Understand Breakout in CSO
Breakout is an SD-WAN feature that enables Internet links to break out traffic directly from a site. For example, if you want to provide guests who visit your enterprise with Internet access, you can use local breakout to break out guest traffic locally from the site directly to the Internet.
In CSO, site-to-site traffic between spoke sites of a tenant is sent (on overlay tunnels) directly from one site to another depending on the tenant topology or through the provider hub or enterprise hub associated with the spoke sites. However, for Internet-bound or Software as a Service (SaaS) traffic, you can break out the traffic in different ways:
Local breakout—The traffic exits the VPN directly at the site and goes to the destination.
Backhaul or central breakout—The traffic exits the VPN at the provider hub or at the enterprise hub (based on the hub associated with the spoke site) and then goes to the destination.
Cloud breakout—The traffic is sent from the site to a designated cloud-based security platform instead of traffic being sent over an underlay.
Currently, Zscaler is the only cloud-based security platform supported.
In CSO, to configure breakout on an on-premise spoke site, cloud spoke site, or enterprise hub site, you must do the following:
- Enable local breakout on one or more Internet WAN links of a site.
- Add a breakout profile.
- For cloud breakout, you must add settings for cloud breakout and apply the settings on the site.
- Add an SD-WAN policy intent that references the breakout profile.
- Deploy the SD-WAN policy.