
Breakout and Breakout Profiles Overview


Site-to-site traffic between spoke sites of a tenant is sent on overlay tunnels, either directly from one site to another or through the hub or gateway site, depending on the tenant topology. However, for Internet-bound or Software as a Service (SaaS) traffic, you can break out the traffic in different ways:

  • Local breakout—The traffic exits the VPN directly at the site and goes to the destination.

  • Backhaul or central breakout—The traffic exits the VPN at the cloud hub or at the gateway site (if a gateway site is associated with the spoke site) and then goes to the destination.

  • Cloud breakout—The traffic is sent from the site to a designated cloud-based security platform instead of being sent directly over the underlay.

    Note

    In CSO Release 4.1.0, Zscaler is the only cloud-based security platform supported.

In CSO Release 4.0, only local breakout and central breakout (backhaul) are supported and the breakout option is enabled only at the site level. However, from CSO Release 4.1.0 onward, breakout is supported at the site, department, and application (cacheable only) levels by using breakout profiles that are applied using SD-WAN policy intents. Non-cacheable applications follow the site-specific or department-specific behavior as configured in the SD-WAN policy intent.

Note

For sites added in CSO Release 4.1.0 onward, you cannot configure breakout directly at the site level and must use breakout profiles referenced in SD-WAN policy intents for this purpose.

Breakout Profiles

The following three types of breakout profiles are supported in CSO:

  • Local breakout (underlay)

  • Backhaul (central breakout)

  • Cloud breakout

After you add a breakout profile, you must create an SD-WAN policy intent specifying the source (site, site group, or department) and application and the applicable breakout profile.

SD-WAN Policy Intents for Breakout and Precedence

For SD-WAN policy intents configured at different source endpoints, the following is applicable:

  • Site—A policy intent configured at the site level applies to all the departments within the site. In addition, by default, the site-level configuration is also applicable to all applications because the default configuration for applications is Any.

  • Department—A policy intent configured at the department level (for tenants with network segmentation enabled) overrides the policy intent configured at the site level. Similar to the behavior for the site-level policy intent, by default, a department-level policy intent is also applicable to all applications because the default configuration for applications is Any.

  • Application (cacheable only)—A policy intent (at the application level) where you specify one or more cacheable applications overrides the policy intent specified at either the department level or the site level only for the specified applications.

An example of the precedence of SD-WAN policy intents for breakout (from highest precedence to lowest precedence) is provided in Table 1. The SD-WAN policy intent number 1 has the highest priority and SD-WAN policy intent number 7 has the lowest priority.

Table 1: Precedence (Highest to Lowest) of SD-WAN Policy Intents for Breakout

  Intent Number | Site      | Department (Network Segmentation Enabled) | Application
  1             | Sunnyvale | Finance                                   | Outlook
  2             | Any       | Finance                                   | Outlook
  3             | Sunnyvale | Any                                       | Outlook
  4             | Sunnyvale | Finance                                   | Any
  5             | Any       | Finance                                   | Any
  6             | Sunnyvale | Any                                       | Any
  7             | Any       | Any                                       | Any
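The precedence rules above, worked through as an added illustration (this is not CSO's own matching code). The intents reproduce the Site/Department/Application rows of Table 1; the breakout profile names attached to them are assumed for illustration, and the ranking rule (application match outranks department match, which outranks site match) is inferred from the table order and the override statements above.

```python
from dataclasses import dataclass
from typing import List, Optional

ANY = "Any"  # the default value for site, department and application in an intent


@dataclass(frozen=True)
class Intent:
    number: int             # intent number as listed in Table 1
    site: str               # site name or "Any"
    department: str         # department name or "Any"
    application: str        # cacheable application name or "Any"
    breakout_profile: str   # assumed profile name, for illustration only


# Constructed intents mirroring Table 1; profile names are assumptions.
TABLE_1: List[Intent] = [
    Intent(1, "Sunnyvale", "Finance", "Outlook", "cloud-breakout-profile"),
    Intent(2, ANY,         "Finance", "Outlook", "cloud-breakout-profile"),
    Intent(3, "Sunnyvale", ANY,       "Outlook", "local-breakout-profile"),
    Intent(4, "Sunnyvale", "Finance", ANY,       "backhaul-profile"),
    Intent(5, ANY,         "Finance", ANY,       "backhaul-profile"),
    Intent(6, "Sunnyvale", ANY,       ANY,       "local-breakout-profile"),
    Intent(7, ANY,         ANY,       ANY,       "backhaul-profile"),
]


def specificity(intent: Intent) -> tuple:
    # Higher tuple wins. Ordering the fields application, department, site
    # reproduces the highest-to-lowest order of Table 1 exactly.
    return (intent.application != ANY, intent.department != ANY, intent.site != ANY)


def select_intent(intents: List[Intent], site: str, department: str,
                  application: str, cacheable: bool) -> Optional[Intent]:
    # A non-cacheable application never matches an application-level intent:
    # it follows the site- or department-level behavior, so match it as "Any".
    app = application if cacheable else ANY

    def matches(i: Intent) -> bool:
        return ((i.site == ANY or i.site == site)
                and (i.department == ANY or i.department == department)
                and (i.application == ANY or i.application == app))

    candidates = [i for i in intents if matches(i)]
    if not candidates:
        return None
    # Among intents of equal specificity the first listed wins (a tie the table does not show).
    return max(candidates, key=specificity)
```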

Benefits of Breakout Profiles

  • Breakout profiles used in intent-based Internet breakout policies (through SD-WAN policy intents) give users granular control over the Internet breakout behavior for specific applications.