Wireless Access

Occasional Contributor II

Mobility controller vlan

Hi guys,


Let me first wish a merry christmas to all of you!

Well, I'm about to propose a WLAN solution based on Aruba Networks equipment. I would like to have a setup where the mobility controller would just handle the management of the APs (RF, Wi-Fi security, transmission power, etc.), so this traffic (communication between APs and the controller) would be carried by the MANAGEMENT VLAN.

On the other hand, the users would get their IP address from a router/firewall (the default gateway), and the user traffic (data traffic) will be forwarded directly to the router that acts as the default gateway; this traffic will be carried by the USER VLAN.

In other words, I don't want the controller to be in the path of the user traffic. I've read the Aruba mobility controller VRD but did not find (or did not understand :)) this kind of setup.


1) Is it possible to have this configuration?

2) If so, does it have a specific name? Is there any document that explains it?


I've attached a figure that shows what I'm asking about. (You will see that the controller is not physically on the path of the user traffic.)


Many thanks in advance for your help!!!


Super Contributor II

Re: Mobility controller vlan

Without going into details, what you are proposing is a bridge mode SSID. If you read up on this in the user guide it should help. If you need more specifics, please post for further details.

Contributor I

Re: Mobility controller vlan

Yes, it is possible. You can make a USER VLAN with no IP. Map the SSID VAP profile to the user VLAN and ensure you have the user VLAN in the trunk / uplink of your controller.

The controller will only have one mgmt ip which is also the controller ip on the MGMT VLAN. Same as AP VLAN.

This way the user default gateway will be your firewall, and the wireless user will go straight to the firewall through the controller, assuming all the authentication and routing is correct with DHCP in place on your USER VLAN / network.

This type of deployment is called a layer 2 deployment.

Valued Contributor II

Re: Mobility controller vlan

Hi friend,


Your requirement can be justified by using Aruba L2 deployment model.


Client traffic will hit the controller when you bring up an SSID in tunnel mode (client traffic will go through the GRE).

If you bring up the SSID in bridge mode, client traffic will not directly hit the controller, because in bridge mode there will not be any GRE for that BSSID.


You can choose the bridge mode as shown below.

If the SSID is in bridge mode, the controller will be in the L2 deployment:

You can choose the VLAN for that client traffic as shown below.



So once a client associates to the SSID (bridge mode), it will send a DHCP discovery in the mapped VLAN.


If you have configured the IP helper properly on the gateway, the client will get its IP from the respective VLAN.


Therefore, here the controller is just taking care of the APs, nothing else.


Hope you got clarity on this.


Please feel free to ask for any further help on this.

Venu Puduchery,
[Has my post helped you? Give Kudos :) ]
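As an added illustration (not configuration posted by anyone in this thread), here is what the bridge-mode virtual AP and user-VLAN mapping described above look like in ArubaOS 6.x CLI, with the default tunnel-mode VAP alongside for contrast. Profile names, VLAN IDs, addresses and the port number are assumptions; the AAA profile is assumed to exist already.

```text
! Constructed ArubaOS 6.x example; all names, VLAN IDs, addresses and ports are assumptions.
!
! User VLAN exists on the controller only as a layer-2 VLAN (no "interface vlan 20",
! no IP address), so the upstream router/firewall stays the clients' default gateway.
vlan 20
!
! Management / AP VLAN: the only VLAN the controller addresses. It carries
! controller<->AP control traffic, nothing from wireless users.
vlan 10
interface vlan 10
   ip address 10.0.10.5 255.255.255.0
!
! SSID settings shared by both forwarding modes below.
wlan ssid-profile "BRANCH-USERS-SSID"
   essid "BRANCH-USERS"
   opmode wpa2-aes
!
! Bridge-mode VAP (the setup asked for in this thread): the AP bridges client
! frames straight onto VLAN 20 on its own wired uplink, and no GRE tunnel is
! built to the controller for this BSSID. Consequence for the defender: the
! controller's stateful firewall and session visibility do not see these
! clients, so filtering and monitoring must happen on the switch/firewall.
wlan virtual-ap "BRANCH-USERS-BRIDGE"
   ssid-profile "BRANCH-USERS-SSID"
   aaa-profile "BRANCH-USERS-AAA"
   vlan 20
   forward-mode bridge
!
! Tunnel-mode alternative (ArubaOS default): identical SSID, but client frames
! ride a GRE tunnel to the controller, which applies role-based policy before
! placing them on VLAN 20. The controller is then in the user data path.
wlan virtual-ap "BRANCH-USERS-TUNNEL"
   ssid-profile "BRANCH-USERS-SSID"
   aaa-profile "BRANCH-USERS-AAA"
   vlan 20
   forward-mode tunnel
!
! Apply the bridge-mode VAP to the branch APs.
ap-group "BRANCH-1"
   virtual-ap "BRANCH-USERS-BRIDGE"
!
! Outside the controller (not ArubaOS): the switch port each AP plugs into must
! trunk VLAN 20 (VLAN 10 native) so bridged frames reach the gateway, and the
! gateway needs a DHCP relay / IP helper on VLAN 20 for the DHCP discover above.
! Verify the profile on the controller with: show wlan virtual-ap "BRANCH-USERS-BRIDGE"
```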

Re: Mobility controller vlan

As you know, the mobility controller can act as a layer 2 or layer 3 switch.

If you want to use the router as the default gateway you can; the controller then acts as a bridge (wireless L2 switch), but in this case the traffic will go to the controller and then to the core switch, because the traffic will be encapsulated in a GRE tunnel.

The bridge forward mode is not very useful because you lose the visibility of the traffic; it is generally used for "domestic traffic" and not for the professional.

ICT Network & Security Engineer

[If my post is helpful please give kudos, or mark as solved if it answers your post.]

Occasional Contributor II

Re: Mobility controller vlan

Hi Guys,


Thank you for your answers. I see that the bridge mode is not really a recommended option, as I'm going to lose traffic visibility and will have to handle all the security stuff on my own.


Actually, I'm about to propose a solution for an Aruba WLAN network across many branches (6 locations). Each one of them will have about 30 APs for proper radio coverage, and I was a bit confused regarding the forwarding mode that I should be using. I'm hesitating between two options:

1) Having a local controller on each location (branch) for the 30 APs: that would be easy to deploy but will be a quite costly option, as I will need 6 controllers.

2) Having one (or two) centralized controllers for all the branches: in this case, I think that the bridge mode will be useful, as the user traffic would not have to flow through the controller.


I don't consider using the RAP option.


What deployment model do you suggest, guys? Has anyone deployed an architecture like this before??


Many thanks again for your help!!

Valued Contributor II

Re: Mobility controller vlan



For your deployment, master-local is the ideal setup because you are going to deploy about 30 APs at each location.

If you are looking for a cost-effective solution, go with an IAP deployment at each location, and if you want centralised authentication, bring up a VPN between the IAP cluster and the controller.


Please feel free for any further query on this.

Venu Puduchery,
[Has my post helped you? Give Kudos :) ]

Re: Mobility controller vlan

It also depends on what your traffic flows are. Where are the resources and internet breakout located? If everything (including internet) goes to the central site, then it is perfectly reasonable to have just the central controller and tunnel everything.


As Venu mentioned, the IAP with VPN to a central controller is also another solution worth considering, if you need things like local internet breakout.

If my post is helpful please give kudos, or mark as solved if it answers your post.

ACCP, ACCX #817, ACMP, ACMX #294

Re: Mobility controller vlan


I think that the local/master architecture is the best for your case, because you will manage all the APs from the master, you will get global visibility of all your WLAN networks, and there will only be parameter and synchronization traffic exchanged between the master and the local controllers.

If you choose the RAP option you will need a lot of bandwidth (if we suppose that every RAP needs 2 Mbps, you will need 60 Mbps per branch office, and 60 Mbps for each branch office at the HQ).

IAP with AirWave can be a good solution if it costs less, but I'm not sure :)


Regards



ICT Network & Security Engineer

[If my post is helpful please give kudos, or mark as solved if it answers your post.]