Wired Intelligent Edge (Campus Switching and Routing)

Frequent Contributor I

Implementing dynamic segmentation without replacing all the switches

Hi, we're interested in dynamic segmentation but we have lots of 2530/2540/Cisco switches in different buildings we'd not like to replace right away. Is it possible to implement dynamic segmentation at the aggregation level and use the current L2 switches behind a 2930/3810 switch?

 

Can we for example map VLANs to different GRE tunnels and roles on the MC or is it possible to just have the traffic pass through the current switches and have multiple users authenticate on each aggregation switch port?

 

Thanks!

Guru Elite

Re: Implementing dynamic segmentation without replacing all the switches

You cannot do this.

 

Dynamic segmentation works at the port level and if you can put a switch in front of that enforcement point, devices on that Cisco switch will be able to talk to each other, unfortunately.  That will ruin the "segmentation" portion of dynamic segmentation.


*Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba Networks or Hewlett Packard Enterprise.*
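The point above about an enforcement point at the aggregation port, as an added toy model that is not code from the thread or from Aruba: with a constructed topology (hostA and hostB behind a legacy L2 switch, hostC and hostD wired directly to the 2930), it walks the L2 forwarding path for each host pair and reports which pairs never enter a policed port.

```python
from collections import deque
from itertools import combinations

# Constructed example topology (not from the thread). Port policy
# (user-based tunneling / role enforcement) exists only on the 2930's ports;
# the legacy switch forwards locally with no policy at all.
LINKS = [
    ("hostA", "cisco-legacy"), ("hostB", "cisco-legacy"),
    ("cisco-legacy", "aruba-2930"),
    ("hostC", "aruba-2930"), ("hostD", "aruba-2930"),
]
ENFORCING_SWITCH = "aruba-2930"

def build_graph(links):
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def shortest_path(graph, src, dst):
    """Plain BFS; L2 traffic follows the single spanning-tree path."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in graph[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]

def is_policed(graph, src, dst):
    """True only if the frame enters a port on the enforcing switch."""
    return ENFORCING_SWITCH in shortest_path(graph, src, dst)

def unpoliced_pairs(links):
    """Host pairs whose traffic never crosses a policed port."""
    graph = build_graph(links)
    hosts = sorted(n for n in graph if n.startswith("host"))
    return {(a, b) for a, b in combinations(hosts, 2) if not is_policed(graph, a, b)}

if __name__ == "__main__":
    print(unpoliced_pairs(LINKS))  # {('hostA', 'hostB')}
```

Only the pair behind the legacy switch stays unpoliced; every pair involving a host on the 2930 is policed, which is exactly the gap the reply above describes.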
Frequent Contributor I

Re: Implementing dynamic segmentation without replacing all the switches

If the clients can talk to each other in the same VLAN we can live with that, as this is how it currently is. I'm hoping to map the VLANs to different roles to get the segmentation started, and then go deeper each time we replace older switches.

Regular Contributor I

Re: Implementing dynamic segmentation without replacing all the switches

The tunneling function must be supported by the switch ASIC. Currently only the switches below support tunneled node (port / user based).

 

Port based: 2920, 3800, 3810, 5400R, 2930M, 2930F.

User based: 2930F, 2930M, 5400R, 3810.

 

You can start with downloadable or programmable ACLs via RADIUS attribute on the currently installed switches, and move over to user based tunneling when you start replacing switches.



- - - - Aruba ACCX #748, ACDX #758, ACMP, ACEAP | HPE Master ASE - - - -
- - - - - - - Feel free to give kudos or accept as a solution! - - - - - - - - -