specific host address on the layer 3 switch. Then the layer 3 switch will use its own default gateway to the correct carrier. What configuration is needed on the MWG to make this work? Is the "source IP alias" configured anywhere else on the MWG?

eelsasser
Level 15

Re: MWG Network Topology - Traffic flows and failures

I think you got it.

Here's what I see according to your diagram:

MWG1:
IP Address: 192.168.1.5
Alias: 192.168.1.6
Default GW: 192.168.1.1
[screenshot: mwg1.png]

MWG2:
IP Address: 192.168.1.13
Alias: 192.168.1.14
Default GW: 192.168.1.9
[screenshot: mwg2.png]

Rules:

Rule set "Forward Traffic"   [✔] Enabled   [✘] Disabled in Cloud
Applies to: [] Requests [] Responses [] Embedded Objects
Criteria: Always

Rule "MWG1: Outbound.IP"   [✔] Enabled
  Criteria: System.HostName equals "MWG1"
            AND Client.IP is in range 10.10.20.0/24
  Action:   Continue
  Events:   Enable Outbound Source IP Override(192.168.1.6)

Rule "MWG2: Outbound.IP"   [✔] Enabled
  Criteria: System.HostName equals "MWG2"
            AND Client.IP is in range 10.10.10.0/24
  Action:   Continue
  Events:   Enable Outbound Source IP Override(192.168.1.14)
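The design agreed in this thread has three moving parts (WCCP picks the proxy, the MWG rule picks the source address, the layer 3 switch policy-routes on that source address), and the requirement only holds if all three line up in every failure state. The following Python model is an added example, not code from the thread, from the posters or from McAfee; it traces a client request through the three parts for the normal case and for each single-MWG failure, using the addresses from the post above. Everything else is an assumption made for the model: LAN 1 is 10.10.10.0/24 and must exit via Carrier 1, LAN 2 is 10.10.20.0/24 and must exit via Carrier 2, WCCP homes each LAN on "its" MWG and falls over to whichever member is still alive (a real router uses a hash or mask assignment), and the layer 3 switch's policy route is the `PBR` table keyed on the proxy's source IP.

```python
import ipaddress
from dataclasses import dataclass, field

# Assumed addressing (not stated on the page): LAN 1 is 10.10.10.0/24 and
# must exit via Carrier 1; LAN 2 is 10.10.20.0/24 and must exit via Carrier 2.
LAN1 = ipaddress.ip_network("10.10.10.0/24")
LAN2 = ipaddress.ip_network("10.10.20.0/24")
CARRIER1, CARRIER2 = "Carrier 1", "Carrier 2"


@dataclass
class MWG:
    """One Web Gateway: a single default gateway, a primary IP, and the
    'Outbound Source IP Override' rules from the thread."""
    name: str
    primary_ip: str
    default_gw: str
    rules: list = field(default_factory=list)   # [(client network, outbound IP)]
    alive: bool = True

    def outbound_source(self, client_ip: str) -> str:
        # The proxy opens a new TCP session itself; the rule only changes the
        # source address. The next hop is always self.default_gw.
        client = ipaddress.ip_address(client_ip)
        for net, ip in self.rules:
            if client in net:
                return ip
        return self.primary_ip


# Addresses and rules from eelsasser's final post.
MWG1 = MWG("MWG1", "192.168.1.5", "192.168.1.1", rules=[(LAN2, "192.168.1.6")])
MWG2 = MWG("MWG2", "192.168.1.13", "192.168.1.9", rules=[(LAN1, "192.168.1.14")])
MEMBERS = (MWG1, MWG2)   # assumed: members[0] is LAN 1's home, members[1] LAN 2's


def wccp_redirect(client_ip: str, members=MEMBERS):
    """Which service-group member the router redirects this client to.
    Assumption: each LAN is homed on its own MWG and any live member takes
    over when that one is down (a real router assigns by hash or mask).
    Returns None when no member is alive: the router then stops redirecting."""
    alive = [m for m in members if m.alive]
    if not alive:
        return None
    home = members[0] if ipaddress.ip_address(client_ip) in LAN1 else members[1]
    return home if home.alive else alive[0]


# Assumed policy route on the layer 3 switch: proxy source IP -> carrier.
PBR = {
    "192.168.1.5":  CARRIER1,   # MWG1 primary: LAN 1 clients in normal operation
    "192.168.1.14": CARRIER1,   # MWG2 alias:   LAN 1 clients while MWG1 is down
    "192.168.1.13": CARRIER2,   # MWG2 primary: LAN 2 clients in normal operation
    "192.168.1.6":  CARRIER2,   # MWG1 alias:   LAN 2 clients while MWG2 is down
}


def path_for(client_ip: str, members=MEMBERS):
    """Trace one client request: (MWG name, proxy source IP, carrier), or
    None if WCCP has no live member and the request is not proxied at all."""
    mwg = wccp_redirect(client_ip, members)
    if mwg is None:
        return None
    src = mwg.outbound_source(client_ip)
    return mwg.name, src, PBR[src]


def carriers_hold() -> bool:
    """Check the requirement in every state that leaves at least one proxy up:
    LAN 1 always exits via Carrier 1 and LAN 2 always via Carrier 2."""
    wanted = {"10.10.10.25": CARRIER1, "10.10.20.25": CARRIER2}  # constructed clients
    ok = True
    for m1_up, m2_up in [(True, True), (False, True), (True, False)]:
        MWG1.alive, MWG2.alive = m1_up, m2_up
        for client, carrier in wanted.items():
            ok = ok and path_for(client)[2] == carrier
    MWG1.alive = MWG2.alive = True
    return ok


if __name__ == "__main__":
    for client in ("10.10.10.25", "10.10.20.25"):
        print(client, "normal:", path_for(client))
    MWG1.alive = False
    for client in ("10.10.10.25", "10.10.20.25"):
        print(client, "MWG1 down:", path_for(client))
    MWG1.alive = True
    print("requirement holds in all single-failure states:", carriers_hold())
```

The check that matters is `carriers_hold()`: it only passes because the alias on each MWG is mapped, on the switch, to the *other* carrier than that MWG's primary address. If the `PBR` table were written per proxy rather than per source address, the model reproduces the original problem (all failover traffic leaves via the surviving MWG's carrier), which is the case worth testing on the real switch before relying on it. The model also shows the both-down case returning `None`: WCCP then stops redirecting and clients reach the Internet unfiltered through the router's normal route, so that state needs an explicit decision (block or allow) in the router configuration.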

Re: MWG Network Topology - Traffic flows and failures

Thank you! I believe you have cleared up some of my confusion. We will be testing hopefully this week. I will update on our progress once completed.
