Load balancing between two (or more) GRE tunnels

gre, load balancing, networking, routing

I have a hosted service (think zScaler™) that is having me send my traffic to it via GRE tunnels. I am given two appliances and want to load balance my traffic between the two tunnels.

I could always statically carve out the network but I would rather not do that.

My proposed solution is that I could create two equal-cost routes between the two tunnels, but wouldn't this balance on a per-packet basis? Therefore some of the stream would go through one tunnel and some through another. I want to avoid this since it makes troubleshooting difficult, will cause issues with the appliances tracking connections, and will likely cause issues with SSL inspection.

Is there a way, either appliance based or otherwise (I own the security equipment and can stand a load balancer up in front of it) to balance GRE tunnels based on the source IP of the originating client? Therefore client X always goes through GRE tunnel A and client Y goes through GRE tunnel B.

My networking equipment is standard Cisco L3 Switches and ASAs.

Best Answer

Using packet-based equal-cost balancing does not work with GRE as it will introduce reordering in the packet streams and break them. You seem to actually want conntrack-based multipath routing, which can be easily configured on any Linux-based router/firewall. Multipath routing based on IP addresses is even simpler in configuration.
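A concrete form of the source-address multipath the answer mentions, as an added example that is not part of the original answer: Linux policy routing with one routing table per tunnel and one `ip rule` per client subnet, so a given source prefix always leaves through the same tunnel. The interface names gre1/gre2, the table and priority numbers, and the sample subnets are assumptions.

```shell
#!/bin/sh
# Added example (not from the question or the answer): pin each client subnet
# to one GRE tunnel with Linux policy routing, so all packets of a flow from a
# given source take the same tunnel and no per-packet ECMP reordering occurs.
# Assumptions: gre1 and gre2 already exist; client subnets arrive on stdin,
# one CIDR per line. DRY_RUN=1 prints the ip(8) commands (a real run needs root).
set -eu
TUNNELS="gre1 gre2"   # ordered list of tunnel interfaces (assumed names)
BASE_TABLE=100        # tunnel N (1-based) uses routing table BASE_TABLE+N
BASE_PRIO=1000        # ip rule priority range owned by this script
DRY_RUN=${DRY_RUN:-0}

run() { if [ "$DRY_RUN" = "1" ]; then echo "$*"; else "$@"; fi; }

# Deterministic mapping: the i-th subnet (0-based) goes to tunnel i mod N.
# Prints "<cidr> <tunnel> <table>" for each input line.
assign_subnets() {
  n=$(set -- $TUNNELS; echo $#)
  i=0
  while IFS= read -r cidr; do
    [ -n "$cidr" ] || continue
    idx=$((i % n))
    tun=$(set -- $TUNNELS; shift "$idx"; echo "$1")
    echo "$cidr $tun $((BASE_TABLE + idx + 1))"
    i=$((i + 1))
  done
}

# One table per tunnel holding only a default route through that tunnel. If a
# tunnel interface goes down the kernel drops that route, the rule's lookup
# finds nothing and falls through to the main table's fallback route.
install_tables() {
  idx=0
  for tun in $TUNNELS; do
    idx=$((idx + 1))
    run ip route replace default dev "$tun" table $((BASE_TABLE + idx))
  done
}

# One source-based rule per client subnet: only the source prefix selects the
# tunnel, so a client's connections never straddle both tunnels.
install_rules() {
  prio=$BASE_PRIO
  assign_subnets | while read -r cidr tun table; do
    run ip rule add from "$cidr" lookup "$table" priority "$prio"
    prio=$((prio + 1))
  done
}
if [ "${1:-}" = "apply" ]; then install_tables; install_rules; fi
```

Run it as `printf '10.0.1.0/24\n10.0.2.0/24\n' | DRY_RUN=1 sh pin-gre.sh apply` to review the generated commands before applying them for real.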
