Part 1: Cisco SDWAN with Zscaler as SIA

Cisco SDWAN with Zscaler as Secure Internet Access

This article covers secure local internet breakout by combining Cisco SD-WAN with Zscaler Internet Access (ZIA). With Cisco SD-WAN, the network administrator chooses which traffic is forwarded to Zscaler over GRE or IPSec tunnels.

Consider a Cisco SD-WAN network with two transports (MPLS and internet) and SD-WAN controllers reachable over the internet. A data center and two branch sites are shown. For corporate traffic, SD-WAN fabric (IPSec) tunnels are built between the WAN Edge routers at each site.

Fig 1.1 - Cisco SDWAN with Zscaler as SIA

To reach the internet and SaaS applications, each branch router builds a pair of GRE or IPSec tunnels to the ZIA Public Service Edge. If the local internet transport fails, internet-bound traffic can still be carried over the SD-WAN overlay across MPLS.

Starting with Cisco SD-WAN vManage 20.6 and Cisco IOS XE SD-WAN 17.6, up to four pairs of active/standby IPSec tunnels to Zscaler can be configured automatically.

Cisco IOS XE SD-WAN routers also support automatic IPSec tunnels to Zscaler with Layer 7 (L7) health checking; support for these automatic Zscaler tunnel health checks likewise starts in vManage 20.6 and IOS XE SD-WAN 17.6.

Zscaler Tunnels
Zscaler accepts both Generic Routing Encapsulation (GRE) and Internet Protocol Security (IPSec) tunnels from edge devices; the ZIA Public Service Edge is the first hop that internet traffic passes through.

GRE (IP protocol 47) carries no transport-layer ports, so a Port Address Translation (PAT) device has nothing to multiplex on and cannot translate GRE packets. Static or dynamic one-to-one NAT can still rewrite the source IP address of a GRE packet, because one inside address maps to one publicly routable address and no ports need to be mapped.

IPSec data packets use Encapsulating Security Payload (ESP, IP protocol 50), which likewise has no ports and cannot pass through a PAT device. NAT traversal (NAT-T) solves this by encapsulating ESP in UDP port 4500. If both ends of the IPSec connection support NAT-T, NAT-Discovery (NAT-D) payloads are exchanged during the ISAKMP negotiation to detect whether a NAT sits in the path, and UDP encapsulation is used when one is found.
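The following is an added example, not code from the original article or from Cisco or Zscaler: a toy PAT device and the IKE NAT-Discovery hash, run over constructed packets. It shows why two inside hosts using GRE or raw ESP to the same ZIA edge collide behind PAT (no port to overload on), while NAT-T traffic on UDP/4500 is multiplexed like any other UDP flow. All addresses, cookies and the Packet/Pat types are assumptions made for the illustration.

```python
"""Toy PAT device plus RFC 3947 NAT-D check over constructed packets.
Added example; addresses and cookies are placeholders, not real endpoints."""
import hashlib
import socket
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PROTO_UDP, PROTO_GRE, PROTO_ESP = 17, 47, 50
NAT_T_PORT = 4500
PUBLIC_IP = "198.51.100.1"   # constructed RFC 5737 address: PAT outside interface
ZIA_EDGE = "203.0.113.10"    # constructed placeholder for a ZIA Public Service Edge


@dataclass(frozen=True)
class Packet:
    proto: int
    src_ip: str
    dst_ip: str
    src_port: Optional[int] = None   # None for protocols without a transport header
    dst_port: Optional[int] = None


class Pat:
    """Many inside hosts behind one public IP, keyed on (protocol, public port)."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.table: Dict[Tuple[int, Optional[int]], Tuple[str, Optional[int]]] = {}
        self.next_port = 1024

    def translate_out(self, pkt: Packet) -> Optional[Packet]:
        """Return the translated packet, or None if PAT cannot carry it."""
        inside = (pkt.src_ip, pkt.src_port)
        if pkt.src_port is None:
            # No port to rewrite: the only key left is the protocol number, which
            # is a 1:1 mapping. A second inside host on the same protocol collides.
            key = (pkt.proto, None)
            if key in self.table and self.table[key] != inside:
                return None
            self.table[key] = inside
            return Packet(pkt.proto, self.public_ip, pkt.dst_ip)
        for (proto, pub_port), mapped in self.table.items():
            if proto == pkt.proto and mapped == inside:          # existing binding
                return Packet(pkt.proto, self.public_ip, pkt.dst_ip, pub_port, pkt.dst_port)
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.table[(pkt.proto, pub_port)] = inside                # new unique public port
        return Packet(pkt.proto, self.public_ip, pkt.dst_ip, pub_port, pkt.dst_port)


def translate_all(packets: List[Packet]) -> List[Optional[Packet]]:
    """Push packets through a fresh PAT device; None marks an untranslatable packet."""
    pat = Pat(PUBLIC_IP)
    return [pat.translate_out(p) for p in packets]


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """RFC 3947 NAT-D payload: HASH(CKY-I | CKY-R | IP | Port), SHA-1 for IKEv1."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()


def nat_in_path(cky_i: bytes, cky_r: bytes, claimed: Tuple[str, int], observed: Tuple[str, int]) -> bool:
    """Responder-side check: the initiator hashed its own (pre-NAT) address and port;
    the responder hashes the source it actually received the packet from. A mismatch
    means a NAT rewrote the address, so both peers switch to UDP/4500 encapsulation."""
    received_hash = nat_d_hash(cky_i, cky_r, *claimed)
    return received_hash != nat_d_hash(cky_i, cky_r, *observed)


# Constructed scenarios: two branch hosts behind one PAT talking to the same ZIA edge.
GRE_TWO_HOSTS = [Packet(PROTO_GRE, "10.1.1.1", ZIA_EDGE), Packet(PROTO_GRE, "10.1.1.2", ZIA_EDGE)]
ESP_TWO_HOSTS = [Packet(PROTO_ESP, "10.1.1.1", ZIA_EDGE), Packet(PROTO_ESP, "10.1.1.2", ZIA_EDGE)]
NAT_T_TWO_HOSTS = [Packet(PROTO_UDP, "10.1.1.1", ZIA_EDGE, NAT_T_PORT, NAT_T_PORT),
                   Packet(PROTO_UDP, "10.1.1.2", ZIA_EDGE, NAT_T_PORT, NAT_T_PORT)]

if __name__ == "__main__":
    for label, pkts in (("GRE", GRE_TWO_HOSTS), ("ESP", ESP_TWO_HOSTS), ("NAT-T", NAT_T_TWO_HOSTS)):
        print(label, [(p.src_ip, p.src_port) if p else "DROPPED" for p in translate_all(pkts)])
    cky_i, cky_r = b"\x01" * 8, b"\x02" * 8   # constructed ISAKMP cookies
    print("NAT detected:", nat_in_path(cky_i, cky_r, ("10.1.1.1", 500), (PUBLIC_IP, 500)))
```

The practical consequence for a branch: a single WAN Edge behind one-to-one NAT can run GRE to Zscaler, but a site that only has PAT must use IPSec with NAT-T, and the IKE peers will negotiate that themselves from the NAT-D mismatch.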

GRE tunnels into the Zscaler cloud offer higher throughput than IPSec tunnels. The bandwidth supported per tunnel depends on the Zscaler cloud and the ZIA Public Service Edge you connect to.

Zscaler Active/Standby Tunnel
At a site with two links (internet and MPLS), the tunnel pair can be built with either GRE or IPSec, but not both at the same time. Traffic is directed to Zscaler through the active tunnels either by routing or by policy.

Standby tunnels are fully established and ready. Traffic is not sent across a standby tunnel until its active partner is marked down or exceeds the latency threshold of the L7 health checks.

Equal-Cost Multi-Path

Active/active tunnel deployment is possible at sites with one or two internet connections: traffic is shared across all available tunnels, and if a tunnel becomes unreachable or exceeds the latency threshold, its traffic moves to the remaining tunnels.

In hybrid mode, if both internet transports go down, or all tunnels over the internet transports exceed the latency threshold, traffic can still follow the default route over the SD-WAN overlay and reach the data center across the third link, the MPLS transport.

From there, traffic can reach the internet through an on-premises Secure Internet Gateway (SIG) tunnel that originates from the data center hub router. In either arrangement, traffic falls back to the data center across the SD-WAN overlay if the ZIA Public Service Edge is no longer reachable.
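As an added example (not from the original article and not Cisco's implementation), the following Python models the tunnel selection described in the three sections above: active/standby pairs where the standby only carries traffic once its active partner is down or over the L7 latency threshold, ECMP (active/active) sharing across all healthy tunnels, and fallback to the default route over the SD-WAN overlay when no tunnel is usable. Tunnel names, transports, probe latencies and the 200 ms threshold are constructed inputs, not Cisco defaults; the four-pair limit is taken from the article.

```python
"""Branch-router tunnel selection from L7 health-check results.
Added example; tunnel names, probe values and the threshold are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

OVERLAY_FALLBACK = "default-route via SD-WAN overlay (MPLS) to DC hub"
MAX_PAIRS = 4   # the article's limit of four active/standby pairs per router


@dataclass
class Tunnel:
    name: str
    transport: str            # WAN interface the tunnel is sourced from
    up: bool = True           # tunnel/IKE state
    latency_ms: float = 30.0  # latest L7 (HTTP probe) health-check result


@dataclass
class SigPolicy:
    mode: str                                                       # "active-standby" or "ecmp"
    latency_threshold_ms: float = 200.0
    pairs: List[Tuple[Tunnel, Tunnel]] = field(default_factory=list)  # (active, standby)
    tunnels: List[Tunnel] = field(default_factory=list)               # ecmp members

    def __post_init__(self) -> None:
        if self.mode == "active-standby" and len(self.pairs) > MAX_PAIRS:
            raise ValueError(f"at most {MAX_PAIRS} active/standby pairs are supported")


def healthy(t: Tunnel, policy: SigPolicy) -> bool:
    """A tunnel is usable only if it is up and its L7 probe latency is within threshold."""
    return t.up and t.latency_ms <= policy.latency_threshold_ms


def usable_tunnels(policy: SigPolicy) -> List[Tunnel]:
    """Tunnels that may carry traffic right now.

    active-standby: per pair, the active if healthy, otherwise the standby if healthy.
    ecmp: every healthy tunnel; traffic is shared across all of them.
    """
    if policy.mode == "active-standby":
        chosen = []
        for active, standby in policy.pairs:
            if healthy(active, policy):
                chosen.append(active)
            elif healthy(standby, policy):
                chosen.append(standby)
        return chosen
    return [t for t in policy.tunnels if healthy(t, policy)]


def next_hop(policy: SigPolicy, flow_hash: int, overlay_up: bool = True) -> Optional[str]:
    """Pick the tunnel for one flow; fall back to the overlay when no tunnel is usable."""
    usable = usable_tunnels(policy)
    if usable:
        return usable[flow_hash % len(usable)].name   # per-flow hashing across usable tunnels
    return OVERLAY_FALLBACK if overlay_up else None


def steer(policy: SigPolicy, flows: int = 8, overlay_up: bool = True) -> Dict[str, int]:
    """Count how many of `flows` synthetic flows land on each next hop."""
    counts: Dict[str, int] = {}
    for h in range(flows):
        hop = next_hop(policy, h, overlay_up) or "dropped"
        counts[hop] = counts.get(hop, 0) + 1
    return counts


def branch_active_standby() -> SigPolicy:
    """Constructed branch: two internet transports, one active/standby pair on each."""
    return SigPolicy("active-standby", pairs=[
        (Tunnel("Tunnel100001", "internet1"), Tunnel("Tunnel100002", "internet1")),
        (Tunnel("Tunnel100003", "internet2"), Tunnel("Tunnel100004", "internet2")),
    ])


def branch_ecmp() -> SigPolicy:
    """Constructed branch: the same four tunnels, all active (ECMP)."""
    return SigPolicy("ecmp", tunnels=[
        Tunnel(f"Tunnel10000{i}", f"internet{(i + 1) // 2}") for i in range(1, 5)])


if __name__ == "__main__":
    p = branch_active_standby()
    print("all healthy:", steer(p))
    p.pairs[0][0].latency_ms = 450.0   # active of pair 1 breaches the L7 threshold
    print("pair-1 active slow:", steer(p))
    for a, s in p.pairs:
        a.up = s.up = False            # every internet tunnel down
    print("all tunnels down:", steer(p))
```

Note the asymmetry the model makes explicit: in active/standby mode a slow active tunnel hands over only to its own standby, while in ECMP mode the surviving members absorb the load, so the latency threshold should be set with the expected probe jitter in mind to avoid flapping between tunnels.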

Data Traffic Flow

Once the GRE or IPSec tunnels are established and up, there are two ways to steer user traffic into them:

  • Destination-based routing: Cisco SD-WAN adds a service route (typically a default route) whose next hop is the SIG service, so any traffic without a more specific route is sent to Zscaler.
  • Centralized data policy: a policy that matches traffic by prefix-lists and application lists and sends only the selected traffic to the SIG service, so you control exactly what reaches Zscaler.
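Added example (not from the original article, and not Cisco's forwarding code): a model of both steering methods from the list above on a branch router. A centralized data policy is evaluated first, sequence by sequence, and can send matched traffic to the SIG service; traffic it merely accepts falls through to the routing table, where a service route (here a default route) points at the SIG service and corporate prefixes stay on the overlay. The prefix-lists, app-lists, sequences and addresses are constructed for illustration.

```python
"""Data policy before routing: how a flow ends up on the SIG tunnels or the overlay.
Added example; lists, sequences and addresses are constructed, not a real policy."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SIG = "service sig"          # next hop: the Zscaler auto tunnels
OVERLAY = "sdwan overlay"    # next hop: fabric IPSec tunnels toward the data center

PREFIX_LISTS: Dict[str, List[str]] = {"corporate": ["10.0.0.0/8", "172.16.0.0/12"]}
APP_LISTS: Dict[str, List[str]] = {"saas": ["office365", "salesforce"]}

# Sequences are evaluated top-down and the first match wins, as in a vSmart data policy.
DATA_POLICY: List[Tuple[Dict[str, str], str]] = [
    ({"destination-prefix-list": "corporate"}, "accept"),  # internal traffic: normal routing
    ({"app-list": "saas"}, SIG),                           # selected SaaS apps straight to Zscaler
]
DEFAULT_ACTION = "accept"

# Destination-based routing: longest prefix wins; the service route is the default.
ROUTES: List[Tuple[str, str]] = [
    ("10.0.0.0/8", OVERLAY),
    ("172.16.0.0/12", OVERLAY),
    ("0.0.0.0/0", SIG),   # service route with next hop SIG
]


@dataclass(frozen=True)
class Flow:
    dst_ip: str
    app: Optional[str] = None   # application as classified by DPI, if known


def in_prefix_list(ip: str, name: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in PREFIX_LISTS[name])


def match_sequence(flow: Flow, match: Dict[str, str]) -> bool:
    """Every condition in a sequence must hold for the sequence to match."""
    for key, value in match.items():
        if key == "app-list" and flow.app not in APP_LISTS[value]:
            return False
        if key == "destination-prefix-list" and not in_prefix_list(flow.dst_ip, value):
            return False
    return True


def data_policy_action(flow: Flow) -> str:
    for match, action in DATA_POLICY:
        if match_sequence(flow, match):
            return action
    return DEFAULT_ACTION


def route_lookup(ip: str) -> str:
    """Longest-prefix match over ROUTES."""
    addr = ipaddress.ip_address(ip)
    candidates = [ipaddress.ip_network(p) for p, _ in ROUTES if addr in ipaddress.ip_network(p)]
    best = max(candidates, key=lambda n: n.prefixlen)
    return dict(ROUTES)[str(best)]


def forward(flow: Flow) -> Tuple[str, str]:
    """Return (next hop, reason) for a flow entering the service VPN on the branch."""
    if data_policy_action(flow) == SIG:
        return SIG, "data-policy"
    hop = route_lookup(flow.dst_ip)
    return hop, "service-route" if hop == SIG else "overlay-route"


if __name__ == "__main__":
    for f in (Flow("52.96.0.1", "office365"),   # SaaS: data policy sends it to SIG
              Flow("10.1.2.3"),                  # corporate: overlay via routing
              Flow("10.1.2.3", "office365"),     # corporate prefix wins, sequence order matters
              Flow("93.184.216.34")):            # any other internet destination: default service route
        print(f, "->", forward(f))
```

Sequence order is the security-relevant knob here: with the corporate prefix sequence first, an internal host that happens to be classified as a SaaS application still stays on the overlay; swap the two sequences and that traffic would leave through Zscaler instead.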