
SDWAN Service traffic routing using Centralized Policy

kay.kang
Level 1

Hi,

We are using the Zscaler cloud service through GRE tunnels and have set the default route using a GRE route under the service VPN (vpn1), which is taken by client traffic on the LAN side (service side) when it goes to the Internet.

The GRE tunnel is established over the Internet link (VPN0).

And we have a default route on the transport side (VPN0) with NAT.

Recently, we added a new system communicating with a cloud service on the Internet.

We want PCs to use GRE tunnel routing and want the client cloud GW to use the normal default route.

We're considering using a centralized data policy to achieve the goal, as in the attached snapshot below.

What I am not sure about with this solution is how the traffic coming from PCs will be routed if the cloud service traffic is handled by the centralized data policy.

Will the traffic be routed using the existing GRE default route?

[Attachment: 8x8 routing.PNG]


Dillon Stone
Level 1

We are using Zscaler as well. We route to primary and backup GRE tunnels, then use a bypass filter for our services that need to bypass Zscaler and come from a static source address. So the basic statement on the vEdges is:

ip gre-route 0.0.0.0/0 vpn 0 interface gre3 gre1

It looks like what you are doing above will send them directly out to the internet.

 

Hey Dillon,

Nice one... I am also interested in this solution.

Could you perhaps show the bypass filter and related config, please... if you don't mind?

Ciao

JC

Sure thing....  

interface gre1
 description Zscaler_Dallas
 ip address 172.1.1.1/30
 tunnel-source-interface ge0/1
 tunnel-destination 165.225.216.22
 mtu 1476
 tcp-mss-adjust 1432
 no shutdown
!
interface gre2
 description Zscaler_Denver
 ip address 172.1.1.4/30
 tunnel-source-interface ge0/1
 tunnel-destination 165.225.10.22
 mtu 1476
 tcp-mss-adjust 1432
 no shutdown


vpn 10
 name Service_VLAN
 interface ge0/3.1000
  description "Service Interface"
  ip address 10.10.10.1/29
  mtu 1496
  no shutdown
 !
 ip gre-route 0.0.0.0/0 vpn 0 interface gre3 gre1

 

**Global Policy for all sites**

from-vsmart data-policy _Service_VPN_Zscaler_Bypass_Data_Policy
 direction from-service
 vpn-list Service_VPN
  sequence 1
   match
    destination-data-prefix-list Zscaler-Bypass
   action accept
    nat use-vpn 0
    no nat fallback
  default-action


*for sites that filter access by IP address or have Zscaler issues*

from-vsmart lists data-prefix-list Zscaler-Bypass
 ip-prefix 1.2.3.4/24
 ip-prefix 2.2.3.5/32
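
Every prefix in a bypass list like the one above is traffic that leaves without Zscaler inspection, so the list is worth auditing. The following is an added example, not part of the thread or of any poster's configuration: it parses the posted `Zscaler-Bypass` list, flags entries that cover more addresses than they appear to, and models which path a destination takes. It assumes prefix-length matching and that unmatched traffic follows the service-VPN GRE default route; `max_hosts` and the path labels are hypothetical names.

```python
import ipaddress

# Bypass list as posted in the thread (the prefixes are the page's placeholders).
BYPASS_LIST = """\
from-vsmart lists data-prefix-list Zscaler-Bypass
 ip-prefix 1.2.3.4/24
 ip-prefix 2.2.3.5/32
"""

def parse_prefixes(text):
    """Return (raw, network) pairs for every ip-prefix line."""
    out = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "ip-prefix":
            # strict=False accepts entries whose host bits are set
            out.append((parts[1], ipaddress.ip_network(parts[1], strict=False)))
    return out

def audit(prefixes, max_hosts=1):
    """Flag entries that bypass more addresses than intended.
    max_hosts is a hypothetical review threshold, not a Cisco setting."""
    findings = []
    for raw, net in prefixes:
        if raw.split("/")[0] != str(net.network_address):
            findings.append((raw, f"host bits set; covers all of {net}"))
        elif net.num_addresses > max_hosts:
            findings.append((raw, f"covers {net.num_addresses} addresses"))
    return findings

def path_for(dst, prefixes):
    """Model the forwarding decision. Assumption: matched destinations are
    NATed out VPN 0, everything else follows the GRE default route."""
    ip = ipaddress.ip_address(dst)
    if any(ip in net for _, net in prefixes):
        return "direct-nat-vpn0"
    return "zscaler-gre"

if __name__ == "__main__":
    prefixes = parse_prefixes(BYPASS_LIST)
    for raw, why in audit(prefixes):
        print(f"REVIEW {raw}: {why}")
    for dst in ("1.2.3.200", "2.2.3.5", "8.8.8.8"):  # constructed destinations
        print(dst, "->", path_for(dst, prefixes))
```

The `1.2.3.4/24` entry is reported because it reads like a single host but exempts the whole `1.2.3.0/24` range from inspection.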
