Martijn,
If you have good thoughts on how VXLAN on the APs would improve security, maintainability or other factors, please reach out to your local Aruba Team. With gateways (that can participate in VXLAN/GBP) you have a much simpler and more scalable solution that provides micro-segmentation, statefulness, role-role, but in addition application control/visibility, QoS. Management/monitoring is also much easier with a centralized data path. With bridged networks (AOS10), you can do quite some similar without gateways or VXLAN. Not sure why other vendors do this (can't speak for them, nor can I for Aruba), except for that it sounds reasonable or logical.
------------------------------
Herman Robers
------------------------
If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check
https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
In case your problem is solved, please invest the time to post a follow-up with the information on how you solved it. Others can benefit from that.
------------------------------
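As an added illustration (not from Herman's post, nor Aruba's or any vendor's own code): this is how the Group Policy ID that carries a client's role rides in the VXLAN header, and how the decapsulating tunnel endpoint (the gateway, in the design described above) applies a role-to-role policy. The header layout follows draft-smith-vxlan-group-policy; the role names, group IDs and permit table are constructed assumptions.

```python
# Added example: encode/decode a VXLAN-GBP header and apply role-to-role policy
# at the decapsulating tunnel endpoint. Header layout per draft-smith-vxlan-group-policy;
# role names, group IDs and the permit table below are constructed for illustration.
import struct

G_FLAG, I_FLAG = 0x80, 0x08   # byte 0: G = group policy ID present, I = VNI valid
D_FLAG, A_FLAG = 0x40, 0x08   # byte 1: D = don't learn source, A = policy already applied

def build_vxlan_gbp(vni: int, group_id: int, policy_applied: bool = False) -> bytes:
    """Return the 8-byte VXLAN header carrying a 16-bit Group Policy ID."""
    if not 0 <= vni < 1 << 24 or not 0 <= group_id < 1 << 16:
        raise ValueError("vni must be 24-bit, group_id 16-bit")
    flags1 = A_FLAG if policy_applied else 0
    return (struct.pack("!BBH", G_FLAG | I_FLAG, flags1, group_id)
            + vni.to_bytes(3, "big") + b"\x00")          # VNI (24 bits) + reserved byte

def parse_vxlan_gbp(hdr: bytes) -> dict:
    """Decode flags, group ID and VNI; group_id is None when the G bit is clear."""
    if len(hdr) < 8:
        raise ValueError("short VXLAN header")
    flags0, flags1, group_id = struct.unpack("!BBH", hdr[:4])
    if not flags0 & I_FLAG:
        raise ValueError("VNI not valid (I bit clear)")
    return {
        "vni": int.from_bytes(hdr[4:7], "big"),
        "group_id": group_id if flags0 & G_FLAG else None,
        "policy_applied": bool(flags1 & A_FLAG),
    }

# Constructed role table: the role assigned at authentication maps to a group ID.
ROLE_TO_GID = {"employee": 10, "iot-camera": 20, "printer": 30}
# Constructed role-to-role policy: (source group, destination group) pairs permitted.
# Employees reach each other and printers; cameras reach employees only; all else drops.
PERMIT = {(10, 10), (10, 30), (20, 10)}

def enforce_at_egress(hdr: bytes, dst_group: int) -> tuple:
    """Decapsulating endpoint: permit/drop from the carried group ID, then mark A bit."""
    info = parse_vxlan_gbp(hdr)
    if info["group_id"] is None:
        return "drop", hdr                    # untagged frame: fail closed
    if info["policy_applied"]:
        return "permit", hdr                  # an upstream hop already enforced policy
    verdict = "permit" if (info["group_id"], dst_group) in PERMIT else "drop"
    return verdict, build_vxlan_gbp(info["vni"], info["group_id"], policy_applied=True)
```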
Original Message:
Sent: Jul 10, 2024 02:02 PM
From: mvanoverbeek
Subject: VXLAN GBP deployment and access-points
I think I found my answer in this document https://www.arubanetworks.com/techdocs/central/2.5.6/content/pdfs/aruba-central-netconductor.pdf
It states that the wireless infrastructure does not participate in the GBP-enabled microsegmentation solution, and that all traffic is tunneled to the Gateways.
I hope that Aruba will follow other vendors and allow APs to participate in the VXLAN fabric/role enforcement to allow for more optimal traffic flows.
------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company
Original Message:
Sent: Jul 10, 2024 12:06 PM
From: mvanoverbeek
Subject: VXLAN GBP deployment and access-points
I am trying to understand how Aruba does a VXLAN-based microsegmentation solution and am getting stuck on understanding how the solution integrates with access points. I think I 'get' how role assignment takes place when accessing the network in conjunction with ClearPass and the provisioning in Aruba Central with NetConductor, but I do not understand how this works on the access points.
Assuming the access point is the NAS/NAD which communicates with ClearPass, how do the Edge devices learn about the role of a wireless client? Is the solution to tunnel all users to the gateway?
Hope someone can point me to a deep-dive document that runs through the architecture.
------------------------------
Martijn van Overbeek
Architect, Netcraftsmen a BlueAlly Company
------------------------------