Wired Intelligent Edge (Campus Switching and Routing)


Dynamic segmentation for every user?

Are you doing dynamic segmentation for all your users, or for only IoT stuff and locally switching workstations?

We're starting to deploy new CX switches in a new building soon and I was wondering if anyone sees any downsides of doing 100% dynamic segmentation.


Currently we've run basic L2 switches that terminate on an aggregation switch that does MPLS, and then each VRF is routed via DC firewalls. And WLAN has been 100% tunneled so far. So tunneling users to the 7220s we have wouldn't be that big a difference in data flows. Though we have to get used to doing firewalling with Aruba controllers and not the firewalls we have.


We have 6400 switches for the aggregation in the new building and as they don't support MPLS we'd need to do VRF lite type of configurations. If we only had one 'transit' VRF towards the controllers it would keep the configs nice and clean.


Thanks for any thoughts!

Aruba Employee

Re: Dynamic segmentation for every user?



In my opinion, your question is a bit tricky since it is implying dynamic segmentation equals tunneling, which is not the way I see it.


Dynamic segmentation aims at providing the right access to the users/devices as they connect to your network dynamically, without the need to do static assignments. The role that they take might force traffic to be tunneled or not. Even if you are not tunneling traffic back, you are doing dynamic segmentation and simplifying your configuration by assigning policies dynamically. The policy follows the user/device as they move throughout the network, even if the policy gets enforced on the switch side. For sure, tunneling the traffic to the controller brings great value, but it is not the only way to do dynamic segmentation.


So is your question regarding dynamic segmentation or tunneling all wired traffic to controllers?

If you are considering dynamic segmentation, then my answer is 100%, because you are as strong as your weakest link.

If your answer is about tunneling all the traffic, I think it depends on the traffic patterns and requirements.


Re: Dynamic segmentation for every user?

Ah, I was thinking that "colourless ports" is the idea where I have 802.1x with ClearPass and dynamically assign VLANs (maybe local user policies but we're not using them now as we have multiple vendors everywhere...). This is because every time I read anything about dynamic segmentation it's about tunneling traffic to a controller, whether it's a SD-Branch GW or something in a DC like we have currently.


So for this discussion I'm thinking that dynamic segmentation means tunneling traffic back to a controller, in our new building case this would mean controllers in the DC (multiple fiber links between those so bandwidth is not an issue).


Our traffic patterns are pretty much 100% to the DC. In the campus area we only have one exit point towards the internet/WAN in the DC, and I don't think we have much workstation <-> workstation traffic. Someone somewhere said that Teams etc. would do that, but in our current environment I can't really say if it's happening or not. We would need to get better visibility into the access switches to see if there's inter-VLAN traffic. And as all our workstations are in the same logical VRF they can talk directly to each other, so we would need something like transparent firewalls/TAPs there too to know if there is actually lateral traffic.


But as far as I know, the lateral traffic is minimal.
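The last post says the team cannot tell whether workstation-to-workstation traffic exists because all workstations sit in one VRF. Before deciding whether to tunnel everything, a cheap first step is to classify exported flow records (sFlow/NetFlow from the access or aggregation switches) into north-south (workstation to DC) and east-west (workstation to workstation) traffic and rank the lateral conversations. The script below is an added example, not code from the thread or from Aruba; the subnets, the CSV column layout and the flow records are constructed for illustration and would be replaced with the real collector export.

```python
"""Classify exported flow records into north-south (to the DC) and
east-west (workstation-to-workstation) traffic and rank lateral conversations.

Added example, not from the original thread. Subnets, CSV layout and the
flow records are constructed for illustration.
"""
import csv
import io
import ipaddress
from collections import Counter, defaultdict

# Assumed (hypothetical) addressing: workstation VLANs and the DC ranges.
WORKSTATION_NETS = [ipaddress.ip_network("10.10.0.0/16")]
DC_NETS = [ipaddress.ip_network("10.200.0.0/16")]

# Constructed flow export in the shape of a simplified NetFlow/IPFIX CSV.
SAMPLE_FLOWS = """\
src_ip,dst_ip,proto,dst_port,bytes
10.10.1.20,10.200.5.10,6,443,180000
10.10.1.20,10.200.5.11,17,53,600
10.10.1.21,10.10.2.30,17,3478,42000
10.10.2.30,10.10.1.21,17,3478,39000
10.10.1.22,10.10.1.23,6,445,8800
10.10.3.5,8.8.8.8,17,53,300
10.200.5.10,10.10.1.20,6,443,95000
"""


def _in_any(ip, nets):
    return any(ip in n for n in nets)


def classify_flow(src, dst):
    """Return 'east-west', 'north-south', 'internet' or 'other' for one flow."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    src_ws, dst_ws = _in_any(s, WORKSTATION_NETS), _in_any(d, WORKSTATION_NETS)
    if src_ws and dst_ws:
        return "east-west"          # the lateral traffic the thread asks about
    if (src_ws and _in_any(d, DC_NETS)) or (dst_ws and _in_any(s, DC_NETS)):
        return "north-south"        # workstation <-> data centre
    if (src_ws or dst_ws) and not (s.is_private and d.is_private):
        return "internet"           # leaves via the single DC exit point
    return "other"


def summarize_flows(csv_text):
    """Aggregate bytes per traffic class and per lateral (src, dst, proto, port)."""
    bytes_by_class = Counter()
    lateral = defaultdict(int)
    for row in csv.DictReader(io.StringIO(csv_text)):
        cls = classify_flow(row["src_ip"], row["dst_ip"])
        size = int(row["bytes"])
        bytes_by_class[cls] += size
        if cls == "east-west":
            key = (row["src_ip"], row["dst_ip"], int(row["proto"]), int(row["dst_port"]))
            lateral[key] += size
    total = sum(bytes_by_class.values())
    share = {k: v / total for k, v in bytes_by_class.items()} if total else {}
    return {"bytes": dict(bytes_by_class), "share": share, "lateral": dict(lateral)}


def lateral_report(csv_text, top=10):
    """Largest workstation-to-workstation conversations, biggest first."""
    summary = summarize_flows(csv_text)
    ranked = sorted(summary["lateral"].items(), key=lambda kv: kv[1], reverse=True)
    return ranked[:top]


if __name__ == "__main__":
    s = summarize_flows(SAMPLE_FLOWS)
    for cls, b in s["bytes"].items():
        print(f"{cls:12s} {b:>9d} bytes ({s['share'][cls]:.1%})")
    for (src, dst, proto, port), b in lateral_report(SAMPLE_FLOWS):
        print(f"lateral {src} -> {dst} proto {proto} port {port}: {b} bytes")
```

Run it against a real export and the east-west share answers the "is there lateral traffic" question directly; the ranked pairs (here the UDP/3478 pair looks like peer-to-peer media, the TCP/445 pair like file sharing) show which flows would break or need policy if every workstation role were tunneled and firewalled at the controller.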