Traffic Segregation was introduced in 7.2R1 and is only available on Virtual Appliances. It gives service providers the option of sending AAA traffic over the management port instead of the internal port, so that the provider's own AAA infrastructure can be hosted on a different network from its customers' AAA infrastructure.
When this option is enabled, the device sends all AAA traffic via the management port. The following traffic is sent through the management port when traffic segregation is enabled:
- Active Directory
- Certificate authentication including CRL / OCSP verification
- AAA DNS Traffic
- System logging (syslog)
Traffic segregation does not support NIS or ACE authentication servers.
Special consideration is needed for customers using certificate authentication with CRL or OCSP validation:
If CRL or OCSP validation is enabled together with traffic segregation, the CRL download and OCSP query traffic is treated as AAA traffic and sent through the management port. If the CRL distribution point or OCSP responder is not reachable from the management network, end users will fail authentication because the revocation check fails, even though the certificate itself is valid.
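Because an unreachable CRL distribution point or OCSP responder turns into an authentication outage for every certificate user, it is worth confirming reachability from the management network before enabling the feature. The script below is an added example written for this page, not Pulse Secure code and not something that runs on the appliance itself: it is meant to be run from an administrator host that has an interface on the management network (the interface name MGMT_IF, defaulting to eth1, is a hypothetical placeholder), and assumes openssl 1.1.1 or later and curl. It reads the CRL distribution point and OCSP URIs out of the CA (or end-entity) certificate you use for certificate authentication and tests each URL with the source bound to the management interface, which mirrors the path the appliance will use once segregation is on.

```shell
#!/bin/sh
# Pre-flight check before enabling Traffic Segregation: every CRL distribution
# point and OCSP responder referenced by a certificate must be reachable from
# the management network, or certificate authentication will fail.
# Added example, not vendor code. Assumes openssl >= 1.1.1 and curl on a host
# with an interface on the management network. MGMT_IF is a hypothetical
# interface name; override it to match your host.

MGMT_IF="${MGMT_IF:-eth1}"

# Return the host part of an http(s) URL (offline helper, used for reporting).
url_host() {
    printf '%s\n' "$1" | sed -E 's#^[A-Za-z]+://([^/:]+).*$#\1#'
}

# Print the OCSP responder and CRL distribution point URIs from a PEM cert,
# one per line. -ocsp_uri reads the AIA extension; the CRL DPs are parsed
# from the printed crlDistributionPoints extension.
revocation_urls() {
    openssl x509 -in "$1" -noout -ocsp_uri
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
        | sed -nE 's/.*URI:([^[:space:]]+).*/\1/p'
}

# Test that a URL answers over HTTP when the connection originates from the
# management interface. Any HTTP status counts as reachable (OCSP responders
# commonly reject a bare GET); only connect/DNS/timeout failures are errors.
reachable_via_mgmt() {
    curl --interface "$MGMT_IF" --connect-timeout 5 -sS -o /dev/null "$1"
}

# Check every revocation URL in one certificate; returns non-zero on any failure.
check_cert() {
    cert="$1"
    failed=0
    for url in $(revocation_urls "$cert"); do
        if reachable_via_mgmt "$url"; then
            printf 'OK    %s (%s) via %s\n' "$url" "$(url_host "$url")" "$MGMT_IF"
        else
            printf 'FAIL  %s (%s) not reachable via %s\n' "$url" "$(url_host "$url")" "$MGMT_IF" >&2
            failed=1
        fi
    done
    return "$failed"
}

# Usage: sh check_revocation_paths.sh ca.pem [more.pem ...]
rc=0
for c in "$@"; do
    check_cert "$c" || rc=1
done
exit "$rc"
```

A FAIL line for any URL means that enabling traffic segregation with CRL or OCSP validation will break certificate logins until that endpoint is reachable from the management network, or until the CRL/OCSP service is moved there. Remember that the appliance also resolves these hostnames through the management port once segregation is on, so the DNS servers configured for the management network must resolve them as well.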
Another option is to keep the service provider's customer network on the Default Network and the internal interface, and to configure an Administrative Network for the service provider's administrator access via the management port. See Configuring AAA Traffic Through Both the Internal and Management Ports for more details.