Configuring LAN-Side Internet Breakout on SteelHead SD
This topic describes how to configure LAN-side internet breakout on SteelHead SD appliances. It includes these topics:
Overview of LAN-side internet breakout on SteelHead SD
Configuring LAN-side internet breakout
Troubleshooting
These procedures describe LAN-side internet breakout for SteelHead SD 570-SD, 770-SD, and 3070-SD appliances and the SteelConnect SDI-2030 gateway at the branch. For additional information, see the SteelConnect Manager User Guide.
Overview of LAN-side internet breakout on SteelHead SD
With LAN-side internet breakout, you are able to forward internet-bound traffic on the LAN-side of the network and avoid backhauling internet traffic. For details on internet breakout, see Supported topologies in the SteelConnect Manager User Guide.
Prior to SteelConnect 2.12, internet breakout was only supported on the WAN-side of the network. Internet breakout on the WAN-side of the network can occur in one of the following ways:
Sending the packet to Zscaler or Cloudi-Fi over tunnels to the Zen nodes that break out from the cloud firewalls.
Locally using a direct-to-internet uplink or any other internet-capable uplink.
Overlaying the packet to the data center (DC) remote site, where it breaks out from the DC site.
You configure LAN-side internet breakout by enabling the Underlay option for internet-bound traffic as a breakout preference. The Underlay option is available at the organization, site, and zone level. Alternatively, you can configure the Underlay option as a preferred path in a traffic rule.
Specific routes are given higher preference than the default route, so if the internet-bound traffic has a specific route available on the appliance, the appliance honors that specific route irrespective of the configured internet breakout preference.
When the Underlay option is the preferred breakout option, make sure that a default route is available on the appliance so that the internet traffic is routed on the interface from where the default route (0.0.0.0/0) is learned. You can configure underlay internet breakout on any interface, not just the LAN interface.
 
The default route may not be learned from the LAN side. The traffic is applied to the interface on which the default route is learned. If the default route is learned from a WAN uplink and the internet breakout preference is underlay, the traffic is put on that uplink. If the default route is learned from the LAN side, the traffic is put on the LAN interface.
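The route-selection behavior described above can be modeled to check, before enabling Underlay, which interface internet-bound traffic would leave on. This is an added example, not SteelConnect code: it is a simplified longest-prefix-match model, and the route table, the wan0_0 interface name, and the function names are constructed assumptions.

```python
import ipaddress

# Constructed sample route table: (prefix, interface the route was learned on).
# "wan0_0" and the prefixes are illustrative assumptions, not values from the page.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "lan0_0"),        # default route learned from the LAN side
    ("203.0.113.0/24", "wan0_0"),   # a specific route learned from a WAN uplink
]


def best_route(dest, routes):
    """Longest-prefix match: return (network, interface) or None if nothing matches."""
    addr = ipaddress.ip_address(dest)
    matches = [
        (net, iface)
        for net, iface in ((ipaddress.ip_network(p), i) for p, i in routes)
        if addr in net
    ]
    return max(matches, key=lambda m: m[0].prefixlen) if matches else None


def underlay_egress(dest, routes):
    """Model where internet-bound traffic leaves when the breakout preference is Underlay."""
    match = best_route(dest, routes)
    if match is None:
        # No specific route and no 0.0.0.0/0: underlay breakout has no path.
        return {"dest": dest, "interface": None, "via": "no default route"}
    net, iface = match
    via = "default route" if net.prefixlen == 0 else "specific route"
    return {"dest": dest, "interface": iface, "via": via}


def audit(dests, routes, expected_iface):
    """Return the destinations that would not leave on the expected interface."""
    results = (underlay_egress(d, routes) for d in dests)
    return [r for r in results if r["interface"] != expected_iface]


if __name__ == "__main__":
    for row in audit(["198.51.100.7", "203.0.113.9"], SAMPLE_ROUTES, "lan0_0"):
        print(row)
```

A destination flagged by audit() is one where a specific route, or a default route learned elsewhere, overrides the intended LAN-side breakout.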
Configuring LAN-side internet breakout
This section describes how to configure LAN-side internet breakout at the organization, site, and zone level. You can also configure the Underlay option under Traffic Rules.
To configure LAN-side internet breakout at the organization level
1. Choose Organization.
2. Select the Networking Defaults tab.
Configuring internet breakout at the organization level
3. Click the search selector and select Underlay.
4. Click Submit.
To configure LAN-side internet breakout at the site level
1. Choose Network Design > Sites.
2. Select the site to expand the page.
3. Select the WAN/AutoVPN tab.
Configuring internet breakout at the site level
4. Click the search selector and select Underlay.
5. Click Submit.
To configure LAN-side internet breakout at the zone level
1. Choose Network Design > Zones.
2. Select the site to expand the page.
3. Select the WAN tab.
Configuring internet breakout at the zone level
4. Click the search selector and select Underlay.
When sending traffic to the internet, the default behavior is to use direct internet uplinks (local breakout). You can also use RouteVPN, WANs, or underlay routing as alternative breakouts. Some of these options require that you specify the default site that will handle the breakout rule.
5. Click Submit.
To configure LAN-side internet breakout in a traffic rule
1. Choose Rules > Traffic Rules.
2. Select the site to expand the page.
3. Click New Traffic Rule.
4. Specify the traffic rule options. For details, see the SteelConnect Manager User Guide.
Configuring internet breakout in a traffic rule
5. Click the search selector in the Path preference field and select Underlay.
6. Click Submit.
Troubleshooting
Enter the show connections CLI command to verify that the TX path is underlay. The Outgoing Interface shows the LAN interface, which means the default route was learned from the LAN interface. For example:
show connections
Enter the tcpdump command to run a packet trace on the LAN interface, for example:
tcpdump -i lan0_0 port 5005 -nn
For details on the SteelHead SD CLI, see Using the CLI on SteelHead SD appliances in the SteelConnect Manager User Guide.