Configuring Breakout on SD-WAN Sites
The following is the workflow for configuring breakout (local breakout [underlay], backhaul [central breakout], or cloud breakout):
- Before configuring breakout, ensure that you complete the following tasks:
  - Add, configure, and activate at least one cloud hub site. See Adding Cloud Hub Sites for SD-WAN Deployment.
  - (Optional) If you are using gateway sites, add, configure, and activate one or more gateway sites. See Adding Gateway Sites for SD-WAN Deployments.
  - Add, configure, and activate one or more on-premise spoke sites. See Adding On-Premise Spoke Sites for SD-WAN Deployment.
  - (Optional) If you are using application-based breakout, ensure that you install the application ID license (if it is required for the device) and signatures on the devices (associated with the sites).
- Depending on the type of breakout you are configuring, add one or more breakout profiles for the following types of breakout:
  - Local breakout (underlay)
  - Backhaul (central breakout)
- For cloud breakout, add cloud breakout settings and then assign the cloud breakout settings to one or more on-premise spoke or gateway sites. See Adding Cloud Breakout Settings and Assigning Cloud Breakout Settings to Sites.
- Add one or more SD-WAN policy intents in which you reference the previously added breakout profiles. See Creating SD-WAN Policy Intents.
- Deploy the SD-WAN policy. See Deploying Policies.
- Configure firewall policy intents to allow Internet-bound traffic from the sites or departments for which you configured breakout (through the SD-WAN policy intent). See Creating Firewall Policy Intents.
- Deploy the firewall policy. See Deploying Policies.
- For cloud breakout using Zscaler, ensure that the user IDs in the Zscaler account are configured as follows:
  - Site-Name.primary.1@Tenant-Name.com for the primary tunnel
  - Site-Name.backup.1@Tenant-Name.com for the secondary tunnel

  Where Site-Name is the name of the site (in CSO) for which the breakout is configured and Tenant-Name is the name of the tenant (in CSO) to which the site belongs.