Configuring Breakout on SD-WAN Sites
The following is the workflow for configuring breakout (local breakout [underlay], backhaul [central breakout], or cloud breakout):
- Before configuring breakout, ensure that you complete the following tasks:
  - If you are using enterprise hub sites, add, configure, and activate one or more enterprise hub sites. See Adding Enterprise Hubs with SD-WAN Capability or SD-WAN and LAN Capabilities.
  - Add, configure, and activate one or more on-premise spoke sites with SD-WAN capability. See Adding an On-Premise Spoke Site with SD-WAN Capability.
    Note: You must attach an on-premise spoke site with SD-WAN capability to a provider hub site, to an enterprise hub site, or to both.
  - (Optional) If you are using application-based breakout, ensure that you install the application ID license (if it is required for the device) and the signatures on the devices associated with the sites.
- Depending on the type of breakout you are configuring, add one or more breakout profiles for the following types of breakout:
  - Local breakout (underlay)
  - Backhaul (central breakout)
  - Cloud breakout
- For cloud breakout, add cloud breakout settings and then assign the cloud breakout settings to one or more on-premise spoke or enterprise hub sites. See Adding Cloud Breakout Settings and Assigning Cloud Breakout Settings to Sites.
- Add one or more SD-WAN policy intents in which you reference the previously added breakout profiles. See Creating SD-WAN Policy Intents.
- Deploy the SD-WAN policy. See Deploying Policies.
- Configure firewall policy intents to allow Internet-bound traffic from the sites or departments for which you configured breakout (through the SD-WAN policy intent). See Adding Firewall Policy Intents.
- Deploy the firewall policy. See Deploying Policies.
- For cloud breakout using Zscaler, ensure that the user IDs in the Zscaler account are configured as follows:
  - Site-Name.primary.1@Tenant-Name.com for the primary tunnel
  - Site-Name.backup.1@Tenant-Name.com for the secondary tunnel
  where Site-Name is the name of the site (in CSO) for which the breakout is configured and Tenant-Name is the name of the tenant (in CSO) to which the site belongs.
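As an added check (example code written for this page, not part of the CSO or Zscaler products), the following Python compares the user IDs present in a Zscaler account against the naming convention above for a list of CSO sites and reports missing, malformed, or wrongly scoped IDs. The site names, tenant name, and user IDs are constructed samples, and treating the comparison as case-sensitive is an assumption.

```python
import re

# Naming rule stated on this page: <Site-Name>.<primary|backup>.1@<Tenant-Name>.com
# Site-Name is matched non-greedily so site names may contain dots; the match is
# case-sensitive, which is an assumption about how Zscaler compares user IDs.
USER_ID_RE = re.compile(
    r"^(?P<site>.+?)\.(?P<role>primary|backup)\.1@(?P<tenant>[^@]+)\.com$"
)

def expected_user_ids(site, tenant):
    """Return the (primary, backup) user IDs CSO expects for one site."""
    return (f"{site}.primary.1@{tenant}.com", f"{site}.backup.1@{tenant}.com")

def check_zscaler_user_ids(sites, tenant, user_ids):
    """Compare the user IDs present in a Zscaler account with the CSO naming
    convention. Returns a sorted list of problem descriptions; an empty list
    means every site has a correctly named primary and backup ID."""
    found = {site: set() for site in sites}   # site -> roles seen
    problems = []
    for uid in user_ids:
        match = USER_ID_RE.match(uid)
        if not match:
            problems.append(f"{uid}: does not match Site-Name.<primary|backup>.1@Tenant-Name.com")
            continue
        site, role, uid_tenant = match.group("site", "role", "tenant")
        if site not in found:
            problems.append(f"{uid}: site '{site}' is not a CSO site configured for cloud breakout")
        elif uid_tenant != tenant:
            problems.append(f"{uid}: tenant '{uid_tenant}' does not match CSO tenant '{tenant}'")
        else:
            found[site].add(role)
    for site in sites:
        primary_id, backup_id = expected_user_ids(site, tenant)
        if "primary" not in found[site]:
            problems.append(f"{site}: missing {primary_id} for the primary tunnel")
        if "backup" not in found[site]:
            problems.append(f"{site}: missing {backup_id} for the secondary tunnel")
    return sorted(problems)

# Constructed sample data (not from a real deployment).
SITES = ["branch-lon", "branch-par"]
TENANT = "acme"
ZSCALER_USER_IDS = [
    "branch-lon.primary.1@acme.com",
    "branch-lon.backup.1@acme.com",
    "branch-par.primary.1@acme.com",
    "branch-par.backup.1@other.com",   # wrong tenant
    "branch-ber.primary.1@acme.com",   # site not configured for breakout in CSO
    "svc-account@acme.com",            # not a tunnel user ID at all
]
```

Running `check_zscaler_user_ids(SITES, TENANT, ZSCALER_USER_IDS)` on the sample data reports four problems: the foreign-tenant ID, the resulting missing backup ID for branch-par, the unknown site, and the malformed account.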