Port-Based Tunneling

In a traditional campus network, wireless traffic is encapsulated between the access point and controller using a tunnel. With Port-Based Tunneling on the Aruba switches, a similar implementation is done using the same mechanism with an Aruba Mobility Controller. In essence, a wired port becomes a “wired AP”. Each switch port can then be individually configured to create a single tunnel to the Mobility Controller. However, at the Mobility Controller, each tunneled node port is seen as separate tunnel to provide more granular visibility, as each tunnel has a unique GRE key. By tunneling traffic to the Mobility Controller, in Port-Based Tunneling, authentication and network policies are applied and enforced at the controller-side for tunneled, wired traffic. This simplifies configuration on the switch and centralizes policies at the Mobility Controller. Port-Based Tunneling allows using the same enforcement options for wired and wireless clients. This includes stateful session processing, deep packet inspection, URL filtering, and bandwidth contracts.

The main purpose of Port-Based Tunneling is to use the Mobility Controller as a unified policy enforcement point for traffic from both wired and wireless clients.

If the Mobility Controller is not reached by the Aruba switch, the user can fall back to local switching, which allows the tunneled ports to communicate with the other ports in the same VLAN.
  • Port-Based Tunneling is configured on a per-port basis. Traffic to and from ports that is not configured as tunneled is forwarded using the standard layer switching technology.

  • An ArubaOS-switch can be configured with a main and a backup tunnel termination controller called “tunneled-node server”.

  • Port-Based Tunneling does not support HA and load balancing over an Aruba Mobility Controller Cluster compared to User-Based Tunneling.