MultiZone

The MultiZone feature allows organizations to have multiple and separate secure networks while using the same AP. It also allows APs to terminate to multiple managed devices that reside in different zones. A zone is a collection of managed devices under a single administration domain. The zone can have a single managed device or a cluster setup.

Traditionally, one AP was managed by a single zone, where the configuration was generated on a conductor controller and synchronized across all other local controllers. ArubaOS now supports MultiZone APs, which are managed by multiple zones. Different zones can have different configurations, and the managed devices in different zones do not communicate with one another.

This chapter includes the following topics:

Primary Zone and Data Zone

Initially, when the AP boots up, the first zone it contacts is called the primary zone. When the AP boots up on a managed device, the primary zone managed device configures the AP, including the BSS (Basic Service Set: a set of interconnected stations that can communicate with each other; an infrastructure BSS consists of an AP and all its associated clients, whereas an independent BSS is an ad hoc network without APs), radio channel, radio power, and other features. The primary zone can configure MultiZone profiles to enable the MultiZone feature.

A data zone is a secondary zone that an AP connects to after receiving the MultiZone configuration from the primary zone. If MultiZone profiles are configured and associated in the AP group or AP name profile of the primary zone, the AP enters MultiZone state and starts connecting to the specified data zones. Only one MultiZone profile can be attached per ap-group or ap-name. The data zone managed device must be configured with the same AP group or AP name profile as the primary zone. When the AP connects to the data zone managed devices, a flag in the HELLO message indicates that the AP is connecting to the zone as a data zone. The data zone managed device can then configure additional BSSs.

Data zones now support redundancy to avoid long service outages: the user can configure a backup controller or cluster for a data zone configuration. The following topologies are supported:

The AP virtually connects to each data zone independently. A network change or failure in one data zone does not affect the management of the AP from other data zones. Each data zone can configure the AP separately, and the AP applies each configuration. However, if the primary zone goes down, all the data zones are affected, including the traffic on the data zones.

For example, the first zone has SSID-1 and SSID-2 configured in a stand-alone setup, while the second zone has SSID-3 and SSID-4 configured in a cluster setup. The MultiZone AP receives both configurations and provides service for all four SSIDs (Service Set Identifiers; an SSID is the name given to a WLAN and is used by clients to access it) with no communication between the managed devices.

The MultiZone feature allows the client traffic of different ESSs (Extended Service Sets; an ESS is a set of one or more interconnected BSSs that form a single sub-network) to go to different managed devices in various zones without cross-contamination. The client traffic of a specific ESS is encrypted and tunneled directly from the AP to the managed device using tunnel mode. All devices in the path, including the primary managed device managing the AP, are automatically secured. Client wireless frames are encrypted or decrypted only by the data zone managed device that owns the corresponding SSID, in the secure zone.

The following sections describe the functional flow, licenses, and features of MultiZone.

Functional Flow of a MultiZone AP

The functional flow of a MultiZone AP is as follows:

Important Points

A data zone AP ignores configuration that can affect other zones' BSSs, such as radio configuration.

Licenses for MultiZone

The data zone managed device does not consume any license; only the primary zone managed device consumes licenses, including the WebCC licenses. Prior to ArubaOS 8.2.0.0, APs connected to a data zone managed device consumed a PEFNG (Policy Enforcement Firewall) license, although the data zone managed device still required PEFNG licenses.

Also, once the AP comes up, the managed device checks whether the RFP license was acquired by the AP on both the primary zone and the data zone managed device. Otherwise, MultiZone is disabled on that AP.

The show ap license-usage command does not count licenses on the data zone managed device for APs that connect to it as data zone APs.
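The rules stated in the functional flow, the Important Points, and the licensing sections above can be checked against a small model. The following Python is an added illustration, not ArubaOS code: it encodes only what this chapter states (the primary zone is contacted first and owns radio settings, data zones are contacted only when the primary zone attaches a MultiZone profile and may only add BSSs, client frames are tunneled to the managed device of the zone that owns the SSID, MultiZone is disabled when the RFP license is missing on either side, and AP licenses are counted only on the primary zone). The class names, addresses, SSIDs and ap-group name are constructed for the example.

```python
"""Toy model of the MultiZone rules described in this chapter (added example,
not ArubaOS code). Every name, address and SSID below is constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

# Settings the primary zone owns because they affect every zone's BSSs.
RADIO_SETTINGS = {"channel", "tx_power"}


@dataclass
class ZoneConfig:
    """What one zone's managed device (standalone or cluster) pushes to the AP."""
    name: str
    managed_device: str                 # constructed address of the managed device
    ap_group: str
    ssids: list[str]
    radio: dict = field(default_factory=dict)
    rfp_license: bool = True
    multizone_datazones: list[str] = field(default_factory=list)  # primary zone only


@dataclass
class Connection:
    """One virtual AP-to-zone connection; data_zone mirrors the HELLO flag."""
    zone: str
    managed_device: str
    data_zone: bool


@dataclass
class MultiZoneAP:
    name: str
    ap_group: str
    multizone_enabled: bool = False
    radio: dict = field(default_factory=dict)
    bss_owner: dict[str, str] = field(default_factory=dict)   # ssid -> zone
    zone_md: dict[str, str] = field(default_factory=dict)     # zone -> managed device
    connections: list[Connection] = field(default_factory=list)
    ignored: list[tuple[str, str]] = field(default_factory=list)  # (zone, setting)

    def boot(self, primary: ZoneConfig, zones: dict[str, ZoneConfig]) -> None:
        """Primary zone first; data zones only if a MultiZone profile is attached."""
        self._connect(primary, data_zone=False)
        if not primary.multizone_datazones:
            return
        datazones = [zones[n] for n in primary.multizone_datazones]
        # The RFP license must have been acquired on the primary and every data zone.
        if not primary.rfp_license or not all(dz.rfp_license for dz in datazones):
            self.multizone_enabled = False
            return
        self.multizone_enabled = True
        for dz in datazones:
            # The data zone must carry the same AP group as the primary zone.
            if dz.ap_group != self.ap_group:
                raise ValueError(f"data zone {dz.name} lacks ap-group {self.ap_group}")
            self._connect(dz, data_zone=True)

    def _connect(self, zone: ZoneConfig, data_zone: bool) -> None:
        self.connections.append(Connection(zone.name, zone.managed_device, data_zone))
        self.zone_md[zone.name] = zone.managed_device
        for key, value in zone.radio.items():
            if data_zone and key in RADIO_SETTINGS:
                self.ignored.append((zone.name, key))  # would disturb other zones' BSSs
                continue
            self.radio[key] = value
        for ssid in zone.ssids:
            if ssid in self.bss_owner:
                raise ValueError(f"{ssid} already owned by {self.bss_owner[ssid]}")
            self.bss_owner[ssid] = zone.name

    def tunnel_for(self, ssid: str) -> str:
        """Frames for an SSID go, encrypted, to the owning zone's managed device."""
        return self.zone_md[self.bss_owner[ssid]]


def license_usage(aps: list[MultiZoneAP], zones: dict[str, ZoneConfig]) -> dict[str, int]:
    """AP license consumption per managed device; data-zone connections count zero."""
    usage = {z.managed_device: 0 for z in zones.values()}
    for ap in aps:
        for conn in ap.connections:
            if not conn.data_zone:
                usage[conn.managed_device] += 1
    return usage


def example() -> tuple[MultiZoneAP, dict[str, ZoneConfig]]:
    """Zone 1 (standalone) is primary with SSID-1/2; zone 2 (cluster) adds SSID-3/4."""
    zones = {
        "zone1": ZoneConfig("zone1", "10.1.0.1", "mz-group", ["SSID-1", "SSID-2"],
                            radio={"channel": 36, "tx_power": 18},
                            multizone_datazones=["zone2"]),
        "zone2": ZoneConfig("zone2", "10.2.0.1", "mz-group", ["SSID-3", "SSID-4"],
                            radio={"channel": 149}),  # ignored: radio is primary-owned
    }
    ap = MultiZoneAP("ap-1", "mz-group")
    ap.boot(zones["zone1"], zones)
    return ap, zones


if __name__ == "__main__":
    ap, zones = example()
    print("radio:", ap.radio, "ignored:", ap.ignored)
    print("SSID-3 tunnels to", ap.tunnel_for("SSID-3"))
    print("license usage:", license_usage([ap], zones))
```

Running the example shows the primary zone's channel and power surviving while the data zone's channel request is recorded as ignored, SSID-3 traffic tunneling to zone 2's managed device rather than the primary zone's, and one AP license counted on zone 1 and none on zone 2.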

Hybrid CPsec, Mesh AP, and Mobility Controller Virtual Appliance Support for MultiZone

CPsec (Control Plane Security, which protects the control-plane communication between a controller and its APs by means of public-key self-signed certificates created by each conductor controller), Mesh AP, and Mobility Controller Virtual Appliance are supported in MultiZone deployments. CPsec acts as a hybrid CPsec that is enabled or disabled independently for each zone. MultiZone is supported for Mobility Controller Virtual Appliance with CPsec enabled. Therefore, a combination of hardware controllers and Mobility Controller Virtual Appliances is supported. Mesh is supported on MultiZone only for IPv4.

AP LACP Support for MultiZone

The Striping LMS (Local Management Switch) IP can no longer be used to stripe the traffic, because the AP has GRE (Generic Routing Encapsulation) tunnels to more than one managed device. Therefore LACP (Link Aggregation Control Protocol) is used to stripe traffic on a per-UAC basis. That is, the clients or users on the same AP are steered to different UACs and traffic is striped to those UACs.

When MultiZone is enabled, the Striping LMS IP is not sent to the AP. The striping of traffic for the Ethernet interfaces is according to the UAC node.

Client Match Support for MultiZone

ClientMatch features such as sticky-client and band steering are supported in a MultiZone deployment for Campus APs (APs used in private networks that connect over private links such as LAN, WLAN, WAN or MPLS and terminate directly on controllers). ClientMatch in each zone functions independently by controlling the clients that are associated to the Virtual APs owned by that zone.

Key Considerations