Aruba Dynamic Segmentation

Aruba BLOG

Anybody with experience configuring Aruba Mobility Controllers would be aware of how powerful the inbuilt DPI (Deep Packet Inspection) capable stateful firewall is. In a wireless infrastructure, majority of the time, the access points are deployed in tunnel mode which means all client traffic is tunnel from the AP to the controller via GRE encapsulation. The client traffic is decapsulated at the controller and then run through the policies in the user role which could contain rules drilling all the way down to the application layer. The traffic may then be permitted or denied based on the policy configuration. Since the inbuilt firewall is both powerful and efficient, this removes the need for an external enterprise grade firewall which is good news for your WiFi network. However, what about the traffic from your wired clients like IP phones, iOT devices and laptops?


Dynamic Segmentation simplifies and secures wired and wireless networks by establishing the Mobility Controller as a unified policy enforcement engine. Traffic from AP’s and switches are encapsulated in GRE tunnels for inspection by the controller Policy Enforcement Firewall (PEF).



Key Benefits:


  • Removes the need for an external enterprise grade firewall
  • Unified and centralized policy management on the Aruba Mobility Controller for both wired and wireless clients
  • Dynamic application of polices for users no matter where they connect to on the network, be it any access switch or WiFi. In a nutshell – network follows the user
  • Save time configuring your access switches by pushing down the user role with VLAN mapping from the Clearpass Policy Manager


Technologies involved:


  • Per Port Tunneled Node (PPTN):

The PPTN concept involves configuring the controller as the tunneled node server on the switch so that a GRE tunnel is established from the switch to the mobility controller. However, the difference here is that client traffic would be tunneled from a port level and not a user role level. This means that irrespective of who the client connected to the port is or the role that he/she is placed in, the traffic would be tunnel from the switch to the controller.


  • Per User Tunneled Node (PUTN):


The PUTN concept involves configuring the controller as the tunnel node server on the switch just like we would do with PPTN. In addition to this, configure tunnel node redirect on the user role as a means of instructing the switch that traffic from all clients being placed in this role should be tunneled to the controller. Based on the traffic policies configured on the controller user-role, the data traffic from the wired client(s) would be permitted or denied. This is a more dynamic method compared to PPTN since the traffic would be tunneled for this client no matter which switch he/she connects to in the network as long as they are placed in the same role. This role can either be configured on the switch locally or can be downloaded from the Clearpass server once the client completes authentication. When Clearpass is integrated, the user role must be configured only once on the Clearpass server and will be downloaded on all access switches dynamically as and when the client(s) authenticate.

Scroll to Top