Link Search Menu Expand Document
calendar_month 15-Mar-23

Aruba ESP Policy Enforcement

Policy enforcement refers to implementing and enforcing user roles and related attributes assigned to a connected user or device based on a predefined security policy.

While the processing and decisions of these policies are made by authentication services such as ClearPass or Central Global Policy Manager, the actual enforcement occurs on the switches, gateways, and Bridge Mode or Microbranch APs.

Table of contents

Authentication and Profiling

The identity of a connected device is established though an authentication event or a profiling result. The identity is associated with a role used for traffic generated by a user or device as long as the network connection is active and/or authentication policy allows connection.

Centralized Enforcement

When building networks using a centralized policy architecture, APs and switches form GRE tunnels to a gateway cluster to which all user traffic is tunneled. Centralized design is effective and efficient for client-initiated, north/south-bound traffic such as that destined for a data center or the Internet. All policy enforcement is performed on the gateways, then assigned a role and switched to an appropriate VLAN.

An authentication server in an 802.1X authentication exchange responds with an assigned role and other attributes, and the gateways in the cluster apply that role to every session initiated by the client.


Aruba gateway clusters provide a high-performance, scalable solution for centralized policy enforcement. A gateway cluster also serves as the primary policy enforcement point with Aruba’s high-throughput Policy Enforcement Firewall and Deep Packet Inspection features.

The illustration below demonstrates a high-level example of centralized wireless policy enforcement performed by an AOS 10 Gateway cluster.

Centralized Wireless Enforcement

Wi-Fi clients associate to a tunnel mode AP that forwards the traffic to the Gateway cluster via a GRE tunnel. The Gateways decapsulate and analyze the traffic, enforce user roles and related attributes based on a predefined IT security policy, then forward the traffic to their corresponding destinations:

  • Security cameras are assigned the Surveillance role that allows communication only with the media server.
  • The laptop associated with a login belonging to a user in the finance department is assigned the Finance role that allows communication with the finance server and the Internet.
  • The Guest role is assigned to the guest phone traffic and is sent to the Internet only.

All the roles are assigned dynamically by the Gateways using Aruba ClearPass or Central NetConductor.


Much like the centralized wireless enforcement diagram, the diagram below demonstrates a high-level example of centralized wired policy enforcement performed by an AOS 10 Gateway cluster.

Centralized Wired Enforcement

With centralized wired enforcement, UBT provides a secure tunnel between Aruba switches and AOS 10 Gateway cluster protecting sensitive data and applications from unauthorized access, similar to a Tunnel Mode AP. A granular policy can be applied to prioritize application traffic and dictate which resources can be accessed, among other things, as part of Aruba’s Dynamic Segmentation. The roles can be assigned by ClearPass or Cloud Auth.

Distributed Enforcement

With a distributed policy architecture, Aruba CX switches form an EVPN-VXLAN overlay fabric. Data traffic is encapsulated in a VXLAN packet that includes a group policy ID (GPID) in the header. This enables policy enforcement on any VXLAN-GBP-aware device configured with a corresponding role and policy.

Distributed policy enforcement implemented in Aruba Central NetConductor provides consistent and efficient policy enforcement in all directions of traffic flow.

The policy enforced on a switch is configured within Aruba Central and downloaded to the switch when it is added to the overlay fabric. The same is done for gateways connected into a NetConductor fabric.


The Aruba CX switch operating system provides a sophisticated suite of Layer 3 capabilities necessary for building highly resilient overlay networks based on EVPN-VXLAN, using the Group Based Policy field of the VXLAN header to carry a Group Policy ID. Each user or device session carried through the fabric is assigned a role ID enabling each switch in the network to enforce role-based policy.

Distributed Enforcement

In the example above, traffic is inspected and policy is enforced locally at each switch or switch stack, for a more efficient data path between source and destination.

  • User roles are applied to each session, permitting each device as defined by the organization’s IT security policy.
  • Surveillance traffic is permitted only between cameras and media servers,
  • Finance users are permitted to communicate with their Finance servers, print servers, and internet.
  • Guests are restricted to only internet access.

The model is configured and supported from Aruba Central’s comprehensive interface.


For the wireless LAN, Gateways and the overlay fabric are connected through a static VXLAN tunnel configured between the Gateways in a cluster and the aggregation switch to which they are connected. This static tunnel ensures that the role ID is communicated between the WLAN and the EVPN fabric by preserving the VXLAN header.

Based on the role ID, gateways enforce policy on traffic using the integrated policy enforcement firewall (PEF).

WLAN in Distributed Enforcement

The animated diagram above demonstrates how client traffic is handled in a distributed enforcement deployment. First, note that EVPN-VXLAN tunnels are built between switch stacks and static VXLAN tunnels between the Gateways and switches in the overlay fabric. GRE tunnels are formed between the AP and Gateways, and client traffic is encapsulated but forwarded through the underlay, not the overlay fabric.

As the first client in the example, the surveillance camera, associates to the AP, its traffic is sent to the Gateway via the GRE tunnel, where it is decapsulated, inspected, and forwarded back out the Gateway interface to the local LAN. It is assigned the Surveillance role and sent through the static VXLAN tunnel and onto its final destination, the media server.

The second client to associate, the Finance user, is processed in the same manner, but based on the IT security policy, it is assigned a Finance role and sent to one of the three permitted destinations.

Last, the guest phone is handled similarly and assigned the Guest role, which allows only internet access.

Currently, only Tunnel Mode is supported in a distributed model.

Back to top

© Copyright 2022 Hewlett Packard Enterprise Development LP. The information contained herein is subject to change without notice. The only warranties for Hewlett Packard Enterprise products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Hewlett Packard Enterprise shall not be liable for technical or editorial errors or omissions contained herein. Aruba Networks and the Aruba logo are registered trademarks of Aruba Networks, Inc. Third-party trademarks mentioned are the property of their respective owners. To view the end-user software agreement, go to Aruba EULA.