Chapter 18 Dynamic Segmentation; Definition Of Terms; Overview - HP Aruba JL253A Management And Configuration Manual

For ArubaOS-Switch 16.08

Definition of Terms

Term: Definition
DCA: Dynamic Configuration Arbiter
ClearPass: ClearPass Policy Manager
GRE: Generic Routing Encapsulation
SAC: Switch Anchor Controller
S-SAC: Standby Switch Anchor Controller
UAC: User Anchor Controller
Switch Bootstrap: Control plane protocol packets exchange process between a switch and an SAC to register a switch with the configured SAC.
User Bootstrap: Control plane protocol packets exchange process between a switch and a UAC to register a user with the published UAC.
Secondary role: This information is an indication to the controller that it has to enforce additional policies to user traffic based on policy configuration associated with the secondary role.
Reserved VLAN mode: A VLAN is automatically created and reserved for tunnels in this mode.

Overview

Dynamic Segmentation enables Aruba switches to tunnel traffic (all traffic or the traffic of particular clients) to Aruba controllers.

Dynamic Segmentation includes the following:

User-Based Tunneling tunnels client traffic on the basis of user roles. This ability to tunnel traffic dynamically is powerful and, when used correctly, can help solve several deployment problems that are prevalent in legacy campus networks. The policies associated with the client can be driven through a RADIUS server, a downloaded role from ClearPass, or local MAC authentication in the switch. Many devices that require Power over Ethernet (PoE) and network access, such as security cameras, printers, payment card readers, and medical devices, do not have built-in security software such as that found on desktop or laptop computers. Because of this lack of on-device security, these devices can pose a risk to the network. User-Based Tunneling can authenticate these devices using ClearPass and tunnel the client traffic, utilizing the advanced firewall and policy capabilities in the Aruba Mobility Controller. To provide secure access to IoT devices within the Aruba Intelligent Edge wired network, controller clustering is available in ArubaOS 8.0.0.0. For more information, see User-Based Tunneling.

Port-Based Tunneling allows the Aruba switch to tunnel traffic to an Aruba Mobility Controller on a per-port basis. All traffic on a configured switch port is statically tunneled to an Aruba Mobility Controller. For more information, see Port-Based Tunneling.

Tunneling is enabled in the Aruba user role and can be combined with the Downloadable User Role (DUR) feature for dynamic and flexible policy enforcement and segmentation.
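
An added example, not taken from the HP/Aruba manual: a small Python audit that reads a switch configuration and reports which user roles are tunneled to the controller (User-Based Tunneling), which ports are tunneled statically (Port-Based Tunneling), and which roles are still switched locally and so never reach the controller's firewall policy. The config excerpt is constructed; its command spelling, the `audit` function and the check that the two modes are not mixed are assumptions, since this page shows no CLI.

```python
import re

# Constructed running-config excerpt; the command spelling is an assumption.
SAMPLE_CONFIG = """\
tunneled-node-server
   controller-ip 10.0.102.5
   mode role-based reserved-vlan 1000
aaa authorization user-role name "iot-camera"
   tunneled-node-server-redirect secondary-role "camera-fw"
aaa authorization user-role name "printer"
   vlan-id 30
interface 7
   tunneled-node-server
"""

def audit(config):
    """Summarise tunneling settings and list findings worth a manual review."""
    s = {"mode": None, "controller": None, "reserved_vlan": None,
         "roles": {}, "tunneled_ports": []}    # roles: name -> (how, secondary role)
    kind = name = None                         # stanza currently being read
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):            # an unindented line opens a stanza
            role = re.match(r'aaa authorization user-role name "?([^"]+)"?$', line)
            port = re.match(r"interface (\S+)$", line)
            if line == "tunneled-node-server":
                kind, name = "server", None
            elif role:
                kind, name = "role", role.group(1)
                s["roles"][name] = ("local", None)   # until a redirect is seen
            elif port:
                kind, name = "port", port.group(1)
            else:
                kind = name = None
        elif kind == "server" and (m := re.match(r"controller-ip (\S+)", line)):
            s["controller"] = m.group(1)
        elif kind == "server" and (m := re.match(r"mode (\S+)(?: reserved-vlan (\d+))?", line)):
            s["mode"], s["reserved_vlan"] = m.group(1), m.group(2)
        elif kind == "role" and (m := re.match(r'tunneled-node-server-redirect(?: secondary-role "?([^"]+)"?)?', line)):
            s["roles"][name] = ("tunnel", m.group(1))
        elif kind == "port" and line == "tunneled-node-server":
            s["tunneled_ports"].append(name)
    findings = [f"role {r}: no redirect, traffic is switched locally"
                for r, (how, _) in s["roles"].items() if how == "local"]
    if s["mode"] == "role-based":              # assumption: the two modes are not mixed
        findings += [f"port {p}: static tunnel set while mode is role-based" for p in s["tunneled_ports"]]
    if s["controller"] is None:
        findings.append("no controller-ip configured")
    return s, findings
```

Calling `audit(SAMPLE_CONFIG)` returns the parsed settings and a list of findings; on the constructed excerpt it flags the `printer` role and port 7.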
Aruba 2930F / 2930M Management and Configuration Guide
Chapter 18
Dynamic Segmentation
for ArubaOS-Switch 16.08
