Wired Intelligent Edge

I am trying to understand how Aruba does a VXLAN-based microsegmentation solutions and getting stuck understanding how  the solution integrates with access-points. I think I 'get' how role assignment takes place when accessing the network in conjunction with Clearpass and the provisioning in Aruba Central with Netconductor, but I do not understand how this works on the access-points.

Assuming the Access-point is the NAS/NAD which communicates with Clearpass, how do the Edge devices learn about the role of a Wireless client? Is the solution to tunnel all users to the gateway. 

Hope someone can point me to a deepdive document that runs through the architecture. 

I think I found my answer in this document https://www.arubanetworks.com/techdocs/central/2.5.6/content/pdfs/aruba-central-netconductor.pdf

It states that the Wireless infrastructure is not participating in the GBP enabled microsegmentation solution. And that all traffic is tunneled to the Gateways.

I hope that Aruba will follow other vendors and does allow for APs to participate in the VXLAN fabric/role enforcement to allow for more optimal traffic flows.

I am trying to understand how Aruba does a VXLAN-based microsegmentation solutions and getting stuck understanding how  the solution integrates with access-points. I think I 'get' how role assignment takes place when accessing the network in conjunction with Clearpass and the provisioning in Aruba Central with Netconductor, but I do not understand how this works on the access-points.

Assuming the Access-point is the NAS/NAD which communicates with Clearpass, how do the Edge devices learn about the role of a Wireless client? Is the solution to tunnel all users to the gateway. 

Hope someone can point me to a deepdive document that runs through the architecture. 

Martijn,

If you have a good thoughts how VXLAN on the APs would improve security, maintainability or other factors, please reach out to your local Aruba Team. With gateways (that can participate in VXLAN/GBP) you have a much simpler and more scalable solution that provides micro-segmentation, statefullness, role-role, but in addition application control/visibility, QoS. Management/monitoring is also much easier with a centralized data path. With bridged networks (AOS10), you can do quite some similar without gateways or VXLAN. Not sure why other vendors do this (can't speak for them, nor I can for Aruba), except for that it sounds reasonable or logical.

I think I found my answer in this document https://www.arubanetworks.com/techdocs/central/2.5.6/content/pdfs/aruba-central-netconductor.pdf

It states that the Wireless infrastructure is not participating in the GBP enabled microsegmentation solution. And that all traffic is tunneled to the Gateways.

I hope that Aruba will follow other vendors and does allow for APs to participate in the VXLAN fabric/role enforcement to allow for more optimal traffic flows.

I am trying to understand how Aruba does a VXLAN-based microsegmentation solutions and getting stuck understanding how  the solution integrates with access-points. I think I 'get' how role assignment takes place when accessing the network in conjunction with Clearpass and the provisioning in Aruba Central with Netconductor, but I do not understand how this works on the access-points.

Assuming the Access-point is the NAS/NAD which communicates with Clearpass, how do the Edge devices learn about the role of a Wireless client? Is the solution to tunnel all users to the gateway. 

Hope someone can point me to a deepdive document that runs through the architecture.