Wired Intelligent Edge


Bring performance and reliability to your network with the HPE Aruba Networking Core, Aggregation, and Access layer switches. Discuss the latest features and functionality of your switching devices, and find ways to improve security across your network to bring together a mobile-first solution.

Implementing dynamic segmentation without replacing all the switches

  • 1.  Implementing dynamic segmentation without replacing all the switches

    Posted Sep 28, 2019 07:35 AM

    Hi, we're interested in dynamic segmentation but we have lots of 2530/2540/Cisco switches in different buildings we'd not like to replace right away. Is it possible to implement dynamic segmentation at the aggregation level and use the current L2 switches behind a 2930/3810 switch?

    Can we for example map VLANs to different GRE tunnels and roles on the MC, or is it possible to just have the traffic pass through the current switches and have multiple users authenticate on each aggregation switch port?

    Thanks!



  • 2.  RE: Implementing dynamic segmentation without replacing all the switches
    Best Answer

    EMPLOYEE
    Posted Sep 28, 2019 03:27 PM

    You cannot do this.

    Dynamic segmentation works at the port level and if you can put a switch in front of that enforcement point, devices on that Cisco switch will be able to talk to each other, unfortunately. That will ruin the "segmentation" portion of dynamic segmentation.



  • 3.  RE: Implementing dynamic segmentation without replacing all the switches

    Posted Sep 29, 2019 07:25 AM

    If the clients can talk to each other in the same VLAN we can live with that, as this is how it currently is. I'm hoping to map the VLANs to different roles to get the segmentation started, and then go deeper each time we replace older switches.



  • 4.  RE: Implementing dynamic segmentation without replacing all the switches
    Best Answer

    Posted Sep 29, 2019 10:38 AM

    The tunneling function must be supported by the switch ASIC. Currently only the switches below support tunneled node (port / user based).

    Port based: 2920, 3800, 3810, 5400R, 2930M, 2930F.

    User based: 2930F, 2930M, 5400R, 3810.

    You can start with downloadable or programmable ACL via RADIUS attribute on the currently installed switches, and move over to user-based tunneling when you start replacing switches.
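Added illustration, not from this thread or from HPE: what the RADIUS-assigned ACL mentioned above can look like as a FreeRADIUS `users` entry. It assumes the switch accepts the standard NAS-Filter-Rule attribute (RFC 4849, IPFilterRule syntax) as its downloadable ACL; the MAC address, VLAN and server addresses are constructed placeholders.

```text
# Constructed example: a MAC-authenticated workstation is placed in its existing
# VLAN (so today's L2 design keeps working) and gets a per-session ACL that
# allows only DNS and one application server, dropping everything else inbound.
"00-11-22-33-44-55"  Cleartext-Password := "00-11-22-33-44-55"
        Tunnel-Type = VLAN,
        Tunnel-Medium-Type = IEEE-802,
        Tunnel-Private-Group-Id = "20",
        NAS-Filter-Rule = "permit in udp from any to 10.20.0.5 53",
        NAS-Filter-Rule += "permit in tcp from any to 10.20.0.10 443",
        NAS-Filter-Rule += "deny in ip from any to any"
```

Note that the ACL is enforced on the 2930/3810 port facing the older switch, so every device behind that downstream switch shares the same result and can still reach its neighbours at L2, which is exactly the limitation the earlier answer describes.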