Internet Break out

sd-wan
ipsec
gre

(Rajeev Srikant) #1

My scenario is below.

I have a branch location where I have a Router/SD-WAN device.
I will be using local internet breakout. I have the below set of networks.

Network A - Company 1 (Zscaler Account A)
Network B - Company 2 (Zscaler Account B)
Network C - Company 3 (Zscaler Account C)

2 ISPs - Each ISP Global static IP Address.

For all these networks I need to have local internet breakout.
Each group company network needs to have a separate GRE tunnel with Zscaler.
Each group company will have separate policies since they use different Zscaler accounts.
Query:
Is it possible to create multiple GRE tunnels, one for each network (the source IP and the destination Zscaler IP will be the same)?

How do I associate each GRE tunnel with its Zscaler account?

GRE Tunnel for Network A should use Zscaler Account A
GRE Tunnel for Network B should use Zscaler Account B
GRE Tunnel for Network C should use Zscaler Account C

Let me know if this is possible.


(Manoj Apte) #3

As far as I know, that is possible today only if you:

  1. can send the GRE from a different source IP for each company (you could do that by having a NAT pool on the router and using a different IP based on the VRF … assuming the users are on independent subnets), or
  2. have the different companies on different clouds on Zscaler.

Manoj


(Rajeev Srikant) #4

Thanks.
Since there is only 1 public IP, I need to use the same IP address. Only 1 source IP address.
Even in this case, will I be able to map different users on independent subnets to different accounts in Zscaler?
Is this possible?


(Nick Morgan) #5

Certainly you cannot register the same source IP address in 3 separate Zscaler accounts on the same Zscaler cloud. Since GRE requires a fixed source IP, GRE will not be appropriate.

If the router/SDWAN solution supports multiple IPSec VPN tunnels from the same source IP to the same destination IP/hostname, it might be possible by using FQDN/aggressive mode IPSec VPN tunnels (one for each of your subnets), although this is not something I have tested.


(Rajeev Srikant) #6

Understood that GRE is not the option and IPSec is the recommended one.
In my scenario, what is recommended?

The 3 networks don't talk to each other. I need internet breakout for these 3 networks.
They belong to 3 different group companies but are located in the same location behind 1 SD-WAN.
1 global IP as the SD-WAN interface.

My understanding is below

  1. IPSec tunnel to Zscaler. The 3 networks have individual IPSec tunnels.
  2. How does the segregation happen so that network A uses Zscaler profile A, B uses Zscaler profile B, …?
    Does it happen based on domain, or some other configuration?

I am not clear, since all 3 networks reach Zscaler through the internet breakout.
After this, how does the segregation happen, in terms of Network A users contacting account 1 of Zscaler and Network B users contacting account 2 of Zscaler?


(Nick Morgan) #7

I’d recommend liaising with your local Zscaler sales team and SDWAN supplier in order to test whether your requirements can be met.


(Rajeev Srikant) #8

OK, sure.
Got it, will do it.