Dynamic Segmentation enables Aruba switches to tunnel traffic (all traffic or the traffic of particular clients) to Aruba controllers.

Dynamic Segmentation includes the following:
  • User-Based Tunneling tunnels client traffic on the basis of user roles. This ability to dynamically tunnel traffic is powerful, and when used correctly, can help in solving several deployment problems that are prevalent in legacy campus networks. The policies associated with the client can be driven through a RADIUS server, a downloaded role from ClearPass, or by local MAC authentication in the switch. Many devices that require Power over Ethernet (PoE) and network access, such as security cameras, printers, payment card readers, and medical devices, do not have built in security software such as those on desktop or laptop computers. These devices can pose a risk to networks with the lack security on the device. User-Based Tunneling can authenticate these devices using ClearPass, and tunnel the client traffic, utilizing the advanced firewall and policy capabilities in the Aruba Mobility Controller. For providing secure access to IoT devices within the Aruba Intelligent Edge wired network, controller clustering is available in ArubaOS For more information, see User-Based Tunneling.

  • Port-Based Tunneling allows the Aruba switch to tunnel traffic to an Aruba Mobility Controller on a per-port basis. All traffic on a configured switch port is statically tunneled to an Aruba Mobility Controller. For more information, see Port-Based Tunneling.

Tunneling is enabled in the Aruba user role and can be combined with the Downloadable User Role (DUR) feature for dynamic and flexible policy enforcement and segmentation.


Maximum supported user tunnels per switch or stack: 1024

Maximum supported user tunnels per port: 32