Abhi Shamsundar, a member of the product team at HPE, presents the technical implementation of zero-trust micro-segmentation, focusing on how to enforce security policies closest to the source without requiring a massive network re-architecture. The session addresses a critical challenge in modern networking: preventing the lateral movement of threats, such as ransomware, within a broadcast domain. While traditional micro-segmentation often relies on VXLAN headers and EVPN-VXLAN architectures, which are ideal for large greenfield campuses, they are a hard sell for existing branch, retail, and distributed networks. Shamsundar introduces an inline zero-trust solution that allows for intra-VLAN and inter-VLAN segmentation while leaving existing Layer 2 and Layer 3 boundaries untouched, effectively bypassing the need for complex routing at the access layer.
The core of this strategy relies on Group-Based Policies (GBP) and centralized management via the Mist dashboard. When a device joins the network, it authenticates with a RADIUS server and receives a tag, which is then communicated to neighboring switches and access points. This allows for granular enforcement where communication can be denied not just at a basic “allow or deny” level, but down to specific Layer 4 ports and protocols. During a live demonstration, Shamsundar showcases a wired and wireless client initially communicating and streaming video; by updating the policy on the dashboard, the traffic is instantly halted at the access layer. This system provides a seamless translation of security intent between wired and wireless domains, ensuring consistent protection across the entire infrastructure.
A significant benefit of this approach is the deep visibility it provides to administrators, including hit counters and timeline functions that track policy interactions over seven days. While the speaker clarifies that the current solution supports specific hardware like the Juniper Mist 4100 and 4400 switches, he notes that support for Aruba switches is on the roadmap. The presentation concludes by reinforcing the message that true zero trust is a function of strong segmentation. By enabling enforcement at the edge of the network without requiring a total VXLAN overhaul, HPE provides organizations with a pragmatic path to secure their infrastructure against sophisticated lateral threats while maintaining their current operational models.
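As an added illustration (not code from the presentation, HPE or Mist), the following Python model shows the tag-based evaluation described above: endpoints receive a group tag at RADIUS authentication, the access device matches first-hit rules on source tag, destination tag, protocol and destination port, and each rule keeps a hit counter. The class and rule names, tags and addresses are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Flow:
    src_ip: str
    dst_ip: str
    proto: str   # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    src_tag: str
    dst_tag: str
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, src_tag: str, dst_tag: str, flow: Flow) -> bool:
        return (self.src_tag == src_tag and self.dst_tag == dst_tag
                and self.proto in (None, flow.proto)
                and self.dport in (None, flow.dport))

class GbpEnforcer:
    """Models one access switch or AP: tags learned at auth time, first-match rules."""
    def __init__(self, rules, default: str = "allow"):
        self.rules, self.default = list(rules), default
        self.tags = {}          # endpoint IP -> group tag returned by RADIUS
        self.hits = Counter()   # per-rule hit counter, as shown on the dashboard

    def radius_auth(self, ip: str, tag: str) -> None:
        self.tags[ip] = tag     # real deployments also propagate the tag to neighbours

    def evaluate(self, flow: Flow) -> str:
        # Lookup is by tag only; the VLAN or subnet of either endpoint is never consulted
        src = self.tags.get(flow.src_ip, "untagged")
        dst = self.tags.get(flow.dst_ip, "untagged")
        for i, rule in enumerate(self.rules):
            if rule.matches(src, dst, flow):
                self.hits[i] += 1
                return rule.action
        return self.default

def demo() -> tuple:
    sw = GbpEnforcer([Rule("camera", "camera", "deny")])  # cameras may not talk to each other
    for ip, tag in (("10.0.1.10", "camera"), ("10.0.1.11", "camera"), ("10.0.1.20", "employee")):
        sw.radius_auth(ip, tag)
    video = Flow("10.0.1.20", "10.0.1.10", "udp", 5004)   # constructed sample video stream
    before = sw.evaluate(video)
    # Dashboard policy update: employees may reach cameras only over TCP/443
    sw.rules = [Rule("camera", "camera", "deny"), Rule("employee", "camera", "allow", "tcp", 443),
                Rule("employee", "camera", "deny")]
    after = sw.evaluate(video)
    cam_to_cam = sw.evaluate(Flow("10.0.1.10", "10.0.1.11", "tcp", 22))  # same VLAN, still denied
    return before, after, cam_to_cam, dict(sw.hits)
```

All three endpoints sit in one subnet, so the camera-to-camera deny is an intra-VLAN block decided purely from tags.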
Personnel: Abhi Shamsundar