Bandwidth Control and Z-Tunnel 2.0


Currently we send Z-Tunnel2.0 traffic via GRE (we’ve been told this is no longer recommended). We’d like to bypass GRE for any Z-Tunnel2.0 traffic (anything that’s encapsulated into ZT2.0 will be sent directly into Internet). So, how does this impact Bandwidth Control for the location?

Is Zscaler going to honor ZT2.0 source IP address (NAT’ed using the same IP as GRE endpoint configured as Static IP under specific location) and will apply that location’s bandwidth control policy? Or, is it going to treat these ZTunnels as if they are Road Warriors (with unknown location)?

Many thanks

Hi @yakuza . The Zscaler Service Edge will honor Bandwidth Control policies based on known locations that have a Bandwidth Control policy applied.

So as long as the traffic is sourced from a location that is registered and Bandwidth Control is enabled on that location, then Bandwidth Control will be effective. This holds true to traffic that is using PAC, ZT1, ZT2, VPN or GRE to reach the Service Edge.

You are correct to say that Bandwidth Control will not be applied to traffic that is coming from an unknown location.


Thanks @racingmonk ! So, you are saying that this is perfectly fine and that as long as Z-Tunnel2.0 is sourced from a ‘known aka registered’ public IP address, then all ZT2.0 flows (from multiple users) and GRE traffic will be combined/aggregated before bandwidth control will be applied to that location?

I hope I’ve got it right

Yes, essentially what I am saying is the the Bandwidth Control policing - queueing of upload / downloads for different Bandwidth Classes will apply for a Known Location regardless of the traffic forwarding method used and the amount of users coming from that known location.

1 Like