Network Segmentation in the Era of Zero Trust

By Phil Wightman, Systems Architect – Network & NAC

Let’s talk about network segmentation. We’ve been carving up networks since the dawn of VLANs and somehow, we’re still struggling with the basics while vendors promise us securely segmented nirvana. Reality differs from white papers, so here’s what’s happening in real networks versus what slide decks tell you.

Why We Still Care About Segmentation

Segmentation isn’t sexy or easy, but it’s essential. Most breach post-mortems in the last decade come back to the same issue: flat networks where attackers move laterally like they own the place. We segment for three primary reasons that haven’t changed:

Contain the blast radius – Limit lateral movement when breaches occur. When something goes wrong, segmentation prevents attackers from moving freely across your entire network. It’s damage control.

Meet compliance requirements – Satisfy regulatory and audit requirements (PCI DSS, HIPAA, etc.) that mandate separation between different types of data and systems. Auditors actually check this stuff.

Isolate risky/untrusted devices – Keep IoT devices, guest users and other potentially insecure endpoints from accessing critical resources. Your smart thermostat doesn’t need access to your financial systems.

The problem? We’ve been solving this with increasingly complex band-aids instead of addressing the root issue: networks don’t understand identity.


The Old Guard: VLANs, Subnets and VRFs

Every network engineer has scars from VLAN sprawl. You know the story: start with a clean design, then watch it mutate as every department needs “just one more VLAN.” Before you know it, you are managing hundreds of VLANs with ACLs that nobody remembers the reason for, so you end up checking hit counters to see whether those ACLs still match anything at all.

Layer 3 segmentation with subnets seemed cleaner, but we just moved the complexity up to firewalls and routers. VRFs? They’re great for multi-tenancy but challenging for inter-VRF communication. There are organizations with VRF designs so convoluted that troubleshooting requires a PhD in network archaeology. Networks like this were usually architected by someone studying for a certification exam, firing up all the bells and whistles to make sure they understood them before test day.

Then came basic overlays. GRE and CAPWAP centralized everything through controllers, which worked until you hit scale limits and watched latency spike. Hair-pinning traffic through a central point can be like forcing everyone through a single doorway during a fire drill. That said, some shops pull this off well with the right design and execution, but it’s harder than it looks.

The New Guys: VXLAN & Microsegmentation

VXLAN deserves a lot of credit because it solved the scale problem. Encapsulating Layer 2 over Layer 3 means you can have millions of segments and mobility across sites. But here’s the thing, VXLAN alone doesn’t solve security. It’s plumbing, not policy.

Microsegmentation is the hot topic, but it’s essentially segmentation with better granularity. Instead of broad strokes (all printers, all users, guests, etc.), you’re defining access per device or workload, even between endpoints on the same VLAN. The concept isn’t new, but the ability to actually implement it at scale is.

What HPE Aruba Brings

HPE Aruba’s take adds what’s been missing: identity-based segmentation that follows users and devices. Both ClearPass and Aruba Central can assign roles dynamically based on who or what connects. Connect your laptop anywhere, in the conference room, at your desk or at the branch office, and the same policy applies. No more “which VLAN should this port be on?” discussions.
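As an added illustration (not code from the original post, from HPE Aruba, or from ClearPass/Central), here is a small Python model of the two approaches the text contrasts: a location-based subnet ACL that only knows IPs and VLANs, beside a default-deny role policy that follows identity. It also covers the microsegmentation point above: two endpoints on the same VLAN get different answers. All endpoint names, roles, VLAN ids and addresses are constructed.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    identity: str   # constructed: what 802.1X / device profiling identified
    role: str       # role assigned at connect time from that identity
    vlan: int
    ip: str


# Legacy, location-based control (constructed): "user VLAN subnet may reach
# the finance subnet". Anything else crossing a router boundary is denied.
LEGACY_ACL = [(ipaddress.ip_network("10.10.0.0/24"),
               ipaddress.ip_network("10.50.0.0/24"))]


def legacy_allowed(src: Endpoint, dst: Endpoint) -> bool:
    if src.vlan == dst.vlan:
        return True  # same VLAN: switched locally, no ACL in the path at all
    s, d = ipaddress.ip_address(src.ip), ipaddress.ip_address(dst.ip)
    return any(s in sn and d in dn for sn, dn in LEGACY_ACL)


# Identity-based control (constructed): explicit role pairs, default deny,
# evaluated regardless of which VLAN or subnet the endpoint landed in.
ROLE_POLICY = {("employee", "finance-app"), ("employee", "printer"),
               ("iot-thermostat", "iot-controller")}


def role_allowed(src: Endpoint, dst: Endpoint) -> bool:
    return (src.role, dst.role) in ROLE_POLICY


# Constructed endpoints. The thermostat sits on a spare port in the user VLAN;
# the same employee identity shows up at HQ and at a branch office.
FINANCE = Endpoint("finance-app-01", "finance-app", 50, "10.50.0.10")
PRINTER = Endpoint("printer-hq-3", "printer", 10, "10.10.0.200")
THERMOSTAT = Endpoint("thermostat-lobby", "iot-thermostat", 10, "10.10.0.77")
ALICE_HQ = Endpoint("alice", "employee", 10, "10.10.0.15")
ALICE_BRANCH = Endpoint("alice", "employee", 210, "10.210.0.15")


def compare(src: Endpoint, dst: Endpoint) -> dict:
    """Return both verdicts so the difference is visible side by side."""
    return {"legacy": legacy_allowed(src, dst), "role": role_allowed(src, dst)}
```

The thermostat reaching the finance app (legacy allows, role denies) is the blast-radius case; the employee at the branch (legacy denies, role allows) is the policy-follows-identity case; thermostat to printer on the same VLAN is the microsegmentation case.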

The HPE Aruba CX 10000 with its Pensando DPU brings distributed security at the top of rack and campus core. Instead of hair-pinning east-west traffic to a firewall three racks away or all the way back to the datacenter, you’re doing inspection where the traffic lives. This is common sense finally catching up with data center and campus design.

Their Application Recognition and Control (ARC) provides Layer 7 visibility for application-aware policies. Drop TikTok, prioritize Teams, throttle BitTorrent, whatever your requirements are. Unlike traditional approaches that require backhauling to centralized inspection points, Aruba CX switches bring DPI capabilities directly to the access layer. Application identification and enforcement happen where users connect, not three hops away. The telemetry export to Central or your SIEM means you can prove to auditors that policies actually work.

Is it perfect? No. You still need to define roles and policies upfront, which requires thinking through your segmentation strategy. But it beats managing thousands of static VLAN assignments and ACLs.

The Reality of Zero Trust

Let me save you from a dozen vendor pitches: Zero Trust isn’t a product. Any vendor claiming to sell you a “Zero Trust solution” is full of it. Zero Trust is a methodology. Verify everything, trust nothing, enforce everywhere.

Aruba’s framework makes Zero Trust operational by:

  • Using identity as the foundation (not IP addresses)
  • Distributing enforcement across the fabric (not centralizing everything)
  • Providing visibility into what’s actually happening (not just what should happen)


What This Means for Your Network

If you’re still managing static VLANs and fighting ACL sprawl, dynamic segmentation will feel like moving from dial-up to broadband. But don’t expect miracles. You still need to:

  1. Define your segmentation strategy – The tools don’t do this for you
  2. Map out roles and policies – Takes time and political capital
  3. Test thoroughly – Production always finds edge cases
  4. Train your team – New tools require new skills

Bottom Line

Network segmentation has evolved from static VLANs to dynamic, identity-driven enforcement. The technology finally exists to make Zero Trust practical instead of theoretical. Whether you go with HPE Aruba’s approach or another vendor’s, the shift from location-based to identity-based networking isn’t just another trend. It’s an acknowledgment that our networks need to be as dynamic as the threats they face.

Is any single approach perfect? Definitely not. But it’s a hell of a lot better than managing thousands of static VLANs and hoping your ACLs are right.

And honestly? It’s about time.
