Hi Community (apologies for the long post),
We are relatively new to the Aruba product set and have just deployed a couple of branch offices. We have decided to use UBT to microsegment our network at these sites and keep the VLAN and IP addressing simplified. All endpoints reside on the same subnet at the branch office, e.g. phones, laptops, VC units, etc. We then assign the device a role via ClearPass, which then defines the access that device has by way of the PEF on the gateway. This works well for us and we are fairly happy.
Getting to my query: is there any concept of a role being global in the context of the PEF? Some of our policies use the source and destination of "User Role"; a good example of this is our IP phones. The "IP Phone" role is allowed to talk to other devices that have the "IP Phone" role. This works fine when the IP phones are all located within one branch, but when they go to talk to an IP phone at another branch, the role context is lost. Traditionally we would define the firewall rules based on IP address, but because all the devices belong to the same subnet this is not possible.
Any thoughts would be much appreciated.
Network diagram if it helps:

Cheers,
Justin
------------------------------
Justin Farr
------------------------------