TTechclick All lessons
HPE Aruba Networking · Platform · ArchitectureInteractive · L1 / L2

HPE Aruba Architecture & Aruba Central — AOS 8 vs 10, Cloud vs Controller

One vendor, two completely different brains. AOS 8 runs an on-prem Mobility Conductor and controllers. AOS 10 deletes the controller and runs the whole network from cloud-based Aruba Central. Skip the slide-ware — see both stacks, watch an AP onboard live, and pick the right one.

📅 2026-05-31 · ⏱ 11 min · 3 interactive demos · 🏷 10-Q assessment + AI Tutor inline
Explain like I'm a…
New to Wi-Fi lane: Think of Aruba as a chain of coaching centres. AOS 8 = one big principal's office (Mobility Conductor) on campus controlling every branch. AOS 10 = the principal moved to a cloud HQ (Aruba Central) and each branch just needs internet to get its instructions. Same school, new head office.
Practitioner lane: Focus on forwarding modes (Bridge / Tunnel / Mixed), the gateway cluster + Switch-IP requirement, and the AOS 8→10 "recreate config in Central" reality. The CLI/dashboard blocks below are copy-paste accurate.
Architect lane: Weigh data-plane locality vs management centralisation, N+1 vs 2N gateway redundancy, L2 vs L3 cluster scope, Central SaaS vs On-Premises (FIPS), and the PAPI/UDP-8211 attack surface before you commit a migration plan.

⚡ Quick Answer

HPE Aruba architecture made visual — see how AOS 8 (Mobility Conductor + Controllers) differs from AOS 10 (cloud-native Aruba Central + gateway clusters), watch an AP onboard live, and decide cloud vs controller in 11 minutes.

By the end of this lesson you will be able to…

Pick your path — jump straight to it

1

AOS 8 Stack

Mobility Conductor + Mobility Controllers. The classic on-prem hierarchy.

 2

AOS 10 + Central

No controller. Cloud brain + gateway clusters. Watch an AP onboard.

 3

Forwarding Modes

Bridge vs Tunnel vs Mixed — the choice that defines your data plane.

 4

Cloud vs Controller

Decision map + migration gotchas + the PAPI security trap.

The wrong answer everyone gives first

Ask a fresher "what is Aruba's architecture?" and they say: "controller + access points, like Cisco." That was true in 2018. It is half-wrong in 2026. Aruba now ships two operating systems with two completely different control planes, and confusing them is the fastest way to fail an interview or break a migration.

S
Sneha at Infosys inherited 240 APs. She assumed "Aruba = controller", logged into the old Mobility Conductor, and tried to add a new AP model. It refused — because the new APs had shipped in AOS 10 mode and only talk to Aruba Central. Two architectures, one site. That confusion is exactly what this lesson kills.

Here is the truth in one line. AOS 8 = an on-prem brain (Mobility Conductor) commanding controllers. AOS 10 = a cloud brain (Aruba Central) commanding lightweight gateways. Same APs can run either OS — the OS decides who is the boss.

AOS 8 vs AOS 10 architecture side by side Left column shows AOS 8 with an on-prem Mobility Conductor over Mobility Controllers over access points. Right column shows AOS 10 with cloud Aruba Central over gateway clusters and access points connected only by TCP 443. Two Aruba Architectures, One Vendor AOS 8 — On-Prem Brain Mobility Conductor on-prem · hierarchical config Controller 7200 series Controller standby (HA) AP AP AP Needs SNMP · AMON · IPsec between Aruba appliances on-site AOS 10 — Cloud Brain Aruba Central cloud / VPC / on-prem TCP 443 only Gateway Cluster 9200 / 9240 · data plane only AP AP AP Zero-Touch Provisioning plug in → pull config from cloud The one-line difference AOS 8 = brain lives in your rack. AOS 10 = brain lives in the cloud, controller is deleted, gateways only push packets.
Figure 1 — The same access points, two different bosses. The control plane moved from your rack (AOS 8) to the cloud (AOS 10).
🧠
Control plane
tap to flip

Where decisions are made. AOS 8 = Mobility Conductor on-prem. AOS 10 = Aruba Central in the cloud. Config, upgrades and monitoring all live here.

🚚
Data plane
tap to flip

Where packets actually move. AOS 8 = Mobility Controller terminates tunnels. AOS 10 = gateway cluster (or the AP itself in Bridge mode).

🗂
Config model
tap to flip

AOS 8 = hierarchical, pushed top-down from the Conductor. AOS 10 = UI groups + templates in Central, applied to AP groups and gateways.

🔌
Connectivity
tap to flip

AOS 8 needs SNMP, AMON and IPsec between appliances. AOS 10 mostly needs only TCP 443 from each device to Central.

Quick warm-up — 3 predictions before we dive

Answer these from gut feel. You'll see all three again, fully explained, by the end.

Warm-up · 1 of 3

In AOS 10, which component is deleted compared to AOS 8?

Correct: b. AOS 10 removes the Mobility Conductor and pushes management to cloud-based Aruba Central. Gateways still exist for the data plane, but the on-prem management brain is gone.
Warm-up · 2 of 3

Roughly which single port carries most AOS 10 device-to-Central management traffic?

Correct: c. Most AOS 10 deployments only need TCP 443 between each managed device and Aruba Central — a big simplification over AOS 8's SNMP + AMON + IPsec mesh. (UDP 8211 is PAPI — and that's a security concern we'll cover.)
Warm-up · 3 of 3

In AOS 10 Bridge mode, where does client traffic exit the network?

Correct: a. Bridge mode bridges client traffic locally out the AP's uplink onto the assigned VLAN — no gateway needed. Tunnel/Mixed modes send traffic to a gateway cluster instead.

① The AOS 8 stack — the on-prem hierarchy

AOS 8 is a top-down hierarchy. At the top sits the Mobility Conductor, which stores one master configuration and pushes it down a tree of Mobility Controllers. The controllers terminate the AP tunnels, run firewall/role policy, and handle client roaming. APs are relatively thin — they trust the controller for almost everything.

R
Rahul at TCS runs a classic AOS 8 site: one Conductor VM, a pair of 7200 controllers in HA, 180 APs. When he changes the guest SSID once on the Conductor, it cascades to both controllers automatically. That cascade is the beauty — and the lock-in — of the hierarchy.

The catch: this model assumes everything lives in your data centre. The Conductor, the controllers and the APs all need to reach each other with SNMP, AMON (Aruba's telemetry) and IPsec. That's a lot of east-west trust inside one site, and it does not stretch cleanly across the internet.

Pause & predict: In AOS 8, if the Mobility Conductor goes offline, do the existing wireless clients drop?

No — not immediately. The Conductor is the config brain, not the data path. Clients are served by the controllers, which keep forwarding using their last-known config. You lose central config/management until the Conductor returns, but live sessions survive. This is exactly why people don't panic when the Conductor reboots — but they do panic when a controller fails without HA.
AOS 8 control plane versus data plane flow Config flows downward from Mobility Conductor to controllers to access points, while client data flows upward from a client through the access point tunnel to the controller and out to the network core. AOS 8 — Two Flows, Opposite Directions ▼ CONFIG (top-down) ▲ CLIENT DATA (up) Mobility Conductor Mobility Controller Network Core / VLANs Access Point (thin) 📱 Wi-Fi Client SNMP/AMON/IPsec GRE/IPsec tunnel
Figure 2 — In AOS 8, config rains down from the Conductor while client data tunnels up to the controller. Two flows, two directions.
Quick check · Q1 of 10

In an AOS 8 deployment, which device terminates the AP tunnels and enforces role/firewall policy for wireless clients?

Correct: b. In AOS 8 the Mobility Controller is the data-plane workhorse — it terminates AP tunnels and runs policy. The Conductor (option c) is only the config brain; it doesn't carry client traffic. That's the AOS 8 control-vs-data split.

② AOS 10 + Aruba Central — the cloud-native model

AOS 10 throws out the on-prem brain. Aruba Central becomes the single management plane. There is no Mobility Conductor and no Mobility Controller. Instead you have two device roles: APs and gateways. Gateways form clusters purely for data-plane termination and redundancy — they no longer hold the master config.

The headline win is Zero-Touch Provisioning. Plug an AP into PoE, it reaches Central over TCP 443, and Central streams down its config. No console cable, no maintenance window.

P
Priya at HCL shipped 60 pre-provisioned APs to a new branch. A non-technical office admin just plugged them into the switch. Each AP found Central, downloaded its AP-group config, and joined the live SSID within minutes. Priya never visited the site. That is the AOS 10 pitch in one sentence.

▶ Watch an AP onboard into Aruba Central

Click Play. Each stage lights up as a brand-new AP boots and joins the AOS 10 network with zero touch.

① POWER ON AP gets PoE on switchport, pulls IP 10.20.30.41 via DHCP on the mgmt VLAN
② FIND CENTRAL AP resolves the activation service & opens TCP 443 to device.arubanetworks.com
③ CLAIM CHECK Central checks the AP serial against your inventory + assigns it to its pre-provisioned AP group
④ PULL CONFIG Central streams the running config (SSIDs, VLANs, forwarding mode, RF profile) down to the AP
⑤ PICK FORWARDING Config says Tunnel mode → AP builds a tunnel to gateway cluster VIP 10.20.40.10
⑥ LIVE SSID "Corp-WiFi" broadcasts. Clients associate; traffic tunnels to the gateway. Status in Central = Up.
Press Play to step through zero-touch onboarding. Each press of Next advances one stage.
The #1 AOS 10 gateway trap

Symptom you see: a brand-new gateway shows up in Central as "discovered" but never goes "configured" — it just sits there grey. Cause: a gateway will not receive its configuration from Central until a Switch IP is assigned. The gateway needs an IP and one of those IPs set as the Switch IP, plus TCP 443 reachability to Central. No Switch IP = no config. Engineers lose hours here because the device looks "online" but is brain-empty.

Quick check · Q2 of 10

An AOS 10 gateway is online and pingable, appears in Central as "discovered", but never pulls its configuration. Which is the most likely cause?

Correct: b. A gateway must have an IP and a designated Switch IP before Central will deliver configuration. Option a is an AOS 8 concept (no Conductor exists in AOS 10). AOS 10 uses TCP 443, not SNMP, for management.

Pause & predict: If your internet link to Aruba Central goes down for an hour, do existing Wi-Fi clients on an AOS 10 tunnel-mode network drop?

Generally no. Central is the management plane, not the data path. APs and the gateway cluster keep forwarding with their last-known config — clients stay connected. What you lose is management: no new config, no live dashboards, and new zero-touch onboards will stall until Central is reachable again. Survival of live traffic is by design; that's why losing Central is annoying, not catastrophic.

③ Forwarding modes — the choice that defines your data plane

This is the single most tested AOS 10 design topic. Once Central is your brain, you still must decide where client packets go. AOS 10 gives three answers per SSID/VLAN.

🌉
Bridge mode
tap

AP bridges client traffic straight out its uplink onto the assigned VLAN. No gateway needed. No NAT/DHCP on the AP. Validated up to 500 APs / 5,000 clients.

🛣
Tunnel mode
tap

AP tunnels all client traffic to a gateway cluster. Centralised policy, roaming across L3, consistent firewall — at the cost of a gateway in the path.

🔀
Mixed mode
tap

The AP decides per-VLAN: bridge the corporate VLAN locally, tunnel the guest VLAN to the gateway. Best of both — but more design care.

♻️
Cluster redundancy
tap

Tunnel/Mixed need a gateway cluster. Size it N+1 (one spare) or 2N (full mirror). Hitless failover keeps clients up when a node dies.

▶ Tunnel mode — follow a client packet to the gateway

A laptop on the Corp SSID in Tunnel mode. Watch where the packet actually terminates.

① CLIENT Laptop 10.20.50.77 sends to 172.16.8.20 (internal app server)
② AP AP does NOT bridge locally — it wraps the frame and tunnels it to the cluster
③ CLUSTER VIP Tunnel lands on the gateway cluster virtual IP 10.20.40.10 (active node)
④ POLICY Gateway applies role/firewall policy + places the client on its real VLAN
⑤ FORWARD De-tunnelled packet 10.20.50.77172.16.8.20 exits to the core
⑥ FAILOVER If the active node dies, the standby owns the VIP — hitless, client never notices
In Bridge mode, stages 2–4 disappear — the AP would drop the frame straight onto the VLAN. Tunnel mode trades a hop for centralised control.
Forwarding mode decision and comparison A decision tree asking whether centralised policy or a gateway is needed, branching into Bridge, Tunnel, and Mixed modes, with a comparison strip of their key traits. Which AOS 10 Forwarding Mode? Need centralised policy / L3 roam? NO YES PER-VLAN 🌉 Bridge no gateway · local VLAN exit 🛣 Tunnel all traffic → gateway cluster 🔀 Mixed bridge some VLANs, tunnel others TRAIT BRIDGE TUNNEL MIXED Gateway in pathNoYesPer-VLAN Centralised policyLimitedFullSelective Scale ceiling500 AP / 5k clCluster-boundHybrid
Figure 3 — Decision map: no central policy needed → Bridge; full central control → Tunnel; want both selectively → Mixed.
How architects actually choose

Small/branch site, simple VLANs, trust the LAN? Bridge mode — fewer moving parts, no gateway to license. Large campus, strict role-based firewall, L3 roaming, guest isolation? Tunnel mode — the gateway becomes your policy enforcement point. One site with both needs? Mixed — bridge the trusted corporate VLAN locally for performance, tunnel the guest VLAN to the gateway for isolation. Remember Bridge mode APs don't do NAT or DHCP — your switching/routing layer must already provide those.

Quick check · Q3 of 10

A 90-AP branch wants the simplest AOS 10 design: trusted LAN, existing DHCP/routing on the core switch, no need for centralised firewall on Wi-Fi. Which forwarding mode fits best?

Correct: a. With a trusted LAN, existing DHCP/routing, and no central-firewall requirement, Bridge mode is the cleanest fit — and 90 APs is well within the 500-AP / 5,000-client bridge validation ceiling. No gateway to buy, license or maintain. Tunnel mode (b) adds a gateway you don't need here.

④ Cloud vs Controller — the decision & the traps

So which architecture do you actually deploy? AOS 10 is HPE Aruba's strategic direction, but AOS 8 is far from dead — and some hardware (7000/7200 controllers) only ever runs AOS 8. The honest answer is "it depends on hardware, connectivity and compliance".

Cloud versus controller decision flow with deployment factors A flow starting from hardware and connectivity questions, branching toward AOS 8 controller-based or AOS 10 cloud-based with Aruba Central deployment options of SaaS, virtual private cloud, and on-premises. Cloud (AOS 10) vs Controller (AOS 8) — How to Decide Start: new design Stuck on 7000/7200 controllers only? YES NO AOS 8 — Controller no AOS 10 path on this HW Can't use public cloud (gov / air-gap)? AOS 10 — Aruba Central cloud brain, gateway clusters Aruba Central comes three ways: SaaS HPE-hosted public cloud Virtual Private Cloud dedicated instance On-Premises FIPS build for gov / air-gap
Figure 4 — Hardware first, connectivity second. If you can run AOS 10, Central still offers SaaS, VPC, or On-Premises (FIPS) so even air-gapped sites qualify.
A
Amit at a defence contractor assumed AOS 10 was "cloud only" and therefore banned by his air-gap policy. Wrong. Central On-Premises ships a FIPS 140-2 validated build that scales from a single node (up to ~2,000 devices) to an 11-node cluster (~40,000 devices). He got the AOS 10 model without sending one byte to the public internet.

Pause & predict: You're migrating an AOS 8 controller-managed site to AOS 10. How much of your existing AOS 8 config can you "lift and shift" straight into Central?

Almost none — plan to recreate it. Moving controller-managed APs to AOS 10 is a major architectural change: the entire AOS 8 configuration must be recreated in Central as UI groups / templates. There's no magic importer that copies a Conductor hierarchy into Central. Extra gotchas: native/uplink VLAN behaviour differs from Instant AOS 8, and your gateway should run AOS 8.10.0.12, 8.12.0.1 or later for clean AP conversion. Budget design time, not just a button-click.

The security gotcha you cannot skip — PAPI / UDP 8211

Architecture isn't just boxes — it's attack surface. Aruba's internal management protocol PAPI rides on UDP 8211, and it has been a repeat target.

Critical: unauthenticated RCE on PAPI

Symptom (if exploited): an attacker who can reach UDP 8211 runs code on your AP or controller with no login. In 2024 HPE Aruba disclosed multiple CVSS 9.8 unauthenticated RCE flaws — including CVE-2024-26305 and the November batch CVE-2024-42509 / CVE-2024-47460 — all reachable via crafted packets to PAPI UDP 8211. Fix: patch to a fixed ArubaOS build; never expose UDP 8211 to untrusted networks; and on AOS 8.x enable Enhanced PAPI Security with a non-default key as a workaround. This is a top-of-list item in any Aruba security review.

AOS 8.x workaround — Enhanced PAPI Security with a non-default key 
(MC) [mynode] (config) #firewall enable-per-packet-logging
(MC) [mynode] (config) #control-plane-security
(MC) [mynode] (cps) #cluster-member-custom-cert
(MC) [mynode] (config) #papi enhanced-security
(MC) [mynode] (config) #papi enhanced-security-key <non-default-key>
Expected output 
Enhanced PAPI security: Enabled
PAPI key source: custom (non-default)
Warning: all cluster members must share the same key
         before commit, or control-plane sessions will drop.
Quick check · Q4 of 10

Your security team flags that Aruba's PAPI process has had multiple unauthenticated RCE CVEs. Which port and immediate hardening step matter most?

Correct: c. The 2024 critical ArubaOS RCE chain (CVE-2024-26305, -42509, -47460) targets PAPI on UDP 8211. Patch first; restrict UDP 8211 to trusted segments; on AOS 8.x enable Enhanced PAPI Security with a non-default key. Disabling 443 (a) would break Central management, not fix PAPI.

The certification map — where this lesson lands

This architecture knowledge is foundational across the HPE Aruba Networking track: from ACA (associate), up through ACP – Campus Access (HPE7-A01) which explicitly tests gateway clusters, tunnel/mixed mode, MPSK and Central resiliency, to the expert ACX – Campus Access Mobility (HPE7-A07). The wired-switching cousin is ACSP (HPE6-A73) on AOS-CX. Nail AOS 8 vs 10 and you've cleared the highest-frequency exam topic in the whole track.

🤖 Ask the AI Tutor

Tap any question — instant context-aware answer. No login, no waiting.

Pre-curated answers from HPE Aruba TechDocs + Airheads community. For a live migration question, paste your inventory + forwarding-mode plan into chat.techclick.in.

📝 Wrap-up — six more

You've already answered 4 inline. Six left. 70% (7 of 10) total marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

In AOS 10, what is the role of Aruba Central?

Correct: a. Central is the management plane: it onboards, configures, upgrades, and monitors APs and gateways. The data plane is handled by gateways (Tunnel/Mixed) or the AP itself (Bridge) — not by Central.
Q6 · Apply

A campus needs role-based firewall on every Wi-Fi client and seamless roaming across Layer 3 boundaries. Which AOS 10 design delivers this?

Correct: b. Tunnel mode sends all client traffic to the gateway cluster, which becomes the central policy/firewall point and lets the roaming domain span L3 boundaries. Bridge mode keeps traffic local and can't centrally enforce per-client firewall across the campus.
Q7 · Apply

You're sizing a gateway cluster for a Tunnel-mode site that must survive one gateway failure with full capacity preserved. Which redundancy design do you choose?

Correct: c. "Full capacity preserved after a failure" means 2N — twice as many nodes so the survivors carry the entire load. N+1 (b) survives a failure but the remaining nodes run hotter (reduced headroom). A single node (a) has no redundancy at all.
Q8 · Analyze

After migrating an AOS 8 controller-managed site to AOS 10, the team is surprised they had to rebuild SSIDs, roles and VLANs from scratch in Central. Why couldn't they import the AOS 8 config directly?

Correct: a. Controller-managed → AOS 10 is a major architectural change. There's no lift-and-shift of a Conductor hierarchy into Central; you recreate the config. Watch the native/uplink VLAN behaviour difference and ensure the gateway runs AOS 8.10.0.12 / 8.12.0.1+ for clean AP conversion.
Q9 · Analyze

A bank's compliance team forbids sending management data to any public cloud, yet the architect wants the AOS 10 operating model. What's the correct resolution?

Correct: d. Central On-Premises (with a FIPS 140-2 validated build for government) delivers the AOS 10 management model without public-cloud exposure, scaling from a single node up to an 11-node cluster (~40,000 devices). "AOS 10 = public cloud only" is the misconception this question targets.
Q10 · Evaluate

An auditor proposes "to cut cost, expose the gateways' management directly to the internet and skip patching since they're behind NAT". Evaluate this plan against Aruba's known risks.

Correct: d. The plan ignores the 2024 critical ArubaOS RCE chain on PAPI/UDP 8211 (CVE-2024-26305, -42509, -47460). NAT does not stop unauthenticated packets that reach 8211, and "skip patching" is indefensible for CVSS 9.8 flaws. Correct posture: patch promptly, restrict UDP 8211 to trusted segments, enable Enhanced PAPI Security on AOS 8.x.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the section that tripped you up and tap "Try again".

✍️ Explain it back (self-explanation)

In your own words, write the one-sentence difference between AOS 8 and AOS 10. Writing it down beats re-reading for retention.

👥 Teach a friend

Imagine a junior asks: "If AOS 10 deleted the controller, who moves the packets now?" Type the 2-line answer you'd give them. If you can teach it, you own it.

🔁 Lock it in — spaced recall

Want a nudge to recall this in 3 days (the sweet spot for memory)? Drop your email and we'll send one 3-question recall quiz. No spam, unsubscribe anytime.

✓ Locked in — we'll nudge your recall in 3 days.

📖 Glossary

Mobility Conductor
The on-prem management brain in AOS 8 (formerly Mobility Master) — single source of config truth, pushed top-down.
Mobility Controller
AOS 8 appliance (7000/7200 series) that terminates AP tunnels and enforces role/firewall policy.
Aruba Central
HPE Aruba's cloud-native management platform for AOS 10 (and AOS 8) — onboarding, config, upgrades, monitoring, AI insights.
Gateway / Gateway Cluster
AOS 10 data-plane appliances (9200/9240/9100) that terminate tunnels; multiple gateways act as one cluster for hitless HA.
Forwarding mode
How an AP handles client traffic — Bridge (local VLAN), Tunnel (to gateway), or Mixed (per-VLAN).
Zero-Touch Provisioning
Plug a device in, it reaches Central over TCP 443 and downloads its full config automatically.
PAPI
Aruba's internal control protocol over UDP 8211 — repeated CVE target; restrict and harden it.
Switch IP
The IP an AOS 10 gateway must have designated before Central will deliver configuration.

📚 Sources

  1. HPE Aruba Networking TechDocs — Migrating to AOS 10 & Validated Solution Guide: AOS 8 Campus to AOS 10. arubanetworking.hpe.com/techdocs
  2. HPE Aruba Networking TechDocs — AOS 10.x Forwarding modes of operation (Bridge / Tunnel / Mixed) & Gateway deployments / Gateway cluster planning.
  3. HPE Aruba Networking — Aruba Central Data Sheet (SaaS / VPC / On-Premises, FIPS); TechTarget — Aruba Central scale tiers & analytics (2025).
  4. Airheads Community — "AOS 8 vs AS 10 for on-prem deployment"; Chad Teal — Troubleshooting AOS10 Gateway Connectivity & Config Sync (Switch IP).
  5. HPE Aruba Networking Security Advisories — CVE-2024-26305 / CVE-2024-42509 / CVE-2024-47460 (PAPI UDP 8211, CVSS 9.8 RCE); The Hacker News / Arctic Wolf coverage (2024).
  6. HPE Certification & Learning — ACP – Campus Access (HPE7-A01), ACX – Campus Access Mobility (HPE7-A07), ACSP (HPE6-A73) blueprints.

What's next?

Now that you own the architecture, we zoom into the access points themselves — how ArubaOS runs on Campus, Remote and Instant AP modes, what each mode means for branch and work-from-home deployments, and how an AP decides its personality at boot.

Next · Aruba Access Points & ArubaOS — Campus, Remote & Instant AP Modes → ← All lessons