Dynamic segmentation

Dynamic Segmentation (DS) is an enterprise network solution that combines Aruba OS-CX security and networking features to dynamically place clients into network segments based on client credentials. The client network segments are dynamically carved out of the enterprise networks when on-boarding secure clients. Two options are available:

  • User Based Tunnels (UBT).
  • Virtual Network Based Tunnels (VNBT). Also called switch-to-switch dynamic segmentation.

In both solutions, once a client has authenticated (using MAC-Auth or 802.1X) it is bound to a network role, and each role is associated with a VLAN. The client's traffic is then placed on the VLAN (known as the role VLAN) of the role it was assigned. Role assignment is defined either per client through the individual client authentication mode or through device-profile based authentication.

The administrator must pre-configure every potential role VLAN and VRF on every access switch, together with any per-VLAN settings they require (IGMP snooping on the VLAN, PIM RP, etc.). The switch instantiates a role VLAN or VRF only when a client is actually on-boarded onto that VLAN (enabled with the command system vlan-client-presence-detect). Until then no broadcast domain exists for that VLAN on the switch and no routes are learned for it, so pre-configuring a large set of role VLANs does not cost flooding or routing state on switches where no client of that role is present.
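The following AOS-CX configuration fragment is an added illustration of the preparation described above; it is not taken from the original page or from any Aruba reference configuration. The VLAN IDs (100, 200), the VRF name GUEST, the role names employee and guest, the RADIUS server address and port 1/1/1 are all hypothetical; only the command keywords are AOS-CX syntax, and exact syntax can vary between AOS-CX releases, so check it against the release notes for your switch.

```text
! Role VLANs and VRF are pre-created on the access switch. With
! vlan-client-presence-detect enabled they stay dormant until a client is
! placed on them, so the guest VLAN and VRF cost nothing on a switch that
! has only employees connected.
vrf GUEST

vlan 100
    name ROLE-EMPLOYEE
    ip igmp snooping enable

vlan 200
    name ROLE-GUEST
    ip igmp snooping enable

! Guest SVI is isolated in its own VRF so guest traffic cannot reach the
! employee routing table.
interface vlan 200
    vrf attach GUEST
    ip address 10.200.0.1/24

! Instantiate role VLANs/VRFs only when a client of that role is present.
system vlan-client-presence-detect

! Roles bind an authenticated identity to its VLAN.
port-access role employee
    vlan access 100
port-access role guest
    vlan access 200

! RADIUS server that returns the role (e.g. via VSA) on successful auth.
radius-server host 10.1.1.5 key plaintext SharedSecret

! Enable 802.1X globally and on the access port.
aaa authentication port-access dot1x authenticator
    enable
interface 1/1/1
    no shutdown
    aaa authentication port-access dot1x authenticator
        enable
```

The practitioner's check after applying this is to look at the VLAN and routing tables before and after a client of each role authenticates: VLAN 200 and the GUEST VRF's connected route should appear only once a guest is on-boarded on that switch, and a client whose authentication fails must not land on an employee VLAN, which is why each role's VLAN is defined explicitly rather than relying on a port's static VLAN.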