Aruba WLAN Controller IP Flow Export

On an Aruba Networks controller, IP flow export (IPFIX/NetFlow) is a telemetry feature that sends summarized traffic records to an external collector.

What it does (core function)

It observes client sessions on the controller and exports metadata about those flows, not the packets themselves.

A flow = a conversation defined by:

  • Source IP / Destination IP
  • Source / Destination port
  • Protocol (TCP/UDP)
  • Additional context (user, role, AP, SSID, etc.)

What gets exported

Each exported record typically includes:

  • Who: client IP, MAC, username (if available)
  • Where: AP name, SSID, VLAN, role
  • What: destination IP, ports, protocol
  • How much: bytes, packets
  • When: start time, end time, duration

This is sent via IPFIX (UDP) to a collector such as NFSen or Scrutinizer.

What it is NOT
  • Not packet capture (no payload, no DPI)
  • Not real-time mirroring (not like SPAN)
  • Not firewall enforcement
  • Not full IDS/IPS

It’s metadata only

Why it is used
1. Traffic visibility
  • See where clients are going (e.g., internet destinations, internal apps)
2. Troubleshooting
  • Validate:
    • Is traffic actually flowing?
    • Volume of traffic per client
    • Session duration anomalies
3. Security monitoring
  • Detect:
    • Unusual destinations
    • Data exfiltration patterns
    • Beaconing behavior
4. Capacity/reporting
  • Top talkers
  • Bandwidth trends
  • Application usage (limited compared with DPI tools)
Aruba-specific behavior
  • Built from the controller’s session table
  • Exports UNIFLOW by default (one direction per record)
  • Tied to user roles/sessions
  • If a session doesn’t exist → no flow exported
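The security-monitoring and capacity use cases above, worked on the UNIFLOW records the controller exports, as an added example that is not part of the original post: it pairs the two directions of a conversation, lists top talkers, and flags beaconing as flows to one destination that start at evenly spaced intervals. The record layout and all addresses are constructed for the demo.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed UNIFLOW sample (one direction per record), shaped like the
# who/what/how-much/when fields listed above; layout and values are assumed.
# (src_ip, dst_ip, src_port, dst_port, proto, bytes, start_seconds)
FLOWS = [
    ("10.0.50.10", "203.0.113.5", 51000, 443, "tcp", 500, 0),
    ("203.0.113.5", "10.0.50.10", 443, 51000, "tcp", 1200, 0),
    ("10.0.50.10", "203.0.113.5", 51001, 443, "tcp", 500, 60),
    ("203.0.113.5", "10.0.50.10", 443, 51001, "tcp", 1200, 60),
    ("10.0.50.10", "203.0.113.5", 51002, 443, "tcp", 500, 120),
    ("10.0.50.10", "203.0.113.5", 51003, 443, "tcp", 500, 180),
    ("10.0.50.10", "203.0.113.5", 51004, 443, "tcp", 500, 240),
    ("10.0.50.11", "198.51.100.7", 52000, 443, "tcp", 40000, 5),
    ("198.51.100.7", "10.0.50.11", 443, 52000, "tcp", 900000, 5),
    ("10.0.50.11", "198.51.100.7", 52001, 443, "tcp", 3000, 17),
    ("10.0.50.11", "198.51.100.7", 52002, 443, "tcp", 2500, 95),
]

def pair_uniflows(flows):
    """Merge the two UNIFLOW directions of a conversation into one entry.
    Key: 5-tuple normalised so the lower (ip, port) endpoint comes first;
    bytes are kept per direction ("fwd" = from that lower endpoint)."""
    conv = defaultdict(lambda: {"fwd": 0, "rev": 0})
    for src, dst, sp, dp, proto, nbytes, _ in flows:
        forward = (src, sp) <= (dst, dp)
        key = ((src, sp, dst, dp) if forward else (dst, dp, src, sp)) + (proto,)
        conv[key]["fwd" if forward else "rev"] += nbytes
    return dict(conv)

def top_talkers(flows, n=2):
    """Bytes sent per source address, largest first (capacity/reporting view)."""
    sent = defaultdict(int)
    for src, _, _, _, _, nbytes, _ in flows:
        sent[src] += nbytes
    return sorted(sent.items(), key=lambda kv: kv[1], reverse=True)[:n]

def beacon_candidates(flows, min_flows=4, max_cv=0.1):
    """Flag (src, dst, dst_port) seen at least min_flows times whose start
    times are evenly spaced: coefficient of variation of the gaps <= max_cv.
    Returns [(key, mean_gap_seconds), ...]; short series are never flagged."""
    starts = defaultdict(list)
    for src, dst, _, dp, _, _, start in flows:
        starts[(src, dst, dp)].append(start)
    hits = []
    for key, ts in starts.items():
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_flows and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_cv:
            hits.append((key, mean(gaps)))
    return hits
```

A real collector feed would supply the same fields from nfdump output; the thresholds are starting points to tune against a baseline, not fixed rules.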
Configuration – NFSEN
  1. Make a copy of the nfsen.conf file

cd /var/nfsen/etc

ls -lthr

/var/nfsen/etc$ sudo cp nfsen.conf nfsen.conf-WORKING-04242024.conf

ls -lthr

2. Edit the nfsen.conf file

sudo nano nfsen.conf
%sources = (
    'NORTHWLC001'   => { 'port' => '9915', 'col' => '#ffce30', 'IP' => '10.0.17.7' },
    'EASTWLC001'    => { 'port' => '9914', 'col' => '#ffce30', 'IP' => '10.0.17.6' },
    'DMZANCHOR7210' => { 'port' => '9916', 'col' => '#ffce30', 'IP' => '10.0.66.20' },
);

3. Reconfigure nfsen so it starts a collector for each new source

/var/nfsen/bin$ sudo ./nfsen reconfig

Subroutine AbuseWhois::sockaddr_in6 redefined at /var/nfsen/libexec/AbuseWhois.pm line 44.
Add configured sources: NORTHWLC001 EASTWLC001 DMZANCHOR7210
Continue? [y/n] y

Add source(s): PSN2 PSN1:
Add source 'NORTHWLC001' Start running collector on port '9915' (NORTHWLC001)[157778].
Add source 'EASTWLC001' Start running collector on port '9914' (EASTWLC001)[157799].
Add source 'DMZANCHOR7210' Start running collector on port '9916' (DMZANCHOR7210)[157780].

Aruba WLC Config

On each controller, collector-ip is the NFSEN host and port must match the port of the nfsen.conf source whose 'IP' is that controller's address, since each source listens on its own port.

[00:0b:86:b8:94:a8] (config) #
ip-flow-export-profile
    enable
    upload-all-interval 3
    collector-ip 10.0.0.22
    port 9915
    flow-cache-size 5000
    wireless-export
!
[20:4c:03:39:86:34] (config) #
ip-flow-export-profile
    enable
    upload-all-interval 3
    collector-ip 10.0.0.22
    port 9915
    flow-cache-size 5000
    wireless-export
!
[00:1a:1e:00:ee:08] (config) #
ip-flow-export-profile
    enable
    upload-all-interval 5
    collector-ip 10.0.0.22
    port 9916
    flow-cache-size 5000
    wireless-export
!
Verify the flows on a device with users
Verify that NFSEN is receiving flows using tcpdump
Verify that NFSEN is receiving flows via the GUI
