Software Defined WAN (SD-WAN)

New Contributor

SD-Branch AP connected to BGW or Switch and Dynamic Segmentation

For SD-Branch, dynamic segmentation is the key. The switch side seems simple, and we use "user based tunneling" + ClearPass with tunnel termination on the local BGW.

For the wireless part I have some questions, since we don't have a wireless controller terminating tunnels and dynamic segmentation the same way as in a campus deployment...

1) When we connect the AP to the switch in the branch, is the port configured for port tunnel or user tunnel?

2) Since we don't have a tunnel from AP to BGW (CAP AP), how can we have dynamic segmentation on the Wi-Fi, micro-segmentation, and control of east-west traffic inside Wi-Fi and from Wi-Fi to switch? Any reference document to help...

3) Where do we configure the policies? On the BGW or the AP, and what are the recommendations?

4) If we have a remote site with a BGW and an unmanaged switch (or a third-party one) connected to the BGW, where should I connect the AP? BGW or switch? What level of control can I have in each case for the Wi-Fi users, mainly if connected as AP-->unmanaged switch-->BGW port?



Aruba Employee

Re: SD-Branch AP connected to BGW or Switch and Dynamic Segmentation



1) Usually, port-based tunneling is the recommended option for the branches as it simplifies the deployment. All your ports will be tunneled to the gateway except the uplink port. You will use device profiles to auto-associate different port profiles to IAPs. One sample switch configuration is posted here


I suggest you check pages 226-227 in the SD-Branch fundamental guide.


2) Since you will be using port-based tunneling, all your traffic will be forwarded to the gateway. You will be applying the policies there, and it will act as the firewall for all traffic.


3) Your device will be assigned a role on the AP and on the gateway. You thus have the flexibility to apply policies at either. Usually, applying policies at the gateway is easier.


4) Usually unmanaged switches don't support VLAN tagging, so if you need to have multiple VLANs for your different SSIDs, you will not be able to do it. In that case, it might be better to connect your IAPs directly to the gateways. The gateways' LAN ports will be configured as untrusted...




Re: SD-Branch AP connected to BGW or Switch and Dynamic Segmentation

How do I apply gateway profiles to a wireless user? I guess it's a different VSA from Aruba-User-Role?


If we want to limit wireless <-> wireless traffic, this needs to be done in the AP roles, and it's not possible to send the traffic to the gateway for processing? In the case where users have the same wireless role.

New Contributor

Re: SD-Branch AP connected to BGW or Switch and Dynamic Segmentation

Hello Ayman and community,


1) I checked the fundamentals guide; it is well documented for SD-WAN, but out of 229 pages only two are on SD-Branch!!!!

It mentions "The configuration requirements for port-based tunneling in the branch is provided in a separate tech note that includes the details for configuring the ArubaOS switches, gateways, and the policies in Aruba ClearPass"


1.1) Where is this document? Any document detailing the full configuration on the Wi-Fi side for SD-Branch?


1.2) For the switch side, with port tunnel or user tunnel and ClearPass, I see some documents and info, but for the Wi-Fi side in the branch I can't find a clear document with the full design architecture and recommendations. Also, there are additional challenges like stateful dot1x to intercept ClearPass roles on the Wi-Fi side... Is there any document covering the full architecture with examples, configuration and best practices? I can't find it, and to me it seems urgent to document it and share it. Anyone?


1.3) For SD-Branch with ClearPass centrally, I believe that user-based tunneling is always preferred, but for the ports where we have APs connected, again my doubt is about the recommendation and config?


4) Ok. I agree to connect to the BGW, but in many cases we have small branches where we put the 4-port 9400 BGW, and customers with Aruba APs and an unmanaged switch or other switches that don't support port tunneling. Also, the BGW 9400's 4 ports don't have PoE...

In that case, I would like to at least have some control and/or visibility on the wireless side and what is connected.


4.1) Can I configure the APs like IP-VPN or similar so all Wi-Fi traffic is tunneled to the BGW and the overlay, and put the policies there?


4.2) Also, we have 32x sessions possible on switch ports and maybe on the BGW. Can we use that in some way to get the result? Limitations?


4.3) At least, in the end, I would say that we can get visibility/fingerprinting of devices connected behind an unmanaged switch, if nothing else? Ideas on what we can do at this level and in such a scenario?



