Local segmentation and isolation of endpoints
There are multiple ways to deploy a Gateway, depending on the Gateway addressing mode used and the physical connectivity available between the Gateway and the endpoints. The various options are explained below.
Endpoint segmentation and isolation options using a managed switch
With a managed switch in port isolation mode, you can use the MAC or Destination NAT addressing mode to provide local segmentation of endpoints. Of these, Destination NAT is the only mode that retains the existing endpoint IP addresses. Alternatively, VLAN mode can be used with a dedicated VLAN per switch port.
Gateway Addressing Mode | Gateway deployment | Endpoint Switch | Downstream isolation (cloaking) of endpoints | Local segmentation of endpoints | Impact to local IP addressing |
---|---|---|---|---|---|
Destination NAT | In line. Endpoints connected via switch. | Managed switch in port isolation mode. | Yes | Yes | No change to endpoint IP addresses. |
MAC | In line. Endpoints connected via switch. | Managed switch in port isolation mode. | Yes | Yes | Endpoint IP addresses will change. |
VLAN | In line. Endpoints connected via switch. | Managed switch with dedicated VLAN per port | Yes | Yes | VLAN tags are added. Endpoint IP address will change. |
Endpoint segmentation and isolation options using an unmanaged switch
With an unmanaged switch, either of the NAT addressing modes may be used, but there is no local segmentation of endpoints, because the switch cannot isolate its ports from one another.
Gateway Addressing Mode | Gateway deployment | Endpoint Switch | Downstream isolation (cloaking) of endpoints | Local segmentation of endpoints | Impact to local IP addressing |
---|---|---|---|---|---|
Destination NAT | In line. Endpoints connected via switch. | Unmanaged switch | Yes | No | No change to endpoint IP addresses. |
Source+Destination NAT | Out of line | Unmanaged switch | No | No | No change to endpoint IP addresses. |
Endpoint segmentation and isolation using an appliance with a dedicated downstream interface per endpoint
When the Gateway appliance has enough downstream ports to give each endpoint its own interface, all addressing modes can be used to achieve local segmentation.
Gateway Addressing Mode | Gateway deployment | Downstream isolation (cloaking) of endpoints | Local segmentation of endpoints | Impact to local IP addressing |
---|---|---|---|---|
Destination NAT or Source+Destination NAT | In line. Endpoints directly connected to Gateway | Yes | Yes | No change to endpoint IP addresses. |
MAC | In line. Endpoints directly connected to Gateway | Yes | Yes | Endpoint IP addresses will change. |
VLAN | In line. Endpoints directly connected to Gateway | Yes | Yes | VLAN tags are added. Endpoint IP address will change. |