Cisco WAN Failover triggers more restrictive Web Filtering?

Discussion in 'Cisco' started by Wally, Oct 3, 2008.

  1. Wally


    Oct 3, 2008
    This is my first posting

    We have dual WAN links to two ISPs, with failover being achieved with a simple SLA monitor. However, the links are unequally sized (primary = 2 x E1 Multilinked over fibre, secondary = 512kbps via VSAT), and although all internet traffic is filtered using Websense, on failover everything comes screeching to a halt due to the limited bandwidth.

    Ideally I would like to be able to dynamically change the Websense Policies, making them highly restrictive (business use only), on detection of the failover. However, I have spoken to Websense and they tell me this is currently not an option.

    Can anyone offer any suggestions (not necessarily involving Websense)?

    Our setup is as follows:

    Cisco2811 (intervlan routing / ip helper) > Cisco Pix 525e A/A Pair > Cisco2811 internet router (this is where connectivity to the ISPs takes place and SLA monitor)

    Our Websense server sits on a subnet attached to the InterVLAN router, and most filtering is done based on AD group membership.

    Websense can also filter based on IP / Network address, so one thought I did have was: is it possible to implement policy-based NAT'ing on the internal router using an SLA monitor identical to the one defined on the internet router? During steady state all traffic would be routed to the Websense server using the actual IP address of the client, with all filtering decisions based on the user's AD group membership. On failover all traffic would be NAT'd before being routed to the Websense server, with a highly restrictive policy associated with that network address (with block pages informing users of the failover blah blah blah).

    Any suggestions would be greatly appreciated.
    Wally, Oct 3, 2008