Configuring GRE tunnels

April 17, 2024

ID 205379

Prerequisites for configuring GRE tunnels

  • GRE keepalive must be disabled.
  • Traffic in the tunnel must be symmetric.
  • Traffic is transmitted over only one tunnel at any point in time.
  • Tunnels must be terminated at IP addresses that are not included in the switched PI (provider-independent) subnet pool. It is recommended to terminate tunnels at /30 PA (provider-aggregatable) addresses of the provider's network for BGP peering.

Description

GRE tunnels are configured with a Full Mesh topology (each Customer channel connects to each Kaspersky DDoS Protection Scrubbing Center). Traffic is transmitted over only one tunnel at any point in time. The other tunnels are necessary to ensure fault tolerance.

For this reason, you must make sure that the volume of traffic sent to the Scrubbing Center does not exceed the capacity of each communication channel. It is preferable that each communication channel have a capacity 30% larger than the average volume of traffic sent to the Scrubbing Center. This is necessary to preserve stable availability of the Protected resource when there are surges of traffic.

Clean traffic from the Scrubbing Center will pass through these tunnels. Traffic in a tunnel must be symmetric, which means that the outbound traffic of Protected resources must also return through the same tunnel.
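
The prerequisites and capacity guidance above can be checked against a tunnel plan before deployment. The following is an added example, not Kaspersky tooling: the plan layout, the names (`preflight`, `SAMPLE_PLAN`, `isp-a`, `sc-1`) and the documentation-range addresses are assumptions made for illustration. Traffic symmetry and single-tunnel forwarding are runtime properties and are not covered by this static check.

```python
import ipaddress
from itertools import product

HEADROOM = 1.30  # page guidance: capacity 30% above average traffic to the Scrubbing Center

# Constructed sample plan; names and documentation-range addresses are hypothetical.
SAMPLE_PLAN = {
    "channels": {"isp-a": 1000, "isp-b": 500},   # channel -> capacity, Mbit/s
    "scrubbing_centers": ["sc-1", "sc-2"],
    "pi_subnets": ["203.0.113.0/24"],            # switched PI subnet pool
    "avg_mbps": 400,                             # average traffic sent for scrubbing
    "tunnels": [
        {"channel": "isp-a", "sc": "sc-1", "local": "192.0.2.1", "keepalive": False},
        {"channel": "isp-a", "sc": "sc-2", "local": "192.0.2.5", "keepalive": False},
        {"channel": "isp-b", "sc": "sc-1", "local": "203.0.113.9", "keepalive": True},
    ],
}

def preflight(plan):
    """Return findings for the statically checkable prerequisites (empty list = pass)."""
    findings = []
    pool = [ipaddress.ip_network(n) for n in plan["pi_subnets"]]
    tunnels = {(t["channel"], t["sc"]): t for t in plan["tunnels"]}
    # Full Mesh: every customer channel needs a tunnel to every Scrubbing Center.
    for ch, sc in product(plan["channels"], plan["scrubbing_centers"]):
        if (ch, sc) not in tunnels:
            findings.append(f"{ch}->{sc}: tunnel missing from full mesh")
    for (ch, sc), t in tunnels.items():
        endpoint = ipaddress.ip_address(t["local"])
        # Tunnels must terminate outside the switched PI subnet pool.
        if any(endpoint in net for net in pool):
            findings.append(f"{ch}->{sc}: endpoint {endpoint} is inside the PI pool")
        if t["keepalive"]:
            findings.append(f"{ch}->{sc}: GRE keepalive is enabled")
    # Only one tunnel is active at a time, so each channel alone must carry the load.
    need = plan["avg_mbps"] * HEADROOM
    for ch, cap in plan["channels"].items():
        if cap < need:
            findings.append(f"{ch}: {cap} Mbit/s is below {need:.0f} Mbit/s")
    return findings

if __name__ == "__main__":
    for line in preflight(SAMPLE_PLAN):
        print(line)
```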
