
I have a hosted service (think zScaler™) that is having me send my traffic to it via GRE tunnels. I am given two appliances and want to load balance my traffic between the two tunnels.

I could always statically carve out the network but I would rather not do that.

My proposed solution is that I could create two equal cost routes between the two tunnels, but wouldn't this balance on a per-packet basis? Therefore some of the stream would go through one tunnel and some through another. I want to avoid this since it makes troubleshooting difficult, will cause issues with the appliances tracking connections, and will likely cause issues with SSL inspection.

Is there a way, either appliance based or otherwise (I own the security equipment and can stand a load balancer up in front of it) to balance GRE tunnels based on the source IP of the originating client? Therefore client X always goes through GRE tunnel A and client Y goes through GRE tunnel B.

My networking equipment is standard Cisco L3 Switches and ASAs.

1 Answer

Using packet-based equal cost balancing does not work with GRE as it will introduce reordering in the packet streams and break them. You seem to actually want conntrack-based multipath routing, which can be easily configured on any Linux-based router/firewall. Multipath routing based on IP addresses is even simpler to configure.

grandrew
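The "multipath based on IP addresses" variant of the answer, as an added example that is not part of the original answer or of any vendor's documentation: a Linux router placed in front of the ASA marks each client packet with a hash of its source address before GRE encapsulation, and policy routing sends mark 1 down one tunnel and mark 2 down the other, so a given client always lands on the same appliance. The public address, the two tunnel endpoints, the client range, the table numbers and the hash seed are assumptions; change them for your network. By default the script only prints the commands it would run; set `APPLY=1` to execute them as root.

```shell
#!/bin/sh
# Added example, not code from the original post. Splits client traffic across
# two GRE tunnels by source IP on a Linux router. All addresses below are
# assumed placeholders (RFC 5737 documentation ranges).

LOCAL_IP="${LOCAL_IP:-198.51.100.10}"   # assumed: public address of this router
PEER_A="${PEER_A:-203.0.113.1}"         # assumed: appliance A tunnel endpoint
PEER_B="${PEER_B:-203.0.113.2}"         # assumed: appliance B tunnel endpoint
CLIENTS="${CLIENTS:-10.0.0.0/8}"        # assumed: internal client range
SEED="${SEED:-0xdeadbeef}"              # fixed seed keeps the mapping stable across reboots

# Dry run by default: print each command; with APPLY=1 actually execute it.
run() {
    if [ "${APPLY:-0}" = "1" ]; then "$@"; else echo "$*"; fi
}

# Illustrative picker with the same property as the nftables rule below: the
# tunnel is a deterministic function of the source address alone, so every
# packet from one client takes one tunnel. This toy hash (sum of octets mod 2)
# is NOT the kernel's jhash and will not reproduce the kernel's choice; it only
# shows the stability property that per-packet ECMP lacks.
tunnel_for_src() {
    octets=$(echo "$1" | tr '.' ' ')
    set -- $octets
    h=$(( ($1 + $2 + $3 + $4) % 2 + 1 ))
    echo "gre$h"
}

# One GRE tunnel per appliance, one routing table per tunnel, and a policy rule
# that maps firewall mark N to table 10N.
setup_tunnels() {
    run ip tunnel add gre1 mode gre local "$LOCAL_IP" remote "$PEER_A" ttl 64
    run ip tunnel add gre2 mode gre local "$LOCAL_IP" remote "$PEER_B" ttl 64
    run ip link set gre1 up
    run ip link set gre2 up
    run ip route add default dev gre1 table 101
    run ip route add default dev gre2 table 102
    run ip rule add fwmark 1 table 101
    run ip rule add fwmark 2 table 102
}

# Mark forwarded client packets in prerouting, i.e. before encapsulation, with
# jhash(source address) mod 2, offset 1, giving mark 1 or 2 per client.
setup_marking() {
    run nft add table ip split
    run nft add chain ip split pre '{ type filter hook prerouting priority mangle; }'
    run nft add rule ip split pre ip saddr "$CLIENTS" \
        meta mark set jhash ip saddr mod 2 seed "$SEED" offset 1
}

setup_tunnels
setup_marking
```

Because the mark depends only on the client address, all of a client's connections, including the two legs of an SSL-inspected session, stay on one appliance, and a failure of one tunnel strands the clients hashed to it unless you add tunnel health checking and rewrite the rule. If you want the conntrack-based variant from the answer instead, compute the mark only for `ct state new` and copy it into the connection's `ct mark`, then restore it from `ct mark` for subsequent packets; the policy-routing half stays the same.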