Re: Why route data through data center if source/dest is not there?

imaliraz51 · ‎03-03-2022

I work at the service desk and I'm just curious about this.

We get a lot of firewall opening request that we pass to the network team responsible for firewalls in DC, I look at the forms, and sometimes it's traffic from/to some server in DC - make sense, but sometimes it's just a request to open traffic from branch office server to some amazon services on the internet.

Why does such a thing need an opening on the firewall on the data center? I guess the traffic goes through there but why? I don't get why it can't go directly from the branch office to the internet, this and it really annoys me.

If someone can explain that would be really great!!

TommyPet France

Seb Rupik · ‎03-03-2022

Hi there,

It is a common WAN architecture to have all branch sites connected to a central location (typically a Data Center) via MPLS or VPN carried over public internet. Since a branch site will most likely be accessing resources located in the DC this make sense.

Regarding accessing the internet from a branch office, in the interest of security and policy enforcement it makes sense both logically and economically to do this at a single location instead of at each branch site. This is why internet bound traffic will be routed via your DC before reaching the internet.

cheers,

Seb.

balaji.bandi · ‎03-03-2022

This common security practice, Open ports where it is required to protect the network.

So we do this kind of work day to day basis major request come new build new service on, they need to contact other servers.

By Default FW rules are Deny any any

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

MHM Cisco World · ‎03-03-2022

If branch do have fw and dc adverts default route toward branch,this make branch send data to fw of dc and fw resend it to internet.