Key Building Blocks of Dynamic Segmentation

By Dave Chen, Senior Product Marketing Manager

This is my second blog on Dynamic Segmentation. My first blog, Simplify Network Policies with Dynamic Segmentation, explores why data center technologies like microsegmentation, fabrics and automation are being applied to traditional campus and branch network architectures.

The network edge is changing. The shift to cloud applications and the rise of IoT is putting pressure on the traditional network edge architecture. Corporate traffic patterns are shifting at the edge, with higher volumes of traffic moving from the user to the Internet, rather than from the user to the data center. Network intelligence is also shifting, with more decisions that impact user experience, security, and controls being made at the edge.

A Dynamic Segmentation Recap
Dynamic Segmentation leverages Aruba’s unique mobile-first capabilities, which are delivered by our Mobility Controllers and ClearPass, to simplify and secure the network. With a built-in Policy Enforcement Firewall (PEF), the Mobility Controller applies user role-based context and Layer 2-7 application visibility to segment public and private traffic automatically.

Dynamic Segmentation delivers several key benefits. Users and devices are automatically granted access to the right network segment based on context-aware policies that factor in user role, device type, application ID and location. Automating policies reduces IT workloads, since admins no longer have to make manual moves, adds and changes every time a new device is on-boarded. IoT/headless devices such as security cameras, for instance, have their own route through the network and may only communicate with the video surveillance servers. This reduces the risk that a compromised IP camera negatively impacts the business.
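To make the two-stage model in this section concrete (context decides the role, the role decides which destinations and applications the firewall permits), here is a small policy evaluator. It is an added illustration, not Aruba ClearPass or PEF code: the rule format, role names, subnets and application labels are all constructed for the example. It shows the camera case from the paragraph above, where a surveillance camera is allowed to talk only to the video servers, and also walks through employee, guest and catch-all quarantine roles.

```python
"""Toy model of context-aware, role-based segmentation.

Hypothetical example code, not Aruba ClearPass/PEF code: rule format,
role names, subnets and application labels are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple


@dataclass(frozen=True)
class Endpoint:
    """What the policy server knows about a connecting device (constructed fields)."""
    device_type: str   # from device profiling, e.g. "ip-camera", "laptop"
    auth: str          # how it authenticated: "802.1x", "mac-auth" or "captive-portal"
    location: str      # site / AP group the device connected through


# Stage 1: context -> role. Evaluated top-down, first match wins; "*" is a wildcard.
# The final catch-all drops anything unrecognised into a quarantine role.
ROLE_RULES: List[Tuple[str, str, str, str]] = [
    # (device_type, auth,             location, role)
    ("ip-camera",   "mac-auth",       "*",      "surveillance-cam"),
    ("laptop",      "802.1x",         "hq",     "employee"),
    ("*",           "captive-portal", "*",      "guest"),
    ("*",           "*",              "*",      "quarantine"),
]


def assign_role(ep: Endpoint) -> str:
    """Map a connecting endpoint to a role using the first matching rule."""
    for dev, auth, loc, role in ROLE_RULES:
        if (dev in ("*", ep.device_type)
                and auth in ("*", ep.auth)
                and loc in ("*", ep.location)):
            return role
    return "quarantine"  # safe default, unreachable while the catch-all exists


# Stage 2: per-role firewall rules, (destination network, application, action).
# Evaluated top-down, first match wins, with an implicit deny at the end.
ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.0.0.0/8")          # all private address space (constructed)
DATA_CENTER = ip_network("10.10.0.0/16")     # constructed data center range
SURVEILLANCE = ip_network("10.10.50.0/24")   # constructed video surveillance server subnet

ROLE_POLICY = {
    # Cameras may stream to the video servers and sync time; nothing else.
    "surveillance-cam": [
        (SURVEILLANCE, "rtsp", "permit"),
        (SURVEILLANCE, "ntp", "permit"),
        (ANY, "*", "deny"),
    ],
    # Employees reach the data center and the Internet, but not other internal subnets.
    "employee": [
        (DATA_CENTER, "*", "permit"),
        (INTERNAL, "*", "deny"),
        (ANY, "*", "permit"),
    ],
    # Guests get web and DNS to the Internet only; the internal deny comes first.
    "guest": [
        (INTERNAL, "*", "deny"),
        (ANY, "https", "permit"),
        (ANY, "dns", "permit"),
        (ANY, "*", "deny"),
    ],
    "quarantine": [
        (ANY, "*", "deny"),
    ],
}


def check_flow(role: str, dst: str, app: str) -> str:
    """Return 'permit' or 'deny' for a flow from a device in `role` to dst/app."""
    dst_ip = ip_address(dst)
    for net, rule_app, action in ROLE_POLICY.get(role, []):
        if dst_ip in net and rule_app in ("*", app):
            return action
    return "deny"  # implicit deny when no rule matched


def decide(ep: Endpoint, dst: str, app: str) -> Tuple[str, str]:
    """Full pipeline: profile context -> role -> firewall verdict."""
    role = assign_role(ep)
    return role, check_flow(role, dst, app)


if __name__ == "__main__":
    cam = Endpoint("ip-camera", "mac-auth", "branch-3")
    # Normal camera traffic to the video servers is allowed.
    print(decide(cam, "10.10.50.7", "rtsp"))
    # A compromised camera probing a file server is dropped by the role policy.
    print(decide(cam, "10.10.20.5", "smb"))
    # An unprofiled device that only did MAC auth lands in quarantine.
    print(decide(Endpoint("printer", "mac-auth", "hq"), "8.8.8.8", "dns"))
```

The point worth noticing is the order of evaluation in each role: the camera role has no general permit at all, and the guest role denies private address space before it permits anything, so a device that is mis-profiled or compromised still only gets the reach its role was given.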

Getting Started with Dynamic Segmentation
Dynamic Segmentation can be used on traditional enterprise campuses as well as distributed branch environments. It is a solution that can be applied to your network in a flexible way, so you can begin by creating a policy overlay for your existing network rather than interrupting your operations.

Many Aruba customers already have the key components you need for Dynamic Segmentation. If you’re starting from scratch, you’ll need:

ClearPass Policy Manager
ClearPass Policy Manager provides centralized policy management and automated profiling for wired and wireless client devices. Using ClearPass as a single point of policy definition, organizations can aggregate rules for a large campus or distributed enterprise. If you deployed ClearPass over Aruba wired and wireless networks, you’re in luck. We’ve recently introduced enhancements with ArubaOS 8.4 and ClearPass 6.8 that add Dynamic Segmentation visibility, enabling you to customize reporting for the entire network.

Mobility Controllers
The Mobility Controller can be used to provide on-premises policy enforcement and a Layer 7 firewall with deep packet inspection. The product can be deployed in small, medium and large campuses, and also supports high availability for added resiliency.

Aruba Network Switches
If you’re ready to extend unified policy enforcement to your wired network, deploy Aruba network switches (any of the 2930Fs, 2930Ms, 3810s, or 5400Rs will do). They’ll also provide all the wired connectivity you need.

Aruba Wireless Access Points
With a versatile set of IoT-ready wireless features, Aruba APs provide the investment protection you need. They also support Aruba’s AI-powered RF features and the absolute latest Wi-Fi standards (Wi-Fi 6 and WPA3) – so you can enhance the network with optimized user experience and performance alongside Dynamic Segmentation.

Take Dynamic Segmentation to the Next Level
Organizations can use Aruba ClearPass Device Insight and the MultiZone AP capability to take visibility and control to the next level. Let's look at each one.

AI-Based Profiling
Aruba ClearPass Device Insight complements a Dynamic Segmentation strategy by providing full visibility for all connected devices – even if they aren’t in your existing database. IT has visibility into the device type, vendor, hardware version and behavior, including applications and resources accessed. This technology utilizes deep packet inspection, advanced machine learning, and crowdsourced device fingerprints. Device Insight addresses a common challenge: many IoT devices are difficult or impossible to identify in any useful level of detail.

Devices discovered through ClearPass Device Insight can be automatically segmented based on the appropriate policy, or even quarantined if they are behaving in a malicious or insecure way. Using ClearPass Device Insight delivers full-spectrum visibility and actionable insight to further increase security and compliance.

Secure, Multi-Tenant Separation
Organizations can extend the principles of Dynamic Segmentation for traffic that must terminate on dedicated on-premises hardware or to reduce the number of overlapping networks.

Using the MultiZone feature available exclusively with Mobility Conductor, an access point can forward public and private traffic to different controllers based on SSID segmentation – so traffic from the guest network will terminate on a controller sitting in the DMZ.

This feature can also be used for locations with multi-tenant operations, such as a business park, retail outlet or airport, that want their tenants to connect Aruba controllers to a single wireless AP infrastructure.

With Dynamic Segmentation, Aruba networks are built on a foundation of security. Aruba’s unified architecture is highly differentiated from other vendors and provides a more secure wired and wireless environment.

Related Content

Read the Simplify Network Policies with Dynamic Segmentation blog.

See the video clip from last year’s Tech Keynote.

Read the Dynamic Segmentation Solution Brief.

Read the ClearPass Device Insight Solution Brief.

Read the MultiZone Solution Brief.

Learn more about how Dynamic Segmentation can support IoT wired use cases in this blog by Jon Green, VP and Chief Technologist for Security.