
Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Gateway Roles across SD-Branch Sites

  • 1.  Gateway Roles across SD-Branch Sites

    Posted May 19, 2022 11:24 AM
    Hi Community (apologies for the long post),

    We are relatively new to the Aruba product set and have just deployed a couple of branch offices. We have decided to use UBT to microsegment our network at these sites and keep the VLAN and IP addressing simplified. All endpoints reside on the same subnet at the branch office, e.g. phones, laptops, VC units etc. We then assign the device a role via ClearPass that then defines the access that device has by way of the PEF on the gateway. This works well for us and we are fairly happy.

    Getting to my query, is there any concept of a role being global in the context of the PEF? Some of our policies use the source and destination of "User Role"; a good example of this is our IP phones. The "IP Phone" role is allowed to talk to other devices that have the "IP Phone" role. This works fine when the IP phones are all located within one branch, but when they go to talk to an IP Phone at another branch the role context is lost. Traditionally we would define the firewall rules based on IP address, but because all the devices belong to the same subnet this is not possible.

    Any thoughts would be much appreciated.

    Network diagram if it helps:

    Justin Farr

  • 2.  RE: Gateway Roles across SD-Branch Sites

    Posted May 21, 2022 04:06 AM
    As far as I know the user roles are not global yet.

    Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba.

  • 3.  RE: Gateway Roles across SD-Branch Sites

    Posted May 23, 2022 04:29 AM

    I know the NetConductor stuff is coming with global roles, but that looks more VXLAN-related, with role-to-role enforcement at the switch level.
    Does seem to be a missing (albeit small) piece of the role-based puzzle.

    Justin Farr