Currently have two McAfee Web Gateways that were purchased to provide web filtering for two LAN networks. The question is how to implement them into our topology. Inline is not an option. WCCP is what we would like to implement (this is our first implementation of WCCP). The concern is traffic flow from the LAN perspective in a MWG failure scenario. In a normal scenario, a requirement is to have all LAN 1 traffic use "Carrier 1" for Internet access and have all LAN 2 traffic use "Carrier 2" for Internet traffic. The issue is when traffic is redirected to a MWG, the traffic will use the default gateway of the MWG to make the request to the Internet. This is fine in a normal scenario since the MWG default gateway can be the router attached to whichever "Carrier" we want the traffic to use. However, what happens if one MWG fails? All traffic from both routers (if the service IDs are configured correctly) can be redirected to the functioning MWG but only use the carrier connected to its default gateway as the path the MWG will use for requests. There seems to be a number of ways to possibly balance traffic in a failure scenario from the router perspective, but is there any way to maintain the traffic flow so LAN and respective MWG proxy traffic will always use the same router as its gateway if one MWG fails? Hoping there is some way to accomplish this with the manipulation of WCCP, NIC Bonding (need to verify if this is possible) or some dynamic routing protocols (the MWG supports Quagga I believe). Anyone have any ideas?
Is there any point in your network where RTR1 and RTR2 can talk to both carriers?
That is, all hosts use one default gateway address, but the router decides which carrier to use based on the host's IP address.
For example, at home I have one router connected to 2 ISPs (cable & DSL).
I can set up a policy route on my router to determine which PC uses which ISP.
There is a new feature in MWG 7.5.0 that lets you specify the Outbound.IP address on it.
I can have a rule that states if Client.IP is in range 192.168.0.0/24, the proxy sends its web request out its primary IP address (192.168.1.10) to the default gateway (192.168.1.1).
I then have another rule that states if the Client.IP is in 192.168.2.0/24, send the traffic to the default gateway using an alias IP of 192.168.1.11.
My router has a policy route that sends all traffic from source IP 192.168.1.10 to Cable and everything from source IP 192.168.1.11 to DSL. But the MWG still uses the single default gateway of 192.168.1.1.
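The router-side half of this arrangement, written out as an added example (not configuration from the thread or from McAfee). It assumes eelsasser's single-router topology: the MWG's only default gateway is 192.168.1.1, the MWG sources LAN 1 traffic from 192.168.1.10 and LAN 2 traffic from the 192.168.1.11 alias (both from the post), and the Cable and DSL next hops are the placeholder addresses 203.0.113.1 and 198.51.100.1 on a Cisco IOS router whose MWG-facing interface is GigabitEthernet0/0.

```cisco
! Added example, not from the thread: Cisco IOS policy-based routing on the
! router that is the MWG's single default gateway (192.168.1.1).
! From the post: MWG primary IP 192.168.1.10 -> Cable, alias 192.168.1.11 -> DSL.
! Assumptions (placeholders): Cable next-hop 203.0.113.1, DSL next-hop
! 198.51.100.1, MWG-facing interface GigabitEthernet0/0.
!
! Reachability probes so a dead carrier does not black-hole its MWG source IP.
ip sla 1
 icmp-echo 203.0.113.1
 frequency 10
ip sla schedule 1 life forever start-time now
ip sla 2
 icmp-echo 198.51.100.1
 frequency 10
ip sla schedule 2 life forever start-time now
track 1 ip sla 1 reachability
track 2 ip sla 2 reachability
!
! Match only the MWG's two source addresses; everything else is routed normally.
ip access-list extended MWG-PRIMARY-SRC
 permit ip host 192.168.1.10 any
ip access-list extended MWG-ALIAS-SRC
 permit ip host 192.168.1.11 any
!
route-map CARRIER-SELECT permit 10
 match ip address MWG-PRIMARY-SRC
 set ip next-hop verify-availability 203.0.113.1 10 track 1
route-map CARRIER-SELECT permit 20
 match ip address MWG-ALIAS-SRC
 set ip next-hop verify-availability 198.51.100.1 10 track 2
! No catch-all clause: unmatched traffic falls through to the routing table.
!
interface GigabitEthernet0/0
 description LAN segment holding the MWG (default gateway 192.168.1.1)
 ip address 192.168.1.1 255.255.255.0
 ip policy route-map CARRIER-SELECT
```

`show route-map CARRIER-SELECT` shows per-clause match counters and `show track` shows whether each carrier probe is up. The selection key is the MWG's source IP, not the client's, so if one MWG fails and the surviving appliance receives both LANs' requests, its Outbound.IP rules keep each LAN on its own source address and this route map keeps each source address on its own carrier. The `verify-availability ... track` form covers a different failure: when a carrier's next hop stops answering, that clause is skipped and the traffic falls back to the ordinary routing table rather than being dropped.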
Thank you for the quick response. MWG version 7.5 supports some sort of policy based routing? Basically what you have stated is I can set up a policy on the MWG and force a specific gateway to be used for web requests based on the source IP (in this case LAN 1 or LAN 2). Is this accurate? Are you using WCCP for the redirection in your topology?
MWG doesn't do the policy routing to the router. It always sends to the single default GW. There is no avoiding that at all.
What I'm saying is that if that single default gateway on the router has a way to policy route based on the source IP (the MWG's IP address), you can configure the router to send to the correct carrier.
MWG 7.5.0 can send traffic from a specific source IP alias on the NIC based on the Client.IP of the user.
WCCP shouldn't matter. All Internet traffic initiates a new TCP session from the MWG's IP address (or one of its Outbound.IP addresses) even with WCCP.
I implemented a solution in a 6000 user environment. We used WCCP.
First of all, load balancing and failover are default features of the WCCP protocol.
- Configure the WCCP configuration on the router. If no WCCP device (MWG) connects to the WCCP router no packets are redirected.
- Based on the Cisco hardware you can define several ports per WCCP group.
- Important, different WCCP groups should be configured for UDP/TCP traffic.
- Afterwards configure the same WCCP groups with the same Ports on MWG.
- Activate WCCP on MWG
After activating WCCP, MWG and router perform a "handshake". If this works, the router sends the traffic to MWG based on the configuration.
- If one MWG fails, no problem. The WCCP router acknowledges this and redirects the traffic to any available WCCP device. If any WCCP device is missing, the router automatically disables WCCP.
MWG forwards, as eelsasser said, any traffic to the configured default gateway. If your network environment is managing the carriers, everything is fine and you don't have to configure anything else on MWG.
Some information when using WCCP:
- Authentication is only possible with the "Try Authentication" ruleset. We implemented this in a POC at a customer and it worked fine.
- WCCP makes some load on the router. Keep this monitored.
Hope this helps,
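The router side of the WCCP procedure above, assembled as an added example (not configuration from the thread, from the poster's deployment, or from McAfee). It assumes a Cisco IOS router with client LANs 192.168.0.0/24 and 192.168.2.0/24, two MWG appliances at the placeholder addresses 192.168.1.10 and 192.168.1.13 on the 192.168.1.0/24 segment, dynamic service group 90 for TCP and 91 for UDP (separate groups, as the post recommends), and a shared password; the service IDs, port lists and password must match what is configured on the MWGs, and the ports themselves are defined by the engines when they join.

```cisco
! Added example, not from the thread: Cisco IOS WCCPv2 configuration on a
! router redirecting LAN web traffic to two MWG appliances.
! Assumptions (placeholders): client LANs 192.168.0.0/24 and 192.168.2.0/24,
! MWGs at 192.168.1.10 and 192.168.1.13, service groups 90 (TCP) and 91 (UDP),
! interface names, and the shared password. Service IDs and ports must match
! the MWG WCCP settings; the engines announce the port list.
!
! Redirect only client traffic. The MWGs' own outbound connections must not be
! redirected, or the router would hand the proxy's requests back to a proxy.
ip access-list extended WCCP-CLIENTS
 deny   ip host 192.168.1.10 any
 deny   ip host 192.168.1.13 any
 permit ip 192.168.0.0 0.0.0.255 any
 permit ip 192.168.2.0 0.0.0.255 any
 deny   ip any any
!
! Accept only the two known appliances as members of the service groups.
ip access-list standard WCCP-ENGINES
 permit 192.168.1.10
 permit 192.168.1.13
!
ip wccp version 2
ip wccp 90 redirect-list WCCP-CLIENTS group-list WCCP-ENGINES password EXAMPLE-PSK
ip wccp 91 redirect-list WCCP-CLIENTS group-list WCCP-ENGINES password EXAMPLE-PSK
!
interface GigabitEthernet0/1
 description LAN 1 clients
 ip address 192.168.0.1 255.255.255.0
 ip wccp 90 redirect in
 ip wccp 91 redirect in
!
interface GigabitEthernet0/2
 description LAN 2 clients
 ip address 192.168.2.1 255.255.255.0
 ip wccp 90 redirect in
 ip wccp 91 redirect in
!
interface GigabitEthernet0/0
 description MWG segment; traffic arriving from the proxies is never redirected
 ip address 192.168.1.1 255.255.255.0
 ip wccp redirect exclude in
```

`show ip wccp 90 detail` lists the engines that completed the handshake and their bucket assignment, and `show ip wccp` gives the redirected-packet counters worth graphing given the router-load caveat above. With no engine in a group nothing is redirected and clients simply route to the Internet directly, which is the fail-open behaviour the post describes; if filtering must not be bypassed when both appliances are down, that has to be handled separately, for example by restricting direct outbound web access on the router. The `group-list` and `password` keep an unexpected host from joining the service group and receiving redirected client traffic.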
Thanks for the explanation. I think the below topology will work but of course testing is needed. I can do policy based routing to a specific gateway address from a specific host address on the layer 3 switch. Then the layer 3 switch will use its own default gateway to the correct carrier. What configuration is needed on the MWG to make this work? Is the "source IP alias" configured anywhere else on the MWG?
I think you got it.
Here's what I see according to your diagram:
- IP Address: 192.168.1.5, Default GW: 192.168.1.1
- IP Address: 192.168.1.13, Default GW: 192.168.1.9
Rule settings: Enabled; not Disabled in Cloud. Applies to: Requests (not Responses or Embedded Objects).
Thank you! I believe you have cleared up some of my confusion. We will be testing hopefully this week. I will update on our progress once completed.