Security

  • 1.  Dynamic Segmentation

    Posted Dec 14, 2020 02:11 PM
    Hello,

    I have a query related to Dynamic Segmentation.

    Can we achieve Dynamic Segmentation without a Mobility controller?

    RADIUS can provide a Downloadable User Role to the wired switches or wireless AP. The GRE tunnel to the Mobility controller kicks in if a secondary user role is defined.

    If there is already a firewall (for example a Palo Alto stateful next-generation firewall), what is the advantage of having a Mobility controller (PEF)?

    Having a Mobility controller, unknown traffic will be backhauled to the controller via GRE tunnel, but can we also place an unknown device in a Guest VLAN without a Mobility controller?

    As the customer is planning to move to Aruba Central to manage all wired switches and APs -- the goal is to get rid of controllers -- what is the purpose of a Mobility controller then, only PEF?

    Is the PEF solution only for environments where the customer has no firewall solution?

    ------------------------------
    AG
    ------------------------------


  • 2.  RE: Dynamic Segmentation

    Posted Dec 15, 2020 10:10 AM
    This seems to be the same topic that has been answered here.

    Dynamic segmentation absolutely has a place where firewalls are deployed already. Tunneling the traffic to a gateway (or controller, which is the same thing) allows you to have micro-segmentation. Each device will have its own firewall segment which is role-based, where traditional firewalls protect per network segment which, depending on how and where you deploy it, can be large parts of your network where device-to-device communication (east-west traffic) is unprotected and unseen. Secondly, tunneling traffic allows you to use the existing network just as a carrier, which in many IoT and industrial scenarios allows a more centralized approach to break-out traffic for these devices, fully isolated from your production network.

    In the end, you might indeed end up in a situation where the added value of having a separate firewall is limited. This is what the SD-Branch solution is designed for.

    If you have firewalls deployed already and are happy with that, that is something that still many customers are doing.

    The edge microsegment firewalling and perimeter firewalling in fact both complement each other, but you can consider some overlap as well.

    Your Aruba partner or local Aruba SE can probably better put the different possibilities in place.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------
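To make the distinction in the reply above concrete, here is a small added model (example code, not from the thread, Aruba, or any product) that evaluates the same flows under two policy styles: a perimeter firewall keyed on source and destination VLAN, which never sees traffic switched within one VLAN, and a role-based policy keyed on the role assigned to each device at authentication, which is enforced per device regardless of VLAN. The VLANs, addresses, role names and port numbers are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample topology: three VLANs (assumption for this example,
# not taken from the thread).
VLANS = {
    "users": ip_network("10.10.0.0/24"),
    "iot": ip_network("10.20.0.0/24"),
    "servers": ip_network("10.30.0.0/24"),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


def vlan_of(ip: str):
    """Return the VLAN name an address belongs to, or None."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return None


# Perimeter firewall model: policy is keyed on (source VLAN, destination VLAN).
# It only inspects traffic that is routed between segments.
PERIMETER_RULES = {
    ("users", "servers"): {443},
    ("iot", "servers"): {8883},
}


def perimeter_verdict(flow: Flow) -> str:
    src_vlan, dst_vlan = vlan_of(flow.src), vlan_of(flow.dst)
    if src_vlan == dst_vlan:
        # East-west traffic inside one VLAN is switched locally and never
        # reaches the perimeter firewall: it is neither allowed nor denied.
        return "unseen"
    allowed = PERIMETER_RULES.get((src_vlan, dst_vlan), set())
    return "allow" if flow.dport in allowed else "deny"


# Role-based model (the dynamic segmentation idea): the role assigned to the
# device at authentication is the enforcement key, independent of its VLAN.
# Addresses and role names are constructed for the example.
DEVICE_ROLES = {
    "10.20.0.11": "iot-sensor",
    "10.20.0.12": "iot-sensor",
    "10.10.0.5": "employee",
}

ROLE_POLICY = {
    "iot-sensor": [(ip_network("10.30.0.0/24"), {8883})],
    "employee": [
        (ip_network("10.30.0.0/24"), {443}),
        (ip_network("10.10.0.0/24"), {445}),
    ],
    # A device with no assigned role has no permit entries: default deny.
}


def role_verdict(flow: Flow) -> str:
    role = DEVICE_ROLES.get(flow.src, "unknown")
    dst = ip_address(flow.dst)
    for net, ports in ROLE_POLICY.get(role, []):
        if dst in net and flow.dport in ports:
            return "allow"
    return "deny"


def compare(flows):
    """Evaluate each flow under both models; returns (flow, perimeter, role) tuples."""
    return [(f, perimeter_verdict(f), role_verdict(f)) for f in flows]


if __name__ == "__main__":
    sample = [
        Flow("10.20.0.11", "10.20.0.12", 22),    # sensor to peer sensor, same VLAN
        Flow("10.20.0.11", "10.30.0.20", 8883),  # sensor to broker in server VLAN
        Flow("10.10.0.5", "10.30.0.20", 443),    # employee to web application
        Flow("10.20.0.99", "10.30.0.20", 8883),  # device that never got a role
    ]
    for f, p, r in compare(sample):
        print(f"{f.src:>11} -> {f.dst:>11}:{f.dport:<5} perimeter={p:<7} role={r}")
```

The first and last sample flows are the ones the reply is about: sensor-to-sensor traffic inside the IoT VLAN is invisible to the perimeter model but denied by the per-device role policy, and a device that authenticated without being assigned a role is allowed through the perimeter (it sits in a trusted VLAN) but gets nothing from the role policy.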



  • 3.  RE: Dynamic Segmentation

    Posted Dec 15, 2020 10:21 AM
    Great. Makes sense; microsegmentation and perimeter complement each other.

    Customer already has Palo Alto at the gateway, so SD-Branch Gateway is not an option here.

    The downside is having a Mobility controller in each branch (more cost) or in the DC; but again a GRE backhaul to the Mobility controller.

    Also, IAP has inbuilt PEF, so there is no need for a Mobility controller for IAP, but for wired switches there is a need.

    ------------------------------
    AG
    ------------------------------



  • 4.  RE: Dynamic Segmentation

    Posted Aug 07, 2021 08:31 PM
    How is dynamic segmentation different from microsegmentation?
    Are there any deep technical papers including implementation details?

    ------------------------------
    al so
    ------------------------------



  • 5.  RE: Dynamic Segmentation

    Posted Aug 09, 2021 04:20 AM
    Microsegmentation is the goal: segmenting individual clients, even if they are in the same VLAN.

    Dynamic Segmentation is how you can do that with Aruba.

    Here is the page on the Aruba Website, and it has a link to a solution overview paper.

    If you need to go more in-depth, and understand the technical details, check out this video series.

    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.

    In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
    ------------------------------



  • 6.  RE: Dynamic Segmentation

    Posted Aug 12, 2021 11:48 PM
    Is there equivalent readable content to those videos on in-depth micro-segmentation?





  • 7.  RE: Dynamic Segmentation

    Posted Aug 13, 2021 10:52 AM
    It's not equivalent, but by far the best document I've found for the wired side of microsegmentation is the Wired Policy Enforcement Guide.  A list of all the current guides and docs for Clearpass are here:  Airheads Community.  Just look for the Wired Policy guide in the list.

    It gets regularly updated (the version I have was last updated August 2020).  Keep that in mind as some of the newest features may not have made it into the guide yet.  You'll want to pair it with the documentation for the particular switch line you're using, such as the AOS-CX Security Guide if you are using CX switches.  I can't emphasize enough how good this guide is; the security group at Aruba deserves a lot of credit.  Don't feel obligated to use every feature the guide describes, though; some may not be appropriate for your use case.




    ------------------------------
    Daniel Waites
    ------------------------------



  • 8.  RE: Dynamic Segmentation

    Posted Aug 15, 2021 11:53 PM
    Is there separate documentation for the wireless side?

    Ultimately, are there any specific real-world attacks (old and new) on CPE devices that this technology would help prevent?