MultiZone

The MultiZone feature allows organizations to have multiple and separate secure networks while using the same access point. It also allows AP to terminate to multiple managed devices that reside in different zones. A zone is a collection of managed devices under a single administration domain. The zone can have a single managed device or a cluster setup.

Traditionally, one AP was managed by a single zone where the configuration was generated on a conductor controller and synchronized across all other local controllers. Starting from AOS-8.0.0.0, MultiZone AP is supported and an AP can be managed by multiple zones. Different zones can have different configurations. The managed devices in different zones do not communicate with one another.

Initially, when the AP is booted up, the first zone it contacts is called the Primary Zone. When the AP boots up on a managed device, and the primary zone managed device configures the AP including the BSS Basic Service Set. A BSS is a set of interconnected stations that can communicate with each other. BSS can be an independent BSS or infrastructure BSS. An independent BSS is an ad hoc network that does not include APs, whereas the infrastructure BSS consists of an AP and all its associated clients. , radio channel, radio power, and other features. The primary zone can configure MultiZone profiles to enable the MultiZone feature.

Data zone is the secondary zone that an AP connects to after receiving the MultiZone configuration from the primary zone. If there are MultiZone profiles configured and associated in the AP group or AP name profile of the primary zone, then the AP enters MultiZone state and starts connecting with the specified data zones. Only one MultiZone profile per ap-group or ap-name can be attached. The data zone managed device must be configured with the same AP group or AP name profile as the primary zone. When the AP connects to the data zone managed devices, there is a flag in the HELLO message indicating that the AP is connecting to the zone as a data zone. The data zone managed device then can configure additional BSSs.

Data zone now supports redundancy to avoid a long time service outage and the user can configure a backup controller or cluster for a datazone configuration. The following topologies are supported:

The AP virtually connects to each data zone independently. Each data zone’s network change or failure does not affect the management of an AP from other data zones. The data zone can configure the AP separately and the AP will apply each configuration. However, if the primary zone goes down, then all the data zones will be affected including the traffic on the data zone.

For example, the first zone has SSID-1, SSID-2 configured and has stand-alone setup, while the second zone has SSID-3, SSID-4 configured and has cluster setup. Then, the MultiZone AP receives both configurations and provides service for all the four SSIDs Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. with no communication between the managed devices.

The MultiZone feature allows the client traffic of different ESS Extended Service Set. An ESS is a set of one or more interconnected BSSs that form a single sub network. to go to different managed devices into various zones without cross-contamination. The client traffic of the specific ESS Extended Service Set. An ESS is a set of one or more interconnected BSSs that form a single sub network. is encrypted and tunneled directly from AP to the managed devices using the tunnel mode. All devices in the path including the primary managed device managing the AP are automatically secured. Client wireless frames are encrypted or decrypted for the corresponding SSID Service Set Identifier. SSID is a name given to a WLAN and is used by the client to access a WLAN network. data zone managed device in the secure zone.

All the zones can have a maximum of 12 managed devices and 16 VAPs per radio and a maximum of 5 zones are supported including the primary zone.

Starting from AOS-8.3.0.0, MultiZone supports Decrypt Tunnel forwarding mode on the data zone Virtual APs.

Following sections describe the functional flow, licenses, and features of MultiZone:

Functional Flow of a MultiZone AP

The functional flow of a MultiZone AP is as follows:

Important Points

The data zone AP ignores the configuration that can affect other zone's BSSs like radio configurations.

Licenses for MultiZone

Starting from AOS-8.2.0.0, data zone managed device will not consume any license and only the primary zone managed device will consume licenses, including the WebCC licenses. Prior to AOS-8.2.0.0, APs connected to data zone managed device consumed PEFNG Policy Enforcement Firewall. PEF also known as PEFNG provides context-based controls to enforce application-layer security and prioritization. The customers using Aruba mobility controllers can avail PEF features and services by obtaining a PEF license. PEF for VPN users—Customers with PEF for VPN license can apply firewall policies to the user traffic routed to a controller through a VPN tunnel. license, although the data zone managed device still requires PEFNG Policy Enforcement Firewall. PEF also known as PEFNG provides context-based controls to enforce application-layer security and prioritization. The customers using Aruba mobility controllers can avail PEF features and services by obtaining a PEF license. PEF for VPN users—Customers with PEF for VPN license can apply firewall policies to the user traffic routed to a controller through a VPN tunnel. licenses.

Also, once the AP comes up, the managed device checks if the RFP license was acquired by the AP on the primary zone and Data zone managed device. If not, MultiZone will be disabled on that AP.

The show ap license-usage will not count licenses on the data zone managed device for APs that connect to it as a data zone AP.

Hybrid CPsec, Mesh AP, and Mobility Controller Virtual Appliance Support

Starting from AOS-8.2.0.0, hybrid CPsec Control Plane Security. CPsec is a secure form of communication between a controller and APs to protect the control plane communications. This is performed by means of using public-key self-signed certificates created by each conductor controller. is supported. That is, CPsec Control Plane Security. CPsec is a secure form of communication between a controller and APs to protect the control plane communications. This is performed by means of using public-key self-signed certificates created by each conductor controller. can be enabled or disabled independently for each zone.

Starting from AOS-8.2.0.0, MultiZone is supported for Mobility Controller Virtual Appliance with CPsec Control Plane Security. CPsec is a secure form of communication between a controller and APs to protect the control plane communications. This is performed by means of using public-key self-signed certificates created by each conductor controller. enabled. Therefore, a combination of hardware controllers and Mobility Controller Virtual Appliance are supported.

Starting from AOS-8.2.0.0, Mesh is supported on MultiZone only for IPv4.

AP LACP Support for MultiZone

Striping LMS Local Management Switch. In multi-controller networks, each controller acts as an LMS and terminates user traffic from the APs, processes, and forwards the traffic to the wired network. IP can no longer be used to stripe the traffic as the AP has GRE Generic Routing Encapsulation. GRE is an IP encapsulation protocol that is used to transport packets over a network. tunnels to more than one managed device. Therefore, starting from AOS-8.2.0.0, LACP Link Aggregation Control Protocol. LACP is used for the collective handling of multiple physical ports that can be seen as a single channel for network traffic purposes. is used to stripe traffic on a per UAC basis. That is, the clients or users on the same AP are steered to different UACs and traffic is striped to the UACs.

When MultiZone is enabled, the Striping LMS Local Management Switch. In multi-controller networks, each controller acts as an LMS and terminates user traffic from the APs, processes, and forwards the traffic to the wired network. IP will not be sent to AP. The striping of traffic for the Ethernet Ethernet is a network protocol for data transmission over LAN. interfaces is according to the UAC node.

Limitations

Primary zone managed device is not using striping LMS Local Management Switch. In multi-controller networks, each controller acts as an LMS and terminates user traffic from the APs, processes, and forwards the traffic to the wired network. when the data zone managed device is down.

Client Match Support for MultiZone

Starting from AOS-8.3.0.0, the ClientMatch features like sticky-client and band Band refers to a specified range of frequencies of electromagnetic radiation. steering is supported in a MultiZone deployment for Campus APs Campus APs are used in private networks where APs connect over private links (LAN, WLAN, WAN or MPLS) and terminate directly on controllers. Campus APs are deployed as part of the indoor campus solution in enterprise office buildings, warehouses, hospitals, universities, and so on.. ClientMatch in each zone functions independently by controlling clients that are associated to the Virtual APs owned by that zone.

Key Considerations

RSDB and Dual 5G Bands Support for MultiZone

Starting from AOS-8.3.0.0, MultiZone supports RSDB (Real simultaneous dual band Band refers to a specified range of frequencies of electromagnetic radiation.) on AP-203R, AP-203RP and AP-203H access points. Also, MultiZone supports Dual 5 GHz Gigahertz. on AP-344 and AP-345 access points.

This feature helps the Data zone managed device to get the current RSDB and dual 5 GHz Gigahertz. mode information of the AP and adjust the radio and Virtual AP configurations based on the information.

This feature also ensures that the AP-203R, AP-203RP and AP-203H work in a MultiZone deployment with different RSDB modes and the AP-344 and AP-345 work in MultiZone with different Dual 5 GHz Gigahertz. modes.

On a Data zone managed device, execute the following command to display the RSDB and Dual 5 GHz Gigahertz. mode:

(host) [mynode] #show ap active

 

Active AP Table

---------------

Name Group IP Address AP Type Flags Uptime Outer IP Radio 0 Band Ch/EIRP/MaxEIRP/Clients Radio 1 Band Ch/EIRP/MaxEIRP/Clients

---- ----- ---------- ------- ----- ------ -------- ------------------------------------ ------------------------------------

AP203H-veriwave  rsdb       10.16.140.196  203H     A2aVf  9m:9s   N/A    AP:2.4GHz-HT:11/6.5/23.5/0

AP203H-veriwave  rsdb       10.16.140.196  203H     A2aUf  9m:34s  N/A    AP:5GHz-VHT:161E/6.5/23.5/0

AP203H-veriwave  rsdb       10.16.140.196  203H     A2aTf  11m:7s  N/A    snipAP:5GHz-VHT:161E/17.0/19.5/0   AP:2.4GHz-HT:11/12.0/20.5/0

 

U = Flex Radio Mode is 5GHz; V = Flex Radio Mode is 2.4GHz; T = Flex Radio Mode is 2.4GHz+5GHz