Link Search Menu Expand Document
calendar_month 25-Apr-24

Table of contents

Architecture Overview

The Aruba Edge Services Platform (ESP) Campus enables the design of flexible and highly reliable networks that ensure efficient access to applications and data for all authorized users while simplifying operations and accelerating service delivery.

Innovations in high availability combined with upgraded simplicity and programmability provide a best-in-class industry network solution for modern organizations.

Aruba ESP is an evolution of Aruba’s end-to-end architecture, delivering a unique unified infrastructure that can be managed centralized using Artificial Intelligence Operations (AIOps) to achieve Zero Trust Security while improving user experience.

Aruba ESP is the industry’s first platform that is built specifically to meet emerging requirements of the Intelligent Edge.

**ESP Architecture**

Aruba ESP Campus includes the following key features and capabilities:

  • Modern Connectivity: Design efficient and scalable networks using the full range of port densities and speed options available in the Aruba CX 6xxx and CX 8xxx switch families.
  • Automation: Automated network configuration makes building high-performance, scalable campus networks more efficient and less error prone.
  • Analytics: On-box and cloud analytics ensure that alerts are never missed and that intermittent failures are diagnosed quickly.
  • Wireless Networking: The latest, high-speed WiFi standards and advanced radio designs ensure high-capacity and high-reliablity mobile connectivity.
  • Access Control: Colorless Ports and ClearPass Policy Manager provide efficient, dynamic device and user authentication onto the network.

Aruba ESP includes a wide scope of built-in management services, including onboarding, provisioning, orchestration, security, analytics, location tracking, and management. AI Insights reveal issues before they impact users. Intuitive workflow-centric navigation enables the organization to accomplish tasks quickly and easily using views that present multiple dimensions of correlated data. Policies are created centrally, and features such as Dynamic Segmentation allow the network administrator to implement them over an existing infrastructure. To ensure reliability, power, and flexibility, Aruba ESP architecture is built in distinct layers, as shown in the following figure.

**ESP Layers**

Aruba ESP Campus Connectivity Layer

The connectivity layer for the Aruba ESP campus is implemented on Aruba CX Ethernet switches that provide low latency and high bandwidth on a fault-tolerant platform designed to carry campus traffic from the access layer to the core. Wireless connectivity is provided using industry leading access points (AP) and gateways, with options for tunneling traffic to centralized gateways or for bridging locally at the AP.

Underlay Network

When the connectivity layer is described as an underlay network, this implies its primary function is to carry virtual overlay networks. The underlay network should be designed to use Layer 3 links, and ECMP routing is implemented as a Layer 3 routed network. Aruba ESP uses OSPF as the underlay routing protocol.

Aruba ESP Campus Policy Layer

The policy layer for the Aruba ESP campus is implemented using overlay technology and traffic filtering mechanisms to isolate user and application traffic. Data traffic can be tunneled back to a gateway cluster for centralized enforcement, or it can be handled within a switch fabric that provides policy enforcement at every node in the network.

ClearPass Policy Manager is typically used to integrate the network authentication interface (RADIUS) into a user database (LDAP) and to define user roles with associated policies that are enforced within the network. Device Insights ensures that the endpoint security posture is determined in real time from information gathered directly from the network.

Aruba ESP’s powerful policy management is operated independently from the network’s IP design. Traffic tunneled to a gateway cluster is tagged at ingress with a user role that determines how the traffic is treated by the gateway during forwarding. Traffic in a distributed fabric is tagged using the VXLAN-Group Based Policy (GBP) feature to assign a role ID to every frame in the fabric ensuring consistent policy enforcement across LAN, WLAN, and WAN.

Overlay Network

Aruba ESP centralized overlays are implemented using the Generic Routing Encapsulation (GRE) protocol. This enables an access layer switch to tunnel client traffic back to a gateway cluster for policy enforcement.

Aruba ESP distributed overlays are implemented using VXLAN tunnels that provide both Layer 2 and Layer 3 virtualized network services to endpoints attached to edge switches. A VXLAN Network Identifier (VNI) is used to identify Layer 2 and Layer 3 segments in a VXLAN overlay topology. Symmetric Integrated Routing and Bridging (IRB) supports ubiquitous Layer 2 forwarding and Layer 3 routing throughout the overlay.

**VXLAN Frame**

A VXLAN Tunnel End Point (VTEP) is the function within edge and border switches that handles the origination and termination of point-to-point tunnels forming an overlay network. A single logical VTEP is implemented when redundant switches are deployed in a rack. Aggregation and core switches provide IP transport for the overlay tunnels but do not participate in the encapsulation/decapsulation of VXLAN traffic.


Attached hosts are learned at the edge switch using Ethernet link layer protocols. Remote learning across the VXLAN fabric is accomplished using Multiprotocol Border Gateway Protocol (MP-BGP) as the control plane protocol and the Ethernet virtual private network (EVPN) address family for advertising host IP and MAC prefixes. This approach minimizes flooding while enabling efficient, dynamic discovery of remote hosts within the fabric.

Aruba ESP Campus Services Layer

The Aruba ESP campus solution is built around the Aruba Central cloud platform. Central delivers a cloud management and services delivery platform for the end-to-end Aruba ESP solution. Central also provides an AI-driven platform for automation workflows such as Aruba Central NetConductor, to simplify deployment of an EVPN-VXLAN overlay fabric and role-based access policy.

Most organizations purchase and deploy Aruba gateways, switches, and APs using Central as the management platform. When large organizations require it, the ESP services layer can be deployed on-premise or in a private cloud. Organizations that operate the network as a managed service can deploy it through HPE GreenLake for Aruba.

Aruba Central

Aruba Central simplifies the deployment, management, and optimization of WLAN, LAN, VPN, and SD-WAN. This eliminates the time-consuming manual process of moving information from one management platform to another or trying to correlate troubleshooting information across multiple views. Central is the “single pane of glass” for Aruba ESP. The use of integrated AI-based ML, IoT device profiling for security, and Unified Infrastructure management accelerates the edge-to-cloud transformation for today’s Intelligent Edge.

Central Key Features:

  • Cloud-native enterprise campus WLAN software
  • AI Insights for WLAN, switching, and SD-WAN
  • Advanced IPS/IDS threat defense management
  • Mobile application-based network installation
  • Unified management for access and WAN edge
  • Live chat and an AI-based search engine
  • Cloud, on-premises and as-a-service (aaS) options.

Central is a cloud-native microservices-based platform that provides the scalability and resilience needed for critical environments. Compared to an on-premise solution, Central is more adaptive, predictable, and horizontally scalable with built-in redundancy. Central also provides seamless access to Aruba ClearPass Device Insight, Aruba User Experience Insight (UXI), and Aruba Meridian to furnish significant capabilities to leverage AI/ML and location-based services for network visibility and insight.

Workflow-based configurations within Central enable efficient, error-free deployments of Aruba solutions anywhere in the world. The workflows are based on common best-practice approaches to network configuration. They enable new devices to come online quickly using new or existing network configurations.


Aruba AIOps, driven by Aruba Central, eliminates manual troubleshooting tasks, reduces average resolution time, and automatically discovers network optimizations. Aruba’s next-generation AI uniquely combines network- and user-centric analytics to identify and inform staff of anomalies.

AI Insights are available to monitor connectivity performance, radio frequency (RF) management, client roaming, airtime utilization, and wired and SD-WAN performance. Each insight is designed to reduce the number of trouble tickets and ensure that service-level agreements (SLAs) are met by addressing network connectivity, performance, and availability challenges.

AI Assist uses event-driven automation to trigger the collection of troubleshooting information to identify issues before they impact the business. Log information is automatically provided to IT staff as part of event reporting and can be shared easily with Aruba TAC for expedited root cause determination and remediation.


ClearPass Policy Manager provides role- and device-based secure network access control for Internet of Things (IoT) devices, bring your own device (BYOD), and corporate devices and for all employees, contractors, and visitors across wired, wireless, and VPN infrastructure. With a built-in context-based policy engine, RADIUS, TACACS+, non-RADIUS enforcement using OnConnect, device profiling, posture assessment, onboarding, and visitor access options, ClearPass is unrivaled as a foundation for network security for organizations of any size.

ClearPass also supports secure self-service capabilities, making it easier to access the network. Users can securely configure their own devices for enterprise use or Internet access based on administrative policy controls. Aruba wireless customers get unique integration capabilities, such as AirGroup, as well as ClearPass Auto Sign-On (ASO). ASO passes the users’ network authentication automatically to their enterprise mobile apps, so they can get right to work.

ClearPass Policy Manager Key Features:

  • Role-based, unified network access enforcement across multi-vendor networks
  • Intuitive policy configuration templates and visibility troubleshooting tools
  • Support for multiple authentication/authorization sources (AD, LDAP, SQL)
  • Self-service device onboarding with built-in certificate authority (CA) for BYOD
  • Visitor access with extensive customization, branding, and sponsor-based approvals
  • Integration with key UEM solutions for in-depth device assessments
  • Comprehensive integration with the Aruba 360 Security Exchange Program.

ClearPass is the only policy platform that can provide centralized enforcement for all aspects of enterprise-grade access security for any industry. Granular policy enforcement is based on a user’s role, the device type and its role, authentication method, UEM attributes, device health, traffic patterns, location, and time of day. Deployment scalability supports tens of thousands of devices and authentications, surpassing the capabilities of legacy AAA solutions. Options are available for small, medium, or large organizations and for centralized, distributed or combination environments.

Client Insights

Networks have become increasingly complex, due in part to the adoption of IoT devices that can be difficult to detect and manage. To achieve mobile and IoT operational efficiency, many organizations deploy a range of devices without fully understanding the security and compliance implications.

Aruba Client Insights provides visibility across the network by intelligently discovering and profiling all connected devices. Client Insights identifies detailed attributes, such as device type, vendor, hardware version, and behavior including applications and resources accessed. Organizations can create more granular access policies, reduce security risks, meet key compliance requirements, and make better informed network access control decisions.

Integration with Central and ClearPass Policy Manager delivers comprehensive policy control and real-time enforcement. This makes the visibility provided by Client Insights highly usable and increases the overall level of security and compliance for all devices connected to the network.

User Experience Insight

Aruba User Experience Insight (UXI) is a cloud-based service assurance solution that validates network health and troubleshoots problems affecting day-to-day user experience. Ideal for campus and branch environments, UXI assumes the role of a user to evaluate the performance, connectivity, and responsiveness of the network as well as services, such as corporate ERM or Microsoft applications. This outside-in perspective is presented on a simple, intuitive dashboard that provides a proactive tool to identify and solve problems before they impact the business. UXI is easy to configure, deploy, and manage, and it begins to provide insights immediately as soon as sites are online.

Additional ESP Service Capabilities

The nature of Central as a services platform means capabilities can be added without infrastructure upgrades or significant design overhauls in a customer’s environment.

Live Upgrade is an Aruba solution that uses network telemetry data to understand how the network can be upgraded with the least impact. It then coordinates upgrades among clients and hardware to minimize the need for maintenance windows and downtime.

AI Insights is a capability in Central that quickly identifies, categorizes, and resolves issues that would impact client onboarding, connectivity, and network optimization. These insights provide clear descriptions of the detected issue, data visualizations, recommended fixes, and contextual data to determine the overall impact. AI Insights uses ML-based network analytics to deliver optimization recommendations for mobile workers and wireless and IoT devices. Data from multiple sources, including the wireless infrastructure, DHCP, and authentication servers, are gathered in an on-site data collector. Compressed data are sent via a secure tunnel to the AI Insights cloud instance, where ML-based models that incorporate Aruba’s extensive Wi-Fi expertise analyze network connectivity and performance.

A web-based dashboard displays insights, root cause analysis, and recommendations to fix immediate and foreseeable performance issues. Aruba 5xx series APs work seamlessly with AI Insights to power down automatically when demand ceases and power up when demand returns. AI Insights uses predictive analytics and ML to identify usage patterns. After a brief learning period, AI Insights can predict when demand will stop and start.

AI Assist is the always-on technical assistant that helps augment network operations. AI Assist uses event-driven automation to collect and post relevant data for the internal help desk and the Aruba Technical Assistant Center. Centralizing all the data about an issue in a single source eliminates the need for multiple analytical tools. Everything is displayed in context, in a single view, so problems can be resolved more quickly.

AirGroup is an Aruba solution that aids with mDNS- and SSDP-style discovery protocols across VLANs. AirGroup also enables a group of these devices to be accessed from any client location or VLAN. AirGroup interfaces with outside components to provide enterprise-level control over devices or technology not specifically designed for the enterprise.

Air Slice enables Aruba Wi-Fi 6 APs to prioritize client traffic at the radio level. This service is transparent to the client and has no integration or standards requirements, unlike older solutions. Air Slice tightly integrates into the DPI firewall capabilities of the AP, so Air Slice policies can be created and based on applications instead of ports and IP addresses.

AirMatch provides automated RF optimization by adapting dynamically to the ever-changing environment. In Aruba ESP, the AirMatch service is moved to Central, which is capable of computing and deploying RF allocation to APs across the network. The AirMatch service receives telemetry data from APs for radio measurements, channel range, transmit power range, operational conditions, and local RF events such as radar detection or high noise.

ClientMatch is the feature that made Aruba the first networking vendor to offer AI/ML capabilities. ClientMatch optimizes the client association by continuously scanning the wireless environment and sharing information about the clients and the APs. Based on the dynamic data, clients are steered to the most suitable AP, with no required software changes in the clients.

Back to top

© Copyright 2024 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.