SD-WAN - Local internet breakout

I am looking to achieve local internet breakout from my branch using Cisco SD-WAN.


- Users accessing Internet web sites should go through Zscaler.

- Users accessing O365 and Microsoft Teams should have direct internet breakout.


Let me know how to achieve this with SD-WAN.

Basic questions:

- To achieve internet breakout, is it required to have a proxy or any other device in the branch apart from the SD-WAN device?

- Is it required to advertise a public IP address into my branch network to have local internet breakout?

- Will Cisco SD-WAN be able to understand O365 traffic?

- Should the PCs in the branch network have a public DNS server IP in their settings?

Cisco Employee


You can certainly achieve that with Cisco SD-WAN.
To cover your questions:

- No proxy is required. The edge router (vEdge/cEdge) becomes your NAT gateway for the traffic that you need to send directly to the Internet.
- You just need a transport link with public internet access at the branch.
- Yes, DPI will detect O365.
- The PCs should use a DNS that can resolve Internet addresses.

Required steps:

1) You need to enable NAT under the transport interface (the public Internet access interface).
2) You need to define a policy to identify the traffic you want to NAT. Below is a sample policy that I'm using in my fabric today:

vpn-list XXX_VPN_6
 sequence 1
  match
   source-data-prefix-list XXX_GUEST-WIFI
   destination-data-prefix-list XXX_NO_NAT
  !
  action accept
   count NO_NAT_COUNTER_97969904
  !
 !
 sequence 11
  match
   source-data-prefix-list XXX_GUEST-WIFI
  !
  action accept
   count GUEST-NAT_97969904
   nat use-vpn 0
   no nat fallback
  !
 !
 default-action accept
!

3) Apply the above in the outbound direction of the site (in the centralised policy).


Regarding the below point, what is the recommended practice?


- The PCs should use a DNS that can resolve Internet addresses.


Normally in any branch network, the PCs use a DNS server, which is normally an internal DNS server.

It can only resolve internal URLs. So how does the setup or configuration need to be done for resolving external URLs?

Is the standard practice to add public DNS IPs to the PCs in the branch, or is there any alternate solution?

If a public DNS needs to be given, then we need to advertise the public IP address into our network. Correct me if I am wrong.



You have to set up the zone as you already have. Add each record for the entire domain. The sub-domains will point to internal IP addresses, and the hosted sites will simply point to external IP addresses. Not a big deal unless you have a ton of sites under that domain.


Internal domain is domain.local, external is  You will set up both zones on your DNS server. Under the you will have entries pointing to internal IPs and external IPs.

Once you add that zone to DNS, you are telling anyone who queries your DNS server that here are all of the records for that domain. That is why you must manually insert the external records.

If a public DNS needs to be given, then we need to advertise the public IP address into our network.

Sorry, I am not able to clearly understand.

My internal DNS server is already set up for resolving all my internal URLs based on our internal domain. At present it can't resolve external URLs like


I am not able to understand how my internal DNS server can resolve external URLs.

What is the standard and best practice to achieve this?



Sorry for my late reply. Was traveling with not much access to my email. 


The quick answer to your question: you need a DNS that can resolve public URLs, so a caching-only DNS can be an answer for you.

Please go through the following link:

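To make the caching-only resolver suggestion concrete, here is a constructed unbound.conf for a branch resolver, added here as an example; it is not from the original thread or from Cisco, and every address and name in it is an assumption (branch LAN 10.100.0.0/16, resolver listening on 10.100.1.53, internal domain corp.example, internal authoritative DNS servers 10.1.1.53 and 10.1.1.54 at the data centre). The branch PCs point at this resolver instead of the data-centre DNS. Queries for the internal domain (and the private reverse zones) are forwarded over the overlay to the internal servers; everything else is resolved by the resolver itself, and those queries leave through the same NAT on the transport interface as any other DIA traffic, so the resolver needs no public IP address and nothing public has to be advertised into the branch. The access-control lines matter: a resolver sitting behind a NAT-enabled transport interface must only answer the LAN, never the Internet side.

```text
# Branch caching resolver (constructed example; all names and addresses are assumptions)
server:
    interface: 10.100.1.53
    port: 53

    # Answer only the branch LAN. Refuse everything else so this never
    # becomes an open resolver reachable via the DIA transport.
    access-control: 10.100.0.0/16 allow
    access-control: 0.0.0.0/0 refuse

    # Public names: no forward-zone for ".", so unbound recurses from the
    # root itself and the queries exit via the local breakout.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"   # assumed path
    qname-minimisation: yes
    hide-identity: yes
    hide-version: yes

    # The internal zone is unsigned: skip DNSSEC validation for it only,
    # and allow its answers to contain RFC 1918 addresses.
    domain-insecure: "corp.example"
    private-domain: "corp.example"
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16

    # Let reverse lookups for private space be forwarded instead of
    # answered locally with NXDOMAIN (unbound's default behaviour).
    local-zone: "10.in-addr.arpa." nodefault
    local-zone: "16.172.in-addr.arpa." nodefault
    local-zone: "168.192.in-addr.arpa." nodefault

# Split horizon: only the internal domain goes to the internal DNS servers,
# reached over the SD-WAN overlay in the service VPN.
forward-zone:
    name: "corp.example"
    forward-addr: 10.1.1.53
    forward-addr: 10.1.1.54

forward-zone:
    name: "10.in-addr.arpa"
    forward-addr: 10.1.1.53
    forward-addr: 10.1.1.54
```

The same split can be done on the internal Windows or BIND servers with conditional forwarders or recursion to the Internet, but then the DNS traffic from the branch still travels over the overlay to the data centre; placing the caching resolver at the branch is what keeps public resolution on the local breakout.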
Thanks. I have gone through it, but it is still not clear.

Can you explain in simple terms how it works? How does split DNS work with respect to Internet breakout?



I have one additional question. Is there a possibility to have a NAT exception when you are using DIA with SD-WAN? I have some public DMZ addresses which I need to send directly to the internet with no NAT.


Thank you, 

Yes, you need to deny that traffic while you are matching traffic in your policy.

Surjeet Singh
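The three required steps from the earlier answer (NAT on the transport interface, a data policy that selects the traffic to NAT, and applying it outbound from the service side) and the NAT-exception question just above are shown together below in one constructed configuration, added here as an example; it is not from the original thread or from Cisco. All names and numbers are assumptions: site-id 100, service VPN 10, user subnet 10.100.0.0/16, a DMZ prefix 198.51.100.0/24 that must not be translated, and transport interface ge0/0 with address 203.0.113.10/30. The first part goes on the branch vEdge/cEdge, the second is the centralised policy on vSmart.

```text
! ---- Branch edge router: enable NAT on the public transport interface ----
vpn 0
 interface ge0/0
  description "DIA transport (public Internet)"
  ip address 203.0.113.10/30
  nat
  !
  tunnel-interface
   encapsulation ipsec
   color biz-internet
  !
  no shutdown
 !
 ip route 0.0.0.0/0 203.0.113.9
!

! ---- vSmart centralised policy ----
policy
 lists
  vpn-list BRANCH_SERVICE_VPN
   vpn 10
  !
  site-list DIA_SITES
   site-id 100
  !
  data-prefix-list BRANCH_USERS
   ip-prefix 10.100.0.0/16
  !
  data-prefix-list DMZ_PUBLIC
   ip-prefix 198.51.100.0/24
  !
  data-prefix-list RFC1918_NO_NAT
   ip-prefix 10.0.0.0/8
   ip-prefix 172.16.0.0/12
   ip-prefix 192.168.0.0/16
  !
 !
 data-policy BRANCH_DIA
  vpn-list BRANCH_SERVICE_VPN
   ! 1. Anything destined to internal (RFC 1918) space stays on the
   !    overlay: accept without a NAT action so it follows normal routing.
   sequence 1
    match
     destination-data-prefix-list RFC1918_NO_NAT
    !
    action accept
     count INTERNAL_NO_NAT
    !
   !
   ! 2. NAT exception: the public DMZ prefix is accepted without
   !    "nat use-vpn 0", so it is never translated.
   sequence 11
    match
     source-data-prefix-list DMZ_PUBLIC
    !
    action accept
     count DMZ_NO_NAT
    !
   !
   ! 3. Everything else from the user subnet goes out the local breakout.
   sequence 21
    match
     source-data-prefix-list BRANCH_USERS
    !
    action accept
     count USERS_DIA_NAT
     nat use-vpn 0
     no nat fallback
    !
   !
   default-action accept
  !
 !
!
apply-policy
 site-list DIA_SITES
  data-policy BRANCH_DIA from-service
 !
!
```

Two caveats a practitioner will want. Sequences are evaluated in order and the first match wins, so the no-NAT sequences must sit before the catch-all NAT sequence, exactly as in the sample policy earlier in the thread. And a flow accepted without `nat use-vpn 0` simply follows the service VPN routing table: it is not pushed into VPN 0, so the un-translated DMZ traffic only leaves locally if the service VPN at that branch has a route toward the local transport for it, otherwise it takes the overlay. `no nat fallback` means that if the DIA transport goes down, matched user traffic is dropped rather than re-routed over the tunnels; use `nat fallback` instead if you want the overlay as a backup path.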