I have a request on my network (3810M at the access layer with ClearPass doing access control) to give a more secure connection to certain devices at the access layer.
I've tried to suggest we do downloadable ACLs, but for accreditation reasons that won't suffice.
They want to see further segregation than an ACL... I have 2 thoughts:
1. Set up a controller and do tunnelled node so it gets segregated to a physically separate device. I'm aware the GRE tunnel this makes isn't encrypted, though? So in effect the only separation is a GRE header?
2. Somehow use MACsec on certain connections to an upstream switch to create this separation with encryption? Can I do MACsec on only certain links that come in?
With GRE tunnels and Aruba controllers, we are not only separating traffic by GRE but also the controller acts as a stateful firewall between them.
With MACsec, you can enable it on specific ports, but it should be directly connected, meaning you can do MACsec between directly connected switch ports for two switches.
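As an added illustration (not from the original thread or from Aruba), the following Python builds a constructed IPv4/GRE packet carrying an Ethernet frame, the way a tunnelled-node style encapsulation does, and parses it back to show that the inner frame and its data stay readable to anything on the path between switch and controller. It assumes generic RFC 2784/2890 GRE with transparent Ethernet bridging (protocol type 0x6558); the exact tunnel format Aruba uses is not stated in the thread.

```python
import struct

GRE_PROTO = 47            # IP protocol number for GRE
ETHERTYPE_TEB = 0x6558    # GRE protocol type: transparent Ethernet bridging (a whole L2 frame inside)
GRE_FLAG_C, GRE_FLAG_K, GRE_FLAG_S = 0x8000, 0x2000, 0x1000   # RFC 2784/2890 optional-field bits

def build_gre_packet(outer_src, outer_dst, inner_frame, key=None):
    # Constructed IPv4 + GRE wrapper around a raw Ethernet frame (generic, not Aruba's exact format)
    flags = GRE_FLAG_K if key is not None else 0
    gre = struct.pack("!HH", flags, ETHERTYPE_TEB)
    if key is not None:
        gre += struct.pack("!I", key)
    src, dst = (bytes(int(o) for o in a.split(".")) for a in (outer_src, outer_dst))
    # IPv4: ver/IHL, TOS, total length, ID, flags/frag, TTL, proto, checksum (left 0), src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(gre) + len(inner_frame),
                     0, 0x4000, 64, GRE_PROTO, 0, src, dst)
    return ip + gre + inner_frame

def parse_gre_packet(pkt):
    # Walk the outer IP and GRE headers; everything behind them is readable as-is
    if pkt[9] != GRE_PROTO:
        raise ValueError("outer packet is not GRE")
    off = (pkt[0] & 0x0F) * 4
    flags, ptype = struct.unpack_from("!HH", pkt, off)
    off += 4
    if flags & GRE_FLAG_C:                    # checksum + reserved1
        off += 4
    key = None
    if flags & GRE_FLAG_K:                    # tunnel key
        key = struct.unpack_from("!I", pkt, off)[0]
        off += 4
    if flags & GRE_FLAG_S:                    # sequence number
        off += 4
    if ptype != ETHERTYPE_TEB:
        raise ValueError("payload is not a bridged Ethernet frame")
    inner = pkt[off:]
    return {
        "outer_src": ".".join(map(str, pkt[12:16])),
        "outer_dst": ".".join(map(str, pkt[16:20])),
        "gre_key": key,
        "inner_dst_mac": inner[:6].hex(":"),
        "inner_src_mac": inner[6:12].hex(":"),
        "inner_ethertype": struct.unpack_from("!H", inner, 12)[0],
        "inner_payload": inner[14:],          # application data, no confidentiality from GRE
    }

# Constructed sample: an access-port frame, wrapped as if carried from switch to controller
SAMPLE_FRAME = bytes.fromhex("0a0b0c0d0e0f1a1b1c1d1e1f0800") + b"user data in the clear"
SAMPLE_PACKET = build_gre_packet("10.0.0.5", "10.0.0.1", SAMPLE_FRAME, key=0x1234)
```

Calling `parse_gre_packet(SAMPLE_PACKET)` returns the inner MACs, EtherType and payload unchanged, which is the property MACsec on the link would remove for an on-path observer.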
© Copyright 2021 Hewlett Packard Enterprise Development LP. All Rights Reserved.