There's the usual traffic like SCCM, printer management, monitoring of different devices, etc. In the end it's probably not that much, but it still feels a bit wasteful to pass it over the SD-WAN fabric before dropping it at the remote branch.
All the Aruba documents show the VPNC connected directly to the core switches, and the only firewall in the picture is the DMZ firewall between the internet and the VPNC. So that is probably Aruba's best practice, as I haven't seen any other way in the documents.
What I was trying to drop was the enterprise's own traffic over the fabric to the branches, not the traffic coming from the internet. And as we've already had to do all the rules for the branches, it seems a bit silly to do exactly the same rules again in the DC firewall :) I'll also have to draw in Visio what DC firewalls in front of the VPNC would look like; hopefully there will be no asymmetric traffic. But I guess that's usually managed with AS prepends.
Original Message:
Sent: May 04, 2021 08:41 AM
From: Felipe Rodrigues
Subject: Firewalling at DC - SD-WAN edge
Hi pubjohndoe,
VPNC is a tunnel concentrator. The idea is that user traffic is generated in the branches towards the DC where the VPNC is located, and not the other way around. You can configure policies directly on the VPNC interface (you can check that there is one applied by default on the WAN interface, allowing only the protocols necessary to build the IPsec tunnels).
Don't you have a DMZ firewall in this topology? The best option would be for a DC firewall to do this control if there is traffic initiated in the DC towards the branch offices.
------------------------------
Felipe Rodrigues
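As an added illustration of the kind of WAN-facing allowlist the reply above refers to (this is not the actual default policy shipped on the VPNC and not code from the thread), here is an ArubaOS-style session ACL that permits only the protocols an IPsec tunnel needs and drops everything else. The ACL name, the interface name and the use of the built-in netservice aliases (svc-ike for UDP/500, svc-natt for UDP/4500, svc-esp for IP protocol 50) are assumptions; check the names and the exact apply syntax against your own VPNC before using it.

```text
! Illustrative WAN-side allowlist for a VPNC (assumed names, not the shipped default)
! Only IKE, NAT-T and ESP are accepted from the internet; everything else is dropped.
ip access-list session vpnc-wan-in
  any any svc-ike  permit     ! UDP/500  - IKE negotiation
  any any svc-natt permit     ! UDP/4500 - IKE/ESP over UDP when NAT is in the path
  any any svc-esp  permit     ! IP proto 50 - the tunnel payload itself
  any any any      deny       ! drop anything that is not tunnel setup or payload
!
! Applying it to the WAN interface (interface name and apply syntax are assumptions)
interface gigabitethernet 0/0/0
  ip access-group vpnc-wan-in session
!
```

Note what this does and does not cover: it only controls what the internet can send to the VPNC's outside interface. Traffic the DC itself originates towards the branches enters the VPNC on the inside and is then encapsulated, so this list never sees it; that is exactly the traffic the reply suggests leaving to the DC firewall, or to a policy on the VPNC's inside interface or user roles.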
Original Message:
Sent: Apr 29, 2021 03:19 PM
From: Jukka Aaltonen
Subject: Firewalling at DC - SD-WAN edge
Please correct me if I'm wrong, but I believe that usually, when we create user roles on SD-Branch gateways and have traffic coming from the DC, the path is the red one in this picture: