MACSec / tunnelled node / encryption question

  • 1.  MACSec / tunnelled node / encryption question

    Posted Feb 29, 2020 04:59 AM

    Hi all,


    I have a request on my network (3810M at the access layer with ClearPass doing access control) to give a more secure connection to certain devices at the access layer.

    I've tried to suggest we do downloadable ACLs, but for accreditation reasons that won't suffice.

    They want to see further segregation than an ACL ... I have 2 thoughts:


    1. Set up a controller and do tunnelled node so it gets segregated to a physically separate device. I'm aware the GRE tunnel this makes isn't encrypted though? So in effect the only separation is a GRE header?


    2. Somehow use MACSec on certain connections to an upstream switch to create this separation with encryption? Can I do MACSec on only certain links that come in?



  • 2.  RE: MACSec / tunnelled node / encryption question
    Best Answer

    Posted Feb 29, 2020 04:29 PM

    With GRE tunnels and Aruba controllers, we are not only separating traffic by GRE; the controller also acts as a stateful firewall between them.


    With MACSEC, you can enable it on specific ports but it should be directly connected, meaning you can do MACSEC between directly connected switch ports for two switches.