The proponents of microsegmentation solutions would love you to believe that it takes no more than somewhat-stateful packet filters sitting in front of the VMs to get rid of traditional subnets. As I explained in my IPv6 Microsegmentation talk (links below), you need more if you want to have machines from multiple security domains sitting in the same subnet – from RA guard to DHCPv6 and ND inspection.
It’s also possible to solve the problem by reducing the size of layer-2 domains to what they were initially supposed to be: links between adjacent nodes (host-to-router links). Would that work in a data center environment supporting VM mobility? Watch the video from the IPv6 microsegmentation webinar to find out.
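The three first-hop controls named above (RA guard, DHCPv6 guard and ND inspection), modelled in Python as an added example that is not part of the post or the webinar configurations: a per-port policy permits Router Advertisements and DHCPv6 server messages only from router ports, and checks every Neighbor Advertisement against a snooped address-to-MAC binding table. Port names, MAC addresses and IPv6 addresses are constructed.

```python
from dataclasses import dataclass, field

SERVER_MSGS = {"DHCPv6-ADVERTISE", "DHCPv6-REPLY"}   # server-role DHCPv6 messages

@dataclass
class Policy:
    router_ports: set                                # ports allowed to send RAs / DHCPv6 server replies
    bindings: dict = field(default_factory=dict)     # (port, mac) -> set of IPv6 addresses snooped there

    def learn(self, port, mac, addr):
        """Record an address seen via DHCPv6 or DAD snooping on a host port."""
        self.bindings.setdefault((port, mac), set()).add(addr)

@dataclass
class Frame:
    port: str          # ingress (virtual) switch port
    src_mac: str
    kind: str          # "RA", "DHCPv6-*", "NA", "DATA"
    target: str = ""   # address advertised by a Neighbor Advertisement

def inspect(frame, policy):
    """Return (verdict, reason); 'drop' means the frame breaks the per-port policy."""
    if frame.kind == "RA" and frame.port not in policy.router_ports:
        return "drop", "RA guard: RA from non-router port"
    if frame.kind in SERVER_MSGS and frame.port not in policy.router_ports:
        return "drop", "DHCPv6 guard: server message from non-router port"
    if frame.kind == "NA" and frame.port not in policy.router_ports:
        bound = policy.bindings.get((frame.port, frame.src_mac), set())
        if frame.target not in bound:
            return "drop", f"ND inspection: {frame.target} not bound to {frame.port}/{frame.src_mac}"
    return "permit", "ok"

def run(frames, policy):
    return [inspect(f, policy)[0] for f in frames]

# Constructed scenario: one router uplink, two tenants' VMs sharing the same subnet.
POLICY = Policy(router_ports={"uplink0"})
POLICY.learn("vnic-a1", "52:54:00:aa:00:01", "2001:db8:1::a1")
POLICY.learn("vnic-b1", "52:54:00:bb:00:01", "2001:db8:1::b1")

SAMPLE = [
    Frame("uplink0", "00:00:5e:00:01:01", "RA"),                    # legitimate RA from the router
    Frame("vnic-b1", "52:54:00:bb:00:01", "RA"),                    # RA originating from a tenant VM
    Frame("vnic-b1", "52:54:00:bb:00:01", "DHCPv6-ADVERTISE"),      # tenant VM acting as DHCPv6 server
    Frame("vnic-b1", "52:54:00:bb:00:01", "NA", "2001:db8:1::a1"),  # tenant B answering for A's address
    Frame("vnic-a1", "52:54:00:aa:00:01", "NA", "2001:db8:1::a1"),  # owner's own NA, matches binding
]

if __name__ == "__main__":
    for f, v in zip(SAMPLE, run(SAMPLE, POLICY)):
        print(f"{f.port:8} {f.kind:18} {v}")
```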
It looks like I’m the only one talking about IPv6 microsegmentation – all the top hits on Google are links to one or another version of my presentation:
- IPv6 microsegmentation webinar (the most extensive version which also includes sample device configurations)
- Troopers presentation and video
- Interop 2015 presentation and Scott Lowe’s summary
- Go6 presentation
There’s another CliffsNotes version of my webinar floating around the Internet, but as the author took great care to mention me only in passing without including any links whatsoever, I won’t link to his version either. Happy hunting.