MultiZone
The MultiZone feature allows organizations to run multiple, separate secure networks on the same access point. It also allows an AP to terminate on multiple managed devices that reside in different zones. A zone is a collection of managed devices under a single administration domain; a zone can be a single managed device or a cluster.
Traditionally, one AP was managed by a single zone where the configuration was generated on a conductor controller and synchronized across all other local controllers. Starting from AOS-8.0.0.0, MultiZone AP is supported and an AP can be managed by multiple zones. Different zones can have different configurations. The managed devices in different zones do not communicate with one another.
When the AP boots up, the first zone it contacts is called the primary zone. The primary zone managed device configures the AP, including the BSS, radio channel, radio power, and other features. The primary zone can configure MultiZone profiles to enable the MultiZone feature.
A data zone is a secondary zone that an AP connects to after receiving the MultiZone configuration from the primary zone. If MultiZone profiles are configured and associated in the AP group or AP name profile of the primary zone, the AP enters the MultiZone state and starts connecting to the specified data zones. Only one MultiZone profile can be attached per ap-group or ap-name. The data zone managed device must be configured with the same AP group or AP name profile as the primary zone. When the AP connects to the data zone managed devices, a flag in the HELLO message indicates that the AP is connecting to the zone as a data zone. The data zone managed device can then configure additional BSSs.
The data zone now supports redundancy to avoid a long service outage: you can configure a backup controller or cluster for a data zone. The following topologies are supported:
- Data zone controllers are all standalone controllers.
- The LMS in the data zone is a standalone controller, and the backup LMS is a cluster.
- The LMS in the data zone is a cluster, and the backup LMS in the data zone is standalone.
- Both the LMS and the backup LMS in a data zone are clusters.
The AP virtually connects to each data zone independently. Each data zone’s network change or failure does not affect the management of an AP from other data zones. The data zone can configure the AP separately and the AP will apply each configuration. However, if the primary zone goes down, then all the data zones will be affected including the traffic on the data zone.
For example, the first zone has SSID-1 and SSID-2 configured with a stand-alone setup, while the second zone has SSID-3 and SSID-4 configured with a cluster setup. The MultiZone AP then receives both configurations and provides service for all four SSIDs, with no communication between the managed devices.
The MultiZone feature allows the client traffic of different ESSs to go to different managed devices in different zones without cross-contamination. The client traffic of a specific ESS is encrypted and tunneled directly from the AP to the managed devices using tunnel mode. All devices in the path, including the primary managed device managing the AP, are automatically secured. Client wireless frames are encrypted and decrypted by the data zone managed device that owns the corresponding SSID, inside that secure zone.
All the zones can have a maximum of 12 managed devices and 16 VAPs per radio and a maximum of 5 zones are supported including the primary zone.
Starting from AOS-8.3.0.0, MultiZone supports Decrypt Tunnel forwarding mode on the data zone Virtual APs.
The 630 Series access points (AP-635) support MultiZone on the 2.4 GHz and 5 GHz radio bands only, and not on the 6 GHz radio band.
The following sections describe the functional flow, licenses, and features of MultiZone:
Functional Flow of a MultiZone AP
The functional flow of a MultiZone AP is as follows:
- The AP boots up and terminates on the primary zone.
- It receives the configuration from the primary zone and applies it.
- Simultaneously, it connects to each data zone IP address configured in the MultiZone profile.
- It receives the VAP configuration from each data zone and applies it.
- If common configuration, such as radio or channel settings, is changed on the primary zone, the data zone needs to rebootstrap to pick up the change.
- If CPsec is enabled, each data zone managed device must have the AP appropriately allowlisted.
Important Points
- CPsec is not mandatory for MultiZone.
- If High Availability is enabled, MultiZone cannot be configured.
- Tunnel mode and Decrypt Tunnel mode are the supported forward modes.
- The primary zone and data zone managed devices do not need to be on the same layer 2 subnet, but they must be layer 3 reachable.
- For the WebCC feature to work seamlessly, it must be enabled on each data zone managed device.
The data zone AP ignores configuration that can affect another zone's BSSs, such as radio configuration.
Licenses for MultiZone
Starting from AOS-8.2.0.0, the data zone managed device does not consume any license; only the primary zone managed device consumes licenses, including WebCC licenses. Prior to AOS-8.2.0.0, APs connected to a data zone managed device consumed a PEFNG license, although the data zone managed device still requires PEFNG licenses.
Also, once the AP comes up, the managed device checks whether the RFP license was acquired by the AP on the primary zone and data zone managed devices. If not, MultiZone is disabled on that AP.
The show ap license-usage command does not count licenses on the data zone managed device for APs that connect to it as data zone APs.
Hybrid CPsec, Mesh AP, and Mobility Controller Virtual Appliance Support
Starting from AOS-8.2.0.0, hybrid CPsec is supported. That is, CPsec can be enabled or disabled independently for each zone.
Starting from AOS-8.2.0.0, MultiZone is supported for Mobility Controller Virtual Appliance with CPsec enabled. Therefore, a combination of hardware controllers and Mobility Controller Virtual Appliances is supported.
Starting from AOS-8.2.0.0, Mesh is supported on MultiZone only for IPv4.
AP LACP Support for MultiZone
The striping LMS IP can no longer be used to stripe traffic, because the AP has GRE tunnels to more than one managed device. Therefore, starting from AOS-8.2.0.0, LACP is used to stripe traffic on a per-UAC basis. That is, the clients or users on the same AP are steered to different UACs and the traffic is striped across the UACs.
When MultiZone is enabled, the striping LMS IP is not sent to the AP. Traffic is striped across the Ethernet interfaces according to the UAC node.
Limitations
The primary zone managed device does not use the striping LMS when the data zone managed device is down.
Client Match Support for MultiZone
Starting from AOS-8.3.0.0, ClientMatch features such as sticky-client and band steering are supported in a MultiZone deployment for Campus APs. ClientMatch in each zone functions independently by controlling the clients that are associated to the Virtual APs owned by that zone.
Key Considerations
- ESSIDs must be unique across zones. The same VAP ESSID should not be configured in more than one zone, as this can cause issues in client steering if the zones are co-located.
- ClientMatch configuration in ARM profiles should be set to the default values to ensure that the ClientMatch configuration is common across the primary zone and data zones.
- ClientMatch is enabled by default, which is the recommended setting, unless all APs in the MultiZone deployment have the same primary zone.
- ClientMatch spectrum load balancing does not work on radios that are hosting Virtual APs from more than one zone.
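The limits and rules scattered through this chapter (a maximum of 5 zones including the primary zone, 12 managed devices and 16 VAPs per radio, tunnel or decrypt-tunnel forward modes only, no High Availability, the same AP group in every zone, and unique ESSIDs across zones from the key considerations above) are easy to check before pushing a configuration. The following validator is an added example and not Aruba code: the Zone and MultiZonePlan structures are an assumed representation of a planned deployment, and the 12-managed-device limit is read here as per zone and the 16-VAP limit as the total across all zones on one radio.

```python
"""Check a planned MultiZone deployment against the limits stated in this chapter.

Added example, not Aruba code. Zone and MultiZonePlan are an assumed plan
format; the numeric limits and rules are the ones given in the text.
"""
from dataclasses import dataclass, field

MAX_ZONES = 5                      # includes the primary zone
MAX_MANAGED_DEVICES_PER_ZONE = 12  # read here as a per-zone limit
MAX_VAPS_PER_RADIO = 16            # read here as the total across all zones on one radio
SUPPORTED_FORWARD_MODES = {"tunnel", "decrypt-tunnel"}


@dataclass
class Zone:
    name: str
    ap_group: str                      # AP group profile the AP uses in this zone
    managed_devices: list              # IP addresses of the zone's managed devices (assumed)
    vaps: dict                         # ESSID -> forward mode, for one radio
    high_availability: bool = False    # AP High Availability enabled in this zone


@dataclass
class MultiZonePlan:
    primary: Zone
    data_zones: list = field(default_factory=list)


def validate(plan):
    """Return a list of human-readable problems; an empty list means the plan is within limits."""
    problems = []
    zones = [plan.primary] + list(plan.data_zones)

    if len(zones) > MAX_ZONES:
        problems.append(f"{len(zones)} zones configured; maximum is {MAX_ZONES} including the primary zone")

    essid_owner = {}   # ESSID -> name of the zone that already uses it
    total_vaps = 0
    for zone in zones:
        if len(zone.managed_devices) > MAX_MANAGED_DEVICES_PER_ZONE:
            problems.append(f"zone {zone.name}: {len(zone.managed_devices)} managed devices; "
                            f"maximum is {MAX_MANAGED_DEVICES_PER_ZONE}")
        if zone.high_availability:
            problems.append(f"zone {zone.name}: High Availability is enabled; MultiZone cannot be configured with it")
        if zone.ap_group != plan.primary.ap_group:
            problems.append(f"zone {zone.name}: AP group '{zone.ap_group}' differs from the primary zone's "
                            f"'{plan.primary.ap_group}'")
        total_vaps += len(zone.vaps)
        for essid, mode in zone.vaps.items():
            if mode not in SUPPORTED_FORWARD_MODES:
                problems.append(f"zone {zone.name}: VAP {essid} uses forward mode '{mode}'; "
                                "only tunnel and decrypt-tunnel are supported")
            if essid in essid_owner:
                problems.append(f"ESSID {essid} is configured in both {essid_owner[essid]} and {zone.name}; "
                                "ESSIDs must be unique across zones")
            else:
                essid_owner[essid] = zone.name

    if total_vaps > MAX_VAPS_PER_RADIO:
        problems.append(f"{total_vaps} VAPs on one radio across all zones; maximum is {MAX_VAPS_PER_RADIO}")
    return problems


def build_example_plan():
    """Constructed plan that matches the chapter's two-zone example (stand-alone primary, clustered data zone)."""
    primary = Zone("corp", "campus", ["10.0.0.1"], {"SSID-1": "tunnel", "SSID-2": "tunnel"})
    guest = Zone("guest", "campus", ["10.0.1.1", "10.0.1.2"], {"SSID-3": "decrypt-tunnel", "SSID-4": "tunnel"})
    return MultiZonePlan(primary, [guest])


def build_broken_plan():
    """Constructed plan that violates several rules: HA on, bridge mode, duplicate ESSID, too many devices, AP group mismatch."""
    primary = Zone("corp", "campus", ["10.0.0.1"], {"SSID-1": "tunnel", "SSID-2": "tunnel"})
    guest = Zone("guest", "campus", ["10.0.1.1", "10.0.1.2"], {"SSID-1": "bridge"}, high_availability=True)
    iot = Zone("iot", "iot-aps", [f"10.0.2.{i}" for i in range(1, 14)], {"SSID-5": "tunnel"})
    return MultiZonePlan(primary, [guest, iot])


if __name__ == "__main__":
    for label, plan in (("example", build_example_plan()), ("broken", build_broken_plan())):
        print(f"{label} plan:", validate(plan) or "within limits")
```

The validator only encodes the constraints written in this chapter; it does not know about platform-specific limits of a given controller model, so treat an empty result as "not obviously wrong" rather than "guaranteed to work".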
RSDB and Dual 5G Bands Support for MultiZone
Starting from AOS-8.3.0.0, MultiZone supports RSDB (Real Simultaneous Dual Band) on AP-203R, AP-203RP, and AP-203H access points. MultiZone also supports Dual 5 GHz on AP-344 and AP-345 access points.
This feature lets the data zone managed device obtain the current RSDB and dual 5 GHz mode information of the AP and adjust the radio and Virtual AP configurations accordingly.
This feature also ensures that the AP-203R, AP-203RP, and AP-203H work in a MultiZone deployment with different RSDB modes, and that the AP-344 and AP-345 work in MultiZone with different Dual 5 GHz modes.
On a data zone managed device, execute the following command to display the RSDB and Dual 5 GHz mode:
(host) [mynode] #show ap active
Active AP Table
---------------
Name Group IP Address AP Type Flags Uptime Outer IP Radio 0 Band Ch/EIRP/MaxEIRP/Clients Radio 1 Band Ch/EIRP/MaxEIRP/Clients
---- ----- ---------- ------- ----- ------ -------- ------------------------------------ ------------------------------------
AP203H-veriwave rsdb 10.16.140.196 203H A2aVf 9m:9s N/A AP:2.4GHz-HT:11/6.5/23.5/0
AP203H-veriwave rsdb 10.16.140.196 203H A2aUf 9m:34s N/A AP:5GHz-VHT:161E/6.5/23.5/0
AP203H-veriwave rsdb 10.16.140.196 203H A2aTf 11m:7s N/A snipAP:5GHz-VHT:161E/17.0/19.5/0 AP:2.4GHz-HT:11/12.0/20.5/0
U = Flex Radio Mode is 5GHz; V = Flex Radio Mode is 2.4GHz; T = Flex Radio Mode is 2.4GHz+5GHz
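When auditing a data zone, it is useful to pull the Flex Radio Mode out of the Flags column programmatically and confirm that the radios the table lists agree with that mode. The parser below is an added example, not Aruba code; the sample table is constructed to match the shape of the output above (the AP names and the second and third IP addresses are invented), and the flag legend is the one printed under the table.

```python
"""Parse the 'show ap active' table from a data zone managed device and decode
the Flex Radio Mode flag. Added example, not Aruba code; SAMPLE_OUTPUT is
constructed to mirror the shape of the output shown in the chapter."""
import re

# Legend printed under the table: flag letter -> Flex Radio Mode
FLEX_RADIO_MODE = {"U": "5GHz", "V": "2.4GHz", "T": "2.4GHz+5GHz"}

# One data row: name, group, IP, AP type, flags, uptime, outer IP, then the radio columns
ROW_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<group>\S+)\s+(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<ap_type>\S+)\s+(?P<flags>\S+)\s+(?P<uptime>\S+)\s+(?P<outer_ip>\S+)(?P<radios>.*)$"
)
# One radio column: AP:<band>-<phy>:<channel>/<EIRP>/<MaxEIRP>/<clients>
RADIO_RE = re.compile(
    r"AP:(?P<band>[\d.]+GHz)-(?P<phy>\w+):(?P<channel>\S+?)/(?P<eirp>[\d.]+)/(?P<max_eirp>[\d.]+)/(?P<clients>\d+)"
)

# Constructed sample; AP names and the last two addresses are invented
SAMPLE_OUTPUT = """\
Active AP Table
---------------
Name          Group  IP Address     AP Type  Flags  Uptime  Outer IP  Radio 0 Band Ch/EIRP/MaxEIRP/Clients  Radio 1 Band Ch/EIRP/MaxEIRP/Clients
----          -----  ----------     -------  -----  ------  --------  ------------------------------------  ------------------------------------
AP203H-lab-1  rsdb   10.16.140.196  203H     A2aVf  9m:9s   N/A       AP:2.4GHz-HT:11/6.5/23.5/0
AP203H-lab-2  rsdb   10.16.140.197  203H     A2aUf  9m:34s  N/A       AP:5GHz-VHT:161E/6.5/23.5/0
AP203H-lab-3  rsdb   10.16.140.198  203H     A2aTf  11m:7s  N/A       AP:5GHz-VHT:161E/17.0/19.5/0  AP:2.4GHz-HT:11/12.0/20.5/0
U = Flex Radio Mode is 5GHz; V = Flex Radio Mode is 2.4GHz; T = Flex Radio Mode is 2.4GHz+5GHz
"""


def decode_flex_mode(flags):
    """Return the Flex Radio Mode named by the first U/V/T letter in the Flags field, or None."""
    for letter in flags:
        if letter in FLEX_RADIO_MODE:
            return FLEX_RADIO_MODE[letter]
    return None


def parse_show_ap_active(text):
    """Return one dict per AP row; title, header, separator and legend lines are skipped."""
    aps = []
    for line in text.splitlines():
        match = ROW_RE.match(line.strip())
        if not match:
            continue
        row = match.groupdict()
        radios = []
        for r in RADIO_RE.finditer(row.pop("radios")):
            radios.append({
                "band": r.group("band"),
                "phy": r.group("phy"),
                "channel": r.group("channel"),
                "eirp": float(r.group("eirp")),
                "max_eirp": float(r.group("max_eirp")),
                "clients": int(r.group("clients")),
            })
        row["radios"] = radios
        row["flex_radio_mode"] = decode_flex_mode(row["flags"])
        aps.append(row)
    return aps


def radios_consistent_with_mode(ap):
    """True when the bands listed in the radio columns match the bands named by the Flex Radio Mode flag."""
    if ap["flex_radio_mode"] is None:
        return False
    expected = set(ap["flex_radio_mode"].split("+"))
    return {r["band"] for r in ap["radios"]} == expected


if __name__ == "__main__":
    for ap in parse_show_ap_active(SAMPLE_OUTPUT):
        status = "ok" if radios_consistent_with_mode(ap) else "MISMATCH"
        print(f"{ap['name']:14} flags={ap['flags']} mode={ap['flex_radio_mode']:12} radios={len(ap['radios'])} {status}")
```

A row whose listed radios do not match its flag (for example a 5GHz flag with a 2.4GHz radio column) is worth a second look, since the data zone relies on the reported mode to shape its radio and Virtual AP configuration.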